SOCIAL SECURITY ADMINISTRATION
USE OF SOCIAL SECURITY NUMBERS AS STUDENT IDENTIFIERS IN REGION VII
We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.
Date: January 31, 2005
To: Ramona Schuenemeyer
Acting Regional Commissioner Kansas City
From: Inspector General
Subject: Universities' Use of Social Security Numbers as Student Identifiers in Region VII (A-07-05-15074)
Our objective was to assess universities' use of Social Security numbers (SSN) as student identifiers and the potential risks associated with such use.
Millions of students enroll in educational institutions each year. To assist in this process, many colleges and universities use students' SSNs as personal identifiers. The American Association of Collegiate Registrars and Admissions Officers found that almost half of member institutions that responded to a 2002 survey used SSNs as the primary student identifier. Although no single Federal law regulates overall use and disclosure of SSNs by colleges and universities, the Privacy Act of 1974, the Family Educational Rights and Privacy Act, and the Social Security Act, contain provisions that govern disclosure and use of SSNs. See Appendix B for more information on the specific provisions of these laws.
We selected a sample of eight universities in Region VII. For each selected university, we interviewed university personnel and reviewed the policies and practices for the use of SSNs. See Appendices C and D for additional details on the scope and methodology of our review and a list of the universities we contacted, respectively. We are conducting a nation-wide review in each of the Social Security Administration's (SSA) 10 regions and will issue separate reports to each Regional Commissioner.
RESULTS OF REVIEW
Based on interviews with personnel at eight universities and reviews of the universities' policies and practices, we identified six universities that used the SSN as the primary student identifier, even when another identifier would suffice. The unnecessary use of SSNs increases the potential for unscrupulous individuals to gain access to these numbers and misuse them, thus creating SSN integrity issues. To address such issues, two universities included in our review have taken steps to eliminate or reduce SSN use.
UNIVERSITIES USE SSN AS PRIMARY STUDENT IDENTIFIER
Universities typically collect student SSNs on admissions applications and financial aid forms. The universities use SSNs for a variety of purposes, such as applications for admissions, class registration, class rosters, grade reporting, computer log on, and transcript requests. Of the eight universities in our review, we found that six used the SSN as a primary student identifier because of computer system requirements, common historical practice, convenience, and identity verification. In addition, we found that one university displayed the SSN on student identification cards.
Of the six universities using the SSN as the primary student identifier, five plan to reduce the use of the SSN where possible within the next 2 years. The university that displayed the SSN on the student identification card plans to replace all student identification cards with cards that will not display the SSN within the next 2 years when its current computer system is replaced. However, none of the universities plan to completely eliminate use of the SSN as an identifier. Rather, the universities plan to use an alternate number as the primary student identifier. The SSN will continue to be used for such purposes as financial aid, Federal reporting, and payroll.
One university stated it had no plans to change or reduce the use of the SSN. The registrar at this university stated it had no reported problems as a result of using the SSN as a student identifier and believed it would be difficult to verify a student's identity with outside organizations, such as other universities or employers, if it discontinued use of the SSN.
UNIVERSITIES AND STATES LIMIT SSN USE
Recent incidences of identity theft at universities have led some schools to reconsider the practice of using SSNs as primary student identifiers. In fact, the University of Missouri-Columbia (MU) and Iowa State University (ISU) assign each student a unique identification number that becomes the student's primary university identification number.
MU assigns a six-digit university identification number to be used as the primary identifier for its students. Students, faculty, and staff use this number for most university transactions. The SSN remains in the university database as a secondary identifier. MU only uses the SSN when it is necessary to verify a student's identity and for Federal reporting, billing, and financial aid purposes. The university-assigned student identification number appears on student identification cards and most university reports instead of the SSN.
ISU assigns a nine-digit university identification number as the primary student identifier. However, students can be identified in the university computer system by either their SSN or the university identification number. In addition, students can log on to the university's system using either their SSN or their university identification number and a password. Students, faculty, and staff are encouraged to, and typically do, use the university-assigned identification number instead of the SSN. ISU has installed numeric keypads at its various student service centers where students type their university identification number or SSN. ISU uses the SSN as a secondary identifier and as required by law, for financial aid purposes and outside reporting. Also, the university eliminated the display of student SSNs on identification cards and reports.
Two of the four States in Region VII have passed legislation on the use or display of the SSN.
Kansas passed legislation that prohibits post-secondary educational institutions from printing or encoding a person's SSN on or into the person's identification card. In addition, any distinguishing identifier assigned to a person shall be unique to that person and shall not be based on the person's SSN.
Missouri passed legislation that prohibits any person or entity from publicly displaying a person's SSN and from requiring that a person send their SSN over the Internet without appropriate encryption or other security measures.
POTENTIAL RISKS ASSOCIATED WITH USING SSNs AS STUDENT IDENTIFIERS
Universities' use of SSNs as primary identification numbers entails certain risks, including potential identity theft and fraud. Each time an individual divulges his or her SSN, he or she is exposed to having the number stolen and used for unintended purposes. Since student identification cards typically display the student's picture, name, and identification number, their exposure to identity theft increases when the SSN is the student identification number. It is important for universities, as well as individuals, to help prevent identity theft and fraud to the extent possible by reducing this exposure.
Although we identified no instances of SSN misuse at the universities we reviewed in Region VII, below are examples from other universities that illustrate the risks of using SSNs.
A university professor in Washington was indicted on 33 counts of mail fraud in a scam using students' SSNs. The professor allegedly accessed the university's records system and used students' information to obtain new SSN cards by posing as a parent. The professor then allegedly used the SSNs to obtain credit cards and birth certificates.
California authorities arrested a man suspected of stealing the names and SSNs of 150 college students and using that information to obtain credit cards and charge over $200,000 in the students' names.
A New York school notified about 1,800 students that their SSNs and other personal information had been posted on a university website. The university shut the website down and apologized to the students in an e-mail.
A student at a Texas university was accused of hacking into the school's computer network and downloading the names and SSNs of over 55,000 students, faculty, and alumni.
A gentleman discovered a computer printout in a trash bin near a Pennsylvania university listing SSNs and other personal data for hundreds of students.
CONCLUSION AND RECOMMENDATIONS
Despite the potential risks associated with using SSNs as primary student identifiers, many universities continue this practice. We recognize the challenge of educating such a large number of universities. However, given the potential threats to SSN integrity, such a challenge should not discourage SSA from taking steps to safeguard SSNs. Given the potential risks for SSN misuse and identity theft, we believe SSA can better safeguard SSN integrity by educating universities about unnecessary SSN use.
Accordingly, we recommend that SSA:
1. Coordinate with colleges/universities and State/regional educational associations to educate the university community about the potential risks associated with using SSNs as student identifiers.
2. Encourage colleges and universities to limit their collection and use of SSNs.
3. Promote the best practices of educational institutions that no longer use SSNs as student identifiers.
SSA generally agreed with our recommendations. Regarding our second recommendation, SSA stated it may be impractical to encourage colleges and universities to limit their collection and use of SSNs because it is embedded in all aspects of our society. In response to our third recommendation, SSA suggested that the Deputy Commissioner for Operations establish an interactive website for educational institutions' use that allows for best practices to be posted and discussed. See Appendix E for the full text of SSA's comments.
We understand SSA may face difficulties in persuading some colleges and universities to limit their collection and use of the SSN given its widespread use as a primary identifier. However, as discussed in this report, there are many risks associated with the continued use of the SSN as a student identifier. Accordingly, SSA should encourage educational institutions to safeguard the use of the SSN and limit its collection and use whenever possible. We believe an interactive website that allows for best practices to be posted and discussed would be an effective forum to promote the practices of educational institutions that no longer use the SSN as student identifiers. Accordingly, we encourage the Regional Commissioner to work with the Deputy Commissioner for Operations to create a national website.
Patrick P. O'Carroll, Jr.
APPENDIX A - Acronyms
APPENDIX B - Federal Laws that Govern Disclosure and Use of the Social Security Number
APPENDIX C - Scope and Methodology
APPENDIX D - Universities Reviewed
APPENDIX E - Agency Comments
APPENDIX F - OIG Contacts and Staff Acknowledgments
FERPA Family Educational Rights and Privacy Act
ISU Iowa State University
MU University of Missouri-Columbia
SSA Social Security Administration
SSN Social Security Number
Federal Laws that Govern Disclosure and Use of the Social Security Number
The following Federal laws establish a general framework for disclosing and using the Social Security number (SSN).
The Privacy Act of 1974 (5 U.S.C. § 552a, note; Pub. L. No. 93-579, §§ 7 (a) and 7 (b))
The Privacy Act of 1974 provides that it is unlawful for a State government agency to deny any person a right, benefit, or privilege provided by law based on the individual's refusal to disclose his/her SSN, unless such disclosure was required to verify the individual's identity under a statute or regulation in effect before January 1, 1975. Further, under Section 7(b), a State agency requesting that an individual disclose his/her SSN must inform the individual whether the disclosure is voluntary or mandatory, by what statutory or other authority the SSN is solicited and what uses will be made of the SSN.
The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99)
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. FERPA applies to those schools that receive funds under an applicable program of the U.S. Department of Education. Under FERPA, an educational institution must have written permission from the parent or eligible student to release any personally identifiable information (which includes SSNs) from a student's education record. FERPA does, however, provide certain exceptions in which a school is allowed to disclose records without consent. These exceptions include disclosure without consent to university personnel internally who have a legitimate educational interest in the information, to officials of institutions where the student is seeking to enroll/transfer, to parties to whom the student is applying for financial aid, to the parent of a dependent student, to appropriate parties in compliance with a judicial order or lawfully issued subpoena, or to health care providers in the event of a health or safety emergency.
The Social Security Act
The Social Security Act provides that "Social Security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law, enacted on or after October 1, 1990, shall be confidential, and that no authorized person shall disclose any such Social Security account number or related record." (42 U.S.C. §405(c)(2)(C)(viii)). The Social Security Act also provides that "[w]hoever discloses, uses, or compels the disclosure of the social security number of any person in violation of the laws of the United States; shall be guilty of a felony " (42 U.S.C. §408(a)(8)).
Scope and Methodology
To accomplish our objective, we
selected 2 universities from each of the 4 States in Region VII - 1 university with more than 15,000 students and 1 university with less than 15,000 students;
interviewed selected university personnel responsible for student admissions, registration, or information systems either by on-site visit or teleconference;
reviewed Internet websites of 8 universities;
reviewed the Program Operations Manual System, applicable Federal laws as discussed in Appendix B, and applicable State laws; and
reviewed selected studies, articles, and reports regarding universities' use of Social Security numbers (SSNs) as student identifiers.
We visited four universities and conducted interviews via teleconference at four others to learn more about their policies and practices for using SSNs as student identifiers. Our review of internal controls was limited to gaining an understanding of universities' policies over the collection, protection, and use/disclosure of SSNs. The Social Security Administration entity reviewed was the Office of the Deputy Commissioner for Operations. We conducted our audit from July through September 2004 in accordance with generally accepted government
We interviewed personnel at eight universities in Region VII. The table below shows the names and locations of these schools as well as their total student enrollments.
Iowa State University
University of Missouri-Columbia
Kansas State University
University of Nebraska-Lincoln
Central Missouri State University
Emporia State University
Iowa Lakes Community College
Wayne State College
Source: We determined student enrollment by reviewing university websites or the following website: www.collegeboard.com
Date: January 7, 2005
To: Assistant Inspector General for Audit
From: Acting Regional Commissioner Kansas City Region
Subject: Draft Audit Report - Universities' Use of Social Security Numbers (SSN) as Student Identifiers in Region VII (A-07-05-15074)-Response
Thank you for the opportunity to review the draft audit report on Universities' use of the SSN as student identifiers in our region. We agree with the conclusions of your report. While we also generally agree with your recommendations, below are comments we would like to offer for each of your three recommendations.
1. "Coordinate with educational institutions/associations to educate about the potential risk of using SSNs as student identifiers."
Most of our field offices already have contact with university officials for enumeration purposes. We can and should use this forum to surface issues germane to safeguarding student SSNs. We have always tried to discourage any public or private entity from using the SSN as a primary identifier, and should continue to do so.
2. "Encourage colleges and universities to limit their collection and use of SSNs."
While we agree with this recommendation philosophically, we are concerned that it may be impractical to implement. The SSN is firmly embedded in almost every fiber of our society. It is essential for employment, banking, and governmental purposes. Virtually every student at every post-secondary educational institution fills out a financial aid profile/questionnaire prescribed by the Department of Education. The primary identifier beyond name and date of birth is the SSN. While we must encourage our educational institutions to safeguard SSNs and use them only as necessary, asking them to limit collection and use may encourage them to ignore our message entirely.
3. "Promote best practices of educational institutions that no longer use SSNs as student identifiers."
We agree this should be done. We would like to suggest you expand this recommendation. We recommend that Operations establish an interactive website for educational institution use that would allow for: 1) best practices to be posted, and 2) a forum for discussion of issues and concerns.
Again, thank you for the opportunity to comment on your findings. If your staff has questions, the contact in our Center for Program Support is John Gezich at 816-936-5649.
OIG Contacts and Staff Acknowledgments
Mark Bailey, Director (816) 936-5591
Ron Bussell, Audit Manager (816) 936-5577
In addition to those named above:
Tonya Coffelt, Auditor-in-Charge
Deb Taylor, Auditor
Kimberly Beauchamp, Writer-Editor
For additional copies of this report, please visit our web site at http://ww.ssa.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-08-01-11050.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Executive Operations (OEO). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.
Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.
Office of Executive Operations
OEO supports OIG by providing information resource management and systems security. OEO also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OEO is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.