www.rtoonline.com

Recommended Practices for Protecting Social Security Numbers
The Office of Privacy Protection’s recommendations are intended to serve as guidelines to assist organizations in moving towards the goal of aligning their practices with the widely accepted fair information practice principles described below. These recommended practices address, but are not limited to, the provisions of California Civil Code section 1798.85.

The recommendations are relevant for private and public sector organizations, and they apply to the handling of all SSNs in the possession of an organization: those of customers, employees and business partners.

  1. Reduce the collection of SSNs
    Collect SSNs preferably only where required to do so by federal or state law. When collecting SSNs as allowed, but not required, by law, do so only as reasonably necessary for the proper administration of lawful business activities. If a unique personal identifier is needed, develop your own as a substitute for the SSN; assign it at random, so that it can neither be derived from nor converted back into the SSN.
     

  2. Inform individuals when you request their SSNs
    Whenever you collect SSNs as required or allowed by law, inform the individuals of the purpose of the collection, the intended use, whether or not the law requires the number to be provided, and the consequences of not providing the number. If required by law, notify individuals (customers, employees, business partners, etc.) annually of their right to request that you not post or publicly display their SSN or do any of the other things prohibited in Civil Code Section 1798.85(a).
     

  3. Eliminate the public display of SSNs
    Do not put SSNs on documents that are widely seen by others, such as identification cards, badges, time cards, employee rosters, bulletin board postings, and other materials. Do not send documents with SSNs on them through the mail, except on applications or forms or when required by law. When sending applications, forms or other documents required by law to carry SSNs through the mail, place the SSN where it will not be revealed by an envelope window. Where possible, leave the SSN field on forms and applications blank and ask the individual to fill it in before returning the form or application. Do not send SSNs by email unless the connection is secure or the SSN is encrypted, and do not require an individual to send his or her SSN over the Internet or by email unless the connection is secure or the SSN is encrypted. Note that a secure connection protects a message only on the hop it covers, typically between a client and its mail server; encrypting the number itself protects it along the whole path and is therefore the stronger of the two options. Do not require individuals to use SSNs as passwords or codes for access to Internet web sites or other services.
     

  4. Control access to SSNs
    Limit access to records containing SSNs to those who need to see the numbers for the performance of their duties. Use logs or electronic audit trails to monitor employees' access to records with SSNs. Protect records containing SSNs, including back-ups, during storage by encrypting the numbers in electronic records or by storing records in other media in locked cabinets. Replacing the number with an unkeyed hash of it is not a substitute for encryption: there are fewer than a billion possible SSNs, so the entire space can be hashed and matched against stored values in minutes. Do not store records containing SSNs on computers or other electronic devices that are not secured against unauthorized access.

    Avoid sharing SSNs with other companies or organizations except where required by law. If you do share SSNs with other companies or organizations, including contractors, use written agreements to protect their confidentiality. Prohibit such third parties from re-disclosing SSNs, except as required by law. Require such third parties to use effective security controls on record systems containing SSNs. Hold such third parties accountable for compliance with the restrictions you impose, including monitoring or auditing their practices. If SSNs are disclosed inappropriately and the individuals whose SSNs were disclosed are put at risk of identity theft or other harm, promptly notify the individuals potentially affected.
     
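The controls in items 1 and 4 (a substitute identifier that is not derived from the SSN, encrypted storage, need-to-know access, and an audit trail of who looked at a number and why), together with the masked display form that items 3 and 5 call for, fit naturally into one small record service. The Go program below is an added example written for this page, not code from the Office of Privacy Protection or any product; the vault design, the `P-` surrogate identifier format, the principal names and the sample number 123-45-6789 are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// ssnPattern accepts the nine-digit form with or without the usual dashes.
var ssnPattern = regexp.MustCompile(`^[0-9]{3}-?[0-9]{2}-?[0-9]{4}$`)

// AccessEvent is one audit-trail entry; denied requests are recorded too.
type AccessEvent struct {
	When                         time.Time
	Principal, RecordID, Purpose string
	Allowed                      bool
}

// Vault keeps SSNs encrypted with AES-256-GCM; every other system refers to a person by the surrogate ID.
type Vault struct {
	aead     cipher.AEAD
	records  map[string][]byte // surrogate ID -> nonce || ciphertext
	readers  map[string]bool   // principals permitted to see a full SSN
	AuditLog []AccessEvent
}

// NewVault takes a 32-byte key (in practice held by a key-management service, not beside the records).
func NewVault(key []byte, readers map[string]bool) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}, readers: readers}, nil
}

// randomBytes panics if the OS CSPRNG fails; there is no safe fallback.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Store validates an SSN, encrypts it and returns a random surrogate ID that replaces it everywhere else.
func (v *Vault) Store(ssn string) (string, error) {
	if !ssnPattern.MatchString(ssn) {
		return "", errors.New("not a well-formed SSN")
	}
	id := fmt.Sprintf("P-%x", randomBytes(16)) // hypothetical ID format, unrelated to the SSN
	nonce := randomBytes(v.aead.NonceSize())
	// The ID is bound in as associated data: a ciphertext copied onto another record will not decrypt.
	ct := v.aead.Seal(nil, nonce, []byte(ssn), []byte(id))
	v.records[id] = append(nonce, ct...)
	return id, nil
}

// Reveal returns the full SSN to a permitted principal and logs the request whether or not it succeeds.
func (v *Vault) Reveal(principal, id, purpose string) (string, error) {
	allowed := v.readers[principal]
	v.AuditLog = append(v.AuditLog, AccessEvent{time.Now(), principal, id, purpose, allowed})
	if !allowed {
		return "", errors.New("principal is not permitted to view SSNs")
	}
	blob, ok := v.records[id]
	if !ok {
		return "", errors.New("unknown record")
	}
	pt, err := v.aead.Open(nil, blob[:v.aead.NonceSize()], blob[v.aead.NonceSize():], []byte(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Masked is the only form shown on screens and printouts outside the vault.
func Masked(ssn string) string {
	digits := strings.ReplaceAll(ssn, "-", "")
	if len(digits) != 9 {
		return "***-**-****"
	}
	return "***-**-" + digits[5:]
}

func main() {
	v, _ := NewVault(randomBytes(32), map[string]bool{"payroll-clerk": true})
	id, _ := v.Store("123-45-6789") // constructed sample value, not a real SSN
	_, denied := v.Reveal("intern", id, "browsing") // refused, but still logged
	full, _ := v.Reveal("payroll-clerk", id, "W-2 filing")
	fmt.Println(id, Masked("123-45-6789"), denied, full, len(v.AuditLog))
}
```

The surrogate ID is what payroll, HR and lookup screens carry; only the vault ever holds the key, so a copy of the record store alone reveals nothing. Binding the ID into the GCM associated data means a ciphertext moved between records fails to decrypt, and logging the denied request as well as the granted one gives the audit trail item 4 asks for. In a real deployment the key belongs in a key-management service and the audit log in append-only storage rather than process memory.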

  5. Protect SSNs with security safeguards
    Develop a written security plan for record systems that contain SSNs. Develop written policies for protecting the confidentiality of SSNs, including but not limited to the following. Adopt a "clean desk/work area" policy requiring employees to properly secure records containing SSNs. Do not leave voice mail messages containing SSNs, and if you must send an SSN by fax, take special measures to ensure confidentiality. Require employees to ask individuals (employees, customers, etc.) for identifiers other than the SSN when looking up records for the individual. Require employees to promptly report any inappropriate disclosure or loss of records containing SSNs to their supervisors or to the organization's privacy officer. When discarding or destroying records in any medium containing SSNs, do so in a way that protects their confidentiality, such as shredding.
     

  6. Make your organization accountable for protecting SSNs
    Provide training and written material for employees on their responsibilities in handling SSNs. Conduct training at least annually.  Train all new employees, temporary employees and contract employees.  Impose discipline on employees for non-compliance with organizational policies and practices for protecting SSNs.  Conduct risk assessments and regular audits of record systems containing SSNs.  Designate someone in the organization as responsible for ensuring compliance with policies and procedures for protecting SSNs.