Guidance for Departments Scanning for SSNs Stored on Servers and Workstations

Some University business and academic processes require the storage of Social Security numbers, but many campus units continue to store SSNs for processes where they are not explicitly required. In many cases, this is inadvertent and is a result of legacy practices and systems. Security breaches that expose Social Security numbers pose a significant reputational, financial, and legal risk to our University, so it is in our best interest to limit our potential exposure to these incidents by inventorying and removing SSNs from business processes and systems that do not require them.

The Electronic Communications Policy (ECP) protects the privacy of Electronic Communications Records:

“The University recognizes that principles of academic freedom and shared governance, freedom of speech, and privacy hold important implications for the use of electronic communications. This Policy reflects these firmly-held principles within the context of the University’s legal and other obligations. The University respects the privacy of electronic communications in the same way that it respects the privacy of paper correspondence and telephone conversations, while seeking to ensure that University administrative records are accessible for the conduct of the University’s business.”

Therefore, guidelines are provided to assist campus units in inventorying SSNs with tools such as Identity Finder or Spider while still complying with University policy. These guidelines are available on the Berkeley Ethics website as a PDF.