Social Security Numbers

Social security numbers are a subset of Institutional Data and they are also Personally Identifiable Information, as defined by the Family Education Rights and Privacy Act (FERPA). Social Security Numbers, when combined with a person’s name, are also Personal Information under the Massachusetts Data Privacy Laws and Regulations. They are Regulated Institutional Data, under the Information Classification and Handling Policy, and should be handled with the highest level of confidentiality and security. Social Security numbers are also included as Sensitive Personal Information in the University’s Information Steward Program.


The University must comply with FERPA and the Massachusetts Data Privacy Laws and all staff, faculty and students are required to follow the University’s policies.

Getting Started

  1. Review your business practices with your Information Steward and run an Identity Finder scan to see if you have caches of Social Security numbers in your department. Also, consider whether you have any paper documents that include Social Security Numbers. In this process, evaluate with your Information Steward your business need for this information.
  2. If you determine that you have a business need to store Social Security numbers, keep them on network drives or in applications. approved by TTS for Social Security numbers, with strictly limited access. If you no longer have a business need for the information, securely delete the files.
  3. Review with your Information Steward appropriate use and storage of Social Security numbers, including not using unencrypted email, not storing the information on a laptop or other mobile device that is not encrypted and storing paper records in a locked container in a secure, locked location.
  4. Comply with the Tips and Guidelines for Sensitive Personal Information. The Sensitive Personal Information Guide is also available as a quick summary.


Guide to Massachusetts Data Privacy Laws
FERPA Policy
Information Classification and Handling Policy
University Records Policy
Confidential Records Destruction