As colleges and universities collect more and more sensitive, personal electronic information, they become more and more likely to experience a “data breach.” Although institutions spend considerable time focusing on high-tech solutions to help guard their data against criminal activity, low-tech strategies can prove equally effective. One low-tech strategy is simply to stop putting a student’s personal information (“PI”) on university forms and documents when it is not necessary, such as a student’s social security number on a transcript.
More than 13 percent of colleges and universities still include a student’s full social security number on transcripts
A recent survey by the American Association of Collegiate Registrars and Admissions Officers found that 13% of colleges and universities still include a full social security number on a student’s transcript. The survey also found that 39% of institutions include at least the last four digits of the social security number on the transcript.
A transcript containing a social security number is PI that can trigger reporting obligations under state data privacy laws
A transcript containing a student’s name and full social security number is PI under every state’s data privacy laws. And the unauthorized disclosure of such a transcript—regardless of whether the disclosure is inadvertent or due to illegal activity—will likely trigger reporting obligations in every state.
Redacting a portion of the social security number from the transcript is not a panacea for the privacy concerns, because states view redacted social security numbers differently. For example, states like Iowa exclude a social security number from their definition of PI if it is redacted down to 5 digits, but states like North Carolina only exclude a social security number from their definition of PI if it is redacted down to 4 digits. Furthermore, some states do not expressly define the term “redacted” in their data privacy laws at all.
To complicate the matter further, the data privacy laws of the state where the student lives at the time of the unauthorized access or disclosure—not the laws of the state where the institution is located—will drive the breach and notification analysis. Students commonly transfer to institutions in other states, and many students will move to a different state following graduation. For that reason, your institution’s redaction practices may comply with your state’s data privacy laws, but your state’s laws may not be the applicable law when analyzing your notification obligations after a breach.
The simple solution to this multi-variable analysis is to just stop putting a student’s social security number on the transcript.
What this means for your institution
Out of habit, and with good intentions, colleges and universities commonly turn an otherwise innocuous file or document into sensitive electronic information by including unnecessary PI in the document. Breaking the habit and removing PI from institutional forms and documents is a simple, low-tech strategy that will help reduce your institution’s risk of a “data breach.”