This guidance is provided by Waller, Lansden, Dortch & Davis, LLP in partnership with TICUA, is for
informational purposes only, does not create an attorney-client relationship, and does not constitute legal advice.
Please contact your institution’s counsel for legal advice on the information provided herein.
FERPA AND SOCIAL SECURITY NUMBERS
FREQUENTLY ASKED QUESTIONS
This guidance addresses the use of Social Security Numbers (SSNs) by educational
institutions for various student identification purposes, the current trend of moving away from
SSNs as student identifiers in favor of “alternative identifiers” to minimize the risk of inadvertent
disclosure, and frequently asked questions about legal compliance under the Family Educational
Rights and Privacy Act (FERPA) when SSNs are used by an educational institution in some
capacity.
Identity theft has become an increasingly prevalent crime in the United States, with over
12 million Americans victimized each year.i The routine use of SSNs by an organization
increases overall exposure to identity theft.ii Recognizing this new reality, the Social Security
Administration has concluded that the use of SSNs for academic purposes -- including class
registration, class rosters, computer logins, exams, grade reports, ID Cards, and notices -increases the likelihood of unauthorized disclosure of SSNs.iii
The Social Security
Administration for several years has recommended that educational institutions use alternative
identifiers for students instead of SSNs. Consistent with this guidance, the clear trend among
post-secondary institutions is toward alternative identifiers for ordinary identification and
authentication purposes in order to protect privacy and limit the unintended disclosure of
students’ SSNs. The Department of Education has followed suit and is also strongly
encouraging this trend.iv Additionally, the Family Policy Compliance Office (FPCO) considers
SSNs as “high risk records” and places a greater burden on institutions to protect this
information from theft.v
Under FERPA, a student’s SSN is considered personally identifiable information and
cannot be disclosed without a student’s consent.vi In accordance with FERPA’s regulations,
post-secondary institutions are prohibited from designating SSNs as directory information (i.e.,
information that may be released to third parties without a student’s consent).vii They are also
prohibited from disclosing or confirming directory information if a student’s SSN is used to
identify or help identify the student or the student’s records (e.g., the last four digits).viii This
means that school officials cannot request or acknowledge any part of a student’s SSN to help
identify a student or his/her education records, and that SSNs cannot be displayed publicly, or
printed on an identification card, meal card, or badge.
While the clear trend is to replace the routine use of SSNs with alternative identifiers,
careful and limited use of SSNs is still legal in most states. If your institution currently
uses SSNs to identify students for routine identification and authentication purposes, or is in the
process of replacing SSNs with alternative identifiers, below are frequently asked questions and
answers addressing the use of SSNs in a manner consistent with FERPA.
10837938.2
This guidance is provided by Waller, Lansden, Dortch & Davis, LLP in partnership with TICUA, is for
informational purposes only, does not create an attorney-client relationship, and does not constitute legal advice.
Please contact your institution’s counsel for legal advice on the information provided herein.
1.
Can an institution set as a default password a student’s SSN for purposes of
accessing its computer and email systems?
Probably yes, although it is not advised if there is a reasonable alternative to use as a
default. The FPCO has not provided any guidance on this issue. Based upon FERPA’s
regulations, SSNs may be used to search electronic databases as long as they are not disclosed,
without consent, to third parties.ix The primary focus of the regulations is to prohibit the
disclosure of SSNs to individuals who do not have a legitimate educational interest in obtaining
this information.x Assuming that the default password is only known to the student and an
individual with a legitimate educational interest (e.g., the IT staff member whose job requires
him/her to set and provide email or system access to students), FERPA would not prohibit this
practice. Note, however, that using SSNs to access computer log-in systems may increase the
risk of unauthorized disclosure and is considered by the Social Security Administration as a
practice to avoid.
2.
Can SSNs be used as student identification numbers?
Yes. FERPA permits post-secondary institutions to use SSNs for purposes of student
identification numbers.xi That said, and as discussed above, the Social Security Administration
and the Department of Education recommend the use of alternative identifiers in lieu of SSNs,
and as discussed above, this is the clear trend among post-secondary institutions.
3.
Can the last four-digits of an SSN be used to identify grades publicly?
No. The FPCO prohibits post-secondary institutions from posting grades along with
portions of a student’s SSN.xii According to the FPCO, even a portion of a student’s SSN is
considered personally identifiable information that cannot be disclosed without consent of the
student.xiii
4.
Can a non-SSN student identification number be used to identify grades publicly?
No. An institution cannot publicly display a student’s identification number if it gives
others without a legitimate educational interest direct access to a student’s education records.
Even if your institution no longer uses SSNs as student identification numbers, a student ID may
only be designated as directory information if there are additional factors that can be used to
authenticate the student’s identity to gain access to his/her education records (e.g., personal
identification number, password or other factor known or possessed only by the student).xiv
5.
Can a student’s SSN be used to interface with databases maintained by third
parties?
No. A student’s SSN cannot be used to interface with databases maintained by third
parties unless one of the exceptions under FERPA applies such as the third party is an authorized
representative of the Department of Education or the student’s lender/guarantor. This would
represent a disclosure of personally identifiable information in violation of FERPA.
10837938.2
This guidance is provided by Waller, Lansden, Dortch & Davis, LLP in partnership with TICUA, is for
informational purposes only, does not create an attorney-client relationship, and does not constitute legal advice.
Please contact your institution’s counsel for legal advice on the information provided herein.
6.
If students’ SSNs are used as student identification numbers, what steps should be
taken to keep this information confidential?
The FPCO encourages institutions to use best practices regarding the protection of
students’ SSNs and recommends that SSNs be restricted to internal use and for financial aid
purposes, unless authorized or required to be disclosed in accordance with state or federal law, or
a court order. To that end, we recommend that access to student SSNs or documents containing
SSNs be restricted to employees with legitimate educational interests, and that appropriate
oversight and training be implemented to comply with FERPA’s requirements.
i
Identity Theft Assistance Center at http://www.identitytheftassistance.org/pageview.php?cateid=47 (last visited
May 24, 2013).
ii
Avoid Identity Theft: Protect Social Security Numbers, Social Security Administration at
http://www.ssa.gov/phila/ProtectingSSNs.htm#best (last visited May 24, 2013).
iii
Practices to Avoid, Social Security Administration at http://socialsecurity.gov/kc/id_practices_avoid.htm (last
visited May 24, 2013).
iv
Avoid Identity Theft: Protect Social Security Numbers, Social Security Administration at
http://www.ssa.gov/phila/ProtectingSSNs.htm#best (last visited May 24, 2013); 34 C.F.R. Part 99, Final Rules (Dec.
9, 2008).
v
Section-by-Section Analysis of 34 C.F.R. Part 99 (December 2008) at
http://www2.ed.gov/policy/gen/guid/fpco/pdf/ht12-17-08-att.pdf.
vi
34 C.F.R. §99.3.
vii
Id.
viii
34 C.F.R. §99.37.
ix
34 C.F.R. Part 99, Final Rules (Dec. 9, 2008).
x
Id.
xi
Id.
xii
2001 FPCO Letter to Hunter College re: posting grades by last four digits of social security number (05/29/01).
xiii
Id.
xiv
34 C.F.R. §99.3.
10837938.2