OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

UNIVERSITIES' USE OF SOCIAL
SECURITY NUMBERS AS STUDENT
IDENTIFIERS IN REGION II

July 2005

A-02-05-25104

AUDIT REPORT


Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.

MEMORANDUM

Date: July 27, 2005

To: Beatrice M. Disman
Regional Commissioner New York

From: Inspector General

Subject: Universities' Use of Social Security Numbers as Student Identifiers in Region II (A-02-05-25104)

OBJECTIVE

Our objective was to assess universities' use of Social Security numbers (SSN) as student identifiers in Region II and the potential risks associated with such use.

BACKGROUND

Millions of students enroll in educational institutions each year. To assist in this process, many colleges and universities use students' SSNs as personal identifiers. The American Association of Collegiate Registrars and Admissions Officers found that almost half (1,036) of member institutions that responded to a 2002 survey used SSNs as the primary student identifier.

The potential for identity theft increases each time an individual's SSN is divulged. Recent incidents of identity theft at universities have led some schools to reconsider the practice of using SSNs as the primary student identifier. However, at many universities, students continue to be identified by their SSN.

The Privacy Act of 1974, Family Educational Rights and Privacy Act (FERPA), Social Security Act, and New York State Educational Law contain provisions that govern disclosure and use of SSNs. For example, FERPA requires that educational institutions, which receive funds under an applicable program of the U.S. Department of Education, have written permission from the parent or eligible student to release or display any personally identifiable information from a student's education record.
Similarly, the New York State Educational Law prohibits, in most cases, universities in New York State from displaying SSNs on students' public listing of grades, class rosters or other lists provided to teachers; student identification (ID) cards; or in student directories or similar listings. See Appendix B for more information on specific legal provisions.

We selected a sample of seven universities in Region II. For each selected school, we interviewed university personnel and reviewed school policies and practices for the use of SSNs. We also coordinated with the Social Security Administration's Office of General Counsel and the Department of Education's Office of the Inspector General for further clarification on laws related to universities' use of SSNs. See Appendix C for a full description of our scope and methodology.

RESULTS OF REVIEW

Our review showed that the SSN was the primary method of student ID for four of the seven universities we selected. We also identified three universities in the region that did not use the SSN as the primary student identifier. The use of the SSN as the primary student identifier made the SSN vulnerable to risk of identity theft.

FOUR UNIVERSITIES USED THE SSN AS PRIMARY STUDENT IDENTIFIER

Despite the increasing threat of identity theft, officials from four universities stated that their schools used the SSN as the primary student identifier. Two examples follow.

ID Cards: Officials from three of the four universities stated the SSN appeared on student ID cards. One university official stated that students' SSNs were displayed on the back of ID cards. In general, the student SSN was also printed on receipts from the library and bookstore and on overdue book notices that were mailed to students.

Postcards: Officials from three universities stated that SSNs were collected on postcards. The postcards were sent to students from their respective schools to obtain information.

In addition, we found that officials from each of the four universities stated the SSN was used to access the Internet and/or other computer systems. Although the Internet and most computer systems use encryption to prevent identity theft, it is still possible the systems could be hacked. Additionally, in some cases, forms that were accessible to students in the universities' computer systems clearly displayed students' SSNs when they were printed.

When asked why the SSN was used as a student identifier, some officials informed us they were unaware of any legislation limiting the use of the SSN. Those who were aware of legislation cited the cost of converting to a new identifier system as a barrier. One official stated that plans to eliminate the use of SSNs as the primary student identifier have been addressed but have not yet been formally adopted. The clear display of students' SSNs on cards and documents that may have been seen and accessed by other individuals made the number vulnerable to identity theft.

THREE UNIVERSITIES DID NOT USE THE SSN AS PRIMARY STUDENT IDENTIFIER

Our review found that three universities did not use the SSN as the primary student identifier. An official from one of the universities in New Jersey selected for our review stated they no longer used the SSN as the primary student identifier. New York has enacted a law that regulates universities' SSN use. The New York State Education Law prohibits the display of a student's SSN on "…public listing[s] of grades, on class rosters or other lists provided to teachers, student identification cards, [and] in student directories or similar listings…unless specifically authorized or required by law...." Accordingly, the two universities in New York did not use the SSN as the primary student identifier.

In previous preliminary research conducted by the Office of the Inspector General, which did not result in an audit report, one of the universities selected in New York State for our review requested students' SSNs on postcards. The university has changed this practice. A university official stated that the SSN was no longer requested on postcards.

The same official informed us the university did not use the SSN as the primary student ID. The university uses a computer-generated student ID number as a primary student ID. When registering for classes, students use a logon ID and password. The last six digits of the SSN are the initial password, but students are prompted to change this at the first logon. The same course of action applies when students initially access on-line services. However, the requirement to enter the last six digits of the SSN will be eliminated when the university's new Student Information System is implemented, tentatively scheduled for 2007. Although the school's undergraduate and graduate admission applications request the SSN, we noted that providing an SSN was not mandatory for admission.

An official at the other New York State university stated that the school did not use the SSN as the primary student identifier. Specifically, a new system of ID was implemented in November 2002. This conversion was done to comply with the New York State Education Law regarding the use and display of the SSN. The system generates ID numbers for students. According to university personnel, these ID numbers are called X-numbers (eight-digit ID numbers beginning with the letter X).

All university employees and students have X-numbers for ID. On-line services at the university do not require the student's SSN. The SSN appears as an asterisk on the form for requesting transcripts.

CONCLUSION AND RECOMMENDATIONS

We found that SSNs were vulnerable to identity theft at four of the universities we contacted since they used the SSN as a primary student ID. The schools used the SSNs in ways that potentially exposed them to individuals other than the numberholders. While we recognize the Social Security Administration cannot directly prohibit universities from using SSNs, it can help reduce potential threats by encouraging schools to limit SSN use. Additionally, the Department of Education's Family Policy Compliance Office provides technical assistance to universities covered by FERPA to ensure compliance with the Act. The Social Security Administration could work with the Family Policy Compliance Office to help better educate universities that appear to be in noncompliance with FERPA.

Accordingly, we recommend that the Regional Commissioner:

1. Contact the universities that used the SSN as the primary student identifier, and others in the region, to educate the community about the potential risks associated with using SSNs as student identifiers.

2. Ask the Department of Education's Family Policy Compliance Office to assist those universities in Region II that use the SSN as the primary student identifier to ensure they are complying with FERPA.

AGENCY COMMENTS

The Agency agreed with our recommendations and has initiated corrective actions. The Agency's comments are included in Appendix D.

Patrick P. O'Carroll, Jr.

Appendices
APPENDIX A - Acronyms
APPENDIX B - Federal and State Laws that Govern Disclosure and Use of the Social Security Number
APPENDIX C - Scope and Methodology
APPENDIX D - Agency Comments
APPENDIX E - OIG Contacts and Staff Acknowledgments

Appendix A
Acronyms

C.F.R. Code of Federal Regulations
FERPA Family Educational Rights and Privacy Act
ID Identification
OIG Office of the Inspector General
Pub. L. No. Public Law Number
SSN Social Security Number
U.S.C. United States Code

Appendix B
Federal and State Laws that Govern Disclosure and Use of the Social Security Number

The following laws establish a general framework for disclosing and using the Social Security number (SSN).

The Privacy Act of 1974 (5 U.S.C. § 552a; Pub. L. No. 93-579, §§ 7(a) and 7(b))

The Privacy Act of 1974 provides that it is unlawful for a State government agency to deny any person a right, benefit, or privilege provided by law based on the individual's refusal to disclose their SSN, unless such disclosure was required to verify the individual's identity under a statute or regulation in effect before January 1, 1975. Further, under Section 7(b), a State agency requesting that an individual disclose their SSN must inform the individual whether the disclosure is voluntary or mandatory, by what statutory or other authority the SSN is solicited, and what uses will be made of the SSN.

The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99)

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. FERPA applies to those schools that receive funds under an applicable program of the U.S. Department of Education. Under FERPA, an educational institution must have written permission from the parent or eligible student to release any personally identifiable information (which includes SSNs) from a student's education record. FERPA does, however, provide certain exceptions in which a school is allowed to disclose records without consent. These exceptions include disclosure without consent to university personnel internally who have a legitimate educational interest in the information, to officials of institutions where the student is seeking to enroll/transfer, to parties to whom the student is applying for financial aid, to the parent of a dependent student, to appropriate parties in compliance with a judicial order or lawfully issued subpoena, or to health care providers in the event of a health or safety emergency.

The Social Security Act

The Social Security Act states, "[s]ocial security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law, enacted on or after October 1, 1990, shall be confidential, and no authorized person shall disclose any such social security account number or related record." (42 U.S.C. § 405(c)(2)(C)(viii)). The Social Security Act also states, "…[w]hoever discloses, uses, or compels the disclosure of the social security number of any person in violation of the laws of the United States; shall be guilty of a felony…" (42 U.S.C. § 408(a)(8)).

New York Education Code (NY CLS Edu § 2-b.)

Use of student SSNs is restricted. "No public or private… [university] shall display any student's social security number to identify such student for posting or public listing of grades, on class rosters or other lists provided to teachers, on student identification cards, in student directories or similar listings, or, unless specifically authorized or required by law, for any public identification purpose."

New Jersey Annotated Statutes (N.J. Stat §18A:3-28)

Use of student SSNs is restricted. "No public or independent institution of higher education in the State shall display any student's social security number to identify that student for posting or public listing of grades, on class rosters or other lists provided to teachers, on student identification cards, in student directories or similar listings, unless otherwise required in accordance with applicable State or federal law." This law becomes effective January 26, 2006.

Appendix C
Scope and Methodology

To accomplish our objective, we:

interviewed selected university personnel responsible for student admissions/registrations;

reviewed Internet websites of seven universities that we either visited or interviewed by telephone;

reviewed applicable laws and regulations;

reviewed selected studies, articles and reports regarding universities' use of Social Security numbers (SSNs) as student identifiers;

coordinated with the Social Security Administration's Office of General Counsel in Region II and the Department of Education Office of the Inspector General to further clarify use of SSNs as a primary student identifier as it relates to universities.

We visited two universities and conducted telephone interviews with officials at five other universities to assess their uses of the SSNs as student identifiers. The scope of our audit was to select two universities in each area of Region II. In each area, 1 university had an enrollment of 15,000 or more students, and the other had an enrollment of 14,999 or fewer. Our review of internal controls was limited to gaining an understanding of universities' policies over the collection, protection, use and disclosure of SSNs. We conducted our field work from December 2004 through February 2005. Our audit was conducted in accordance with generally accepted government auditing standards.

Appendix D
Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date: July 14, 2005

To: Inspector General
From: Regional Commissioner New York
Subject: OIG Draft Report On Universities' Use Of Social Security Numbers As Student Identifiers in Region II, Audit No. 22005016 - REPLY

We have reviewed the draft report and are in agreement with the recommendations made by the OIG. Following are our actions to date:

Recommendation 1: Three of the universities that used the SSN as the primary student identifier are located in Puerto Rico and the fourth is in New Jersey. We have asked our Area Directors for those geographic areas to initiate our efforts to meet with the universities.

Recommendation 2: We will ask, if necessary, the Department of Education's Family Policy Compliance Office to assist those universities that use the SSN as the primary student identifier to ensure they are complying with FERPA.

Should your staff have any questions, they may contact Dennis Mass, Director, Center for Programs Support at 212 264-4004.

Beatrice M. Disman

Appendix E
OIG Contacts and Staff Acknowledgments
OIG Contacts
Tim Nee, Director, (212) 264-5295
Vicki Abril, Lead Auditor, (212) 264-0504

Acknowledgments
In addition to those named above:
Abraham Pierre, Auditor in Charge
Denise Molloy, Program Analyst

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-02-05-25104.

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Executive Operations (OEO). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OEO is the focal point for OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.