Destruction Policy

3.400 POLICIES FOR THE DESTRUCTION OF RECORDS CONTAINING SOCIAL SECURITY NUMBERS

These policies are needed to curb the growing problem of identity theft. Identity theft occurs when a criminal uses another person's personal information to take on that person's identity. The intent of these policies is to protect individuals from identity theft by eliminating unauthorized access to social security numbers in college records.

Definitions:

Electronic Record -- Records created or stored by electronic means, including but not limited to, computer files and optically scanned files on tapes, disks, cd-roms or internal memory.

Erasure -- To remove electronic information so that it cannot be retrieved from the media on which the information is stored.

Shredding -- A means of destroying paper records by mechanical cutting.

Purpose:

All departments are obligated to protect social security numbers that may be contained in college records to prevent the misuse of personal information. Any college records, regardless of media, that contain social security numbers are to be destroyed in a manner that protects the confidentiality of the information. These records are to be destroyed, made undecipherable or erased so as to make the social security numbers unreadable by any means.

Procedures:

  1. Paper Records -- There are several accepted methods to destroy paper records containing social security numbers. The acceptable methods of hardcopy records destruction are as follows:
    1. Shredding - Shredding involves the use of a mechanical cutter to cut the paper in such a way as to render the document unreadable.
    2. Pulping -- Paper is macerated, mixed with water and turned into mash of paper fibers and liquids.
    3. Incineration -- Placing the paper into a furnace and destroying them completely by burning.
  2. Electronic Records - Unlike a paper record where you can visibly determine if the document is unreadable, electronic records require special handling to make information unreadable. The decentralization of computer-based information also results in information being stored on multiple computers, on back-up tapes and portable media. In addition to discrete electronic documents, social security numbers may also be contained as a field(s) in databases or other files. In such cases, the issue is removing the data contained within a field as well as the disposition of the entire file. Processes to protect and destroy social security numbers in electronic format and stored on information or record-keeping systems must be established.
    1. Security -- Access to information containing social security information must be restricted to those with a need to know or use. Security parameters of information systems must be established to restrict access to data to only the employees who legitimately work with this information. If the information system is connected to the Internet, it must be protected by a firewall, at a minimum and with encryption, secure socket layer (SSL) preferred.
    2. Control -- Limit the number of places where social security numbers are stored in info systems, and limit the locations within each system. Limit the amount of information that is retained on local computers; identify back-up tapes and what is done with them. If tapes, CDs or other removable media are used to store information containing social security numbers, the removable media must be retained in a secure location.
  3. Records Retention -- Determine if the social security numbers are required as part of the records series. If not, do not retain this data. Determine if the records are covered by a records retention schedule and that the retention schedules are being followed.
  4. Destruction -- When the records retention period has expired and the information needs to be destroyed, choose an appropriate method to protect the social security numbers.
    1. Files on a personal computer require that the information is not only deleted but also overwritten to prevent the information from being reconstructed. "Shredder" programs are available that overwrite the data with meaningless data multiple times to totally obliterate the original data.
    2. Back-up tapes should be overwritten at the earliest possible time. These tapes should not be held longer than the retention period for the information retained on them.
    3. Floppy disks, tapes and other magnetic storage devices must also have the data on them overwritten to protect the social security numbers stored on them. These materials can be shredded in a shredder to insure that the information is totally destroyed -they may be exposed to a powerful magnetic field several times to disrupt the information stored on them or they could be incinerated. If magnetic media is used, the data must be reviewed to ensure that the social security numbers are not retrievable unusable. If possible, they should be shredded.
    4. When disposing of computers that contain social security numbers or other privacy-protected information, care should be taken to protect the information that was stored in them. The hard drives should be wiped clean and inspected to make sure no privacy protected data remains. It may be necessary to remove the hard drive and dispose of it separately. Alternatively, the system can be programmed to change all social security numbers to 999-99-9999 before deleting files to make the data useless even if the file is captured.