SWAN (System Wide Automated Network) adopts this Identity Protection Policy pursuant to the Identity Protection Act, 5 ILCS 179/1 et seq. The Identity Protection Act requires units of local government to approve and implement an Identity Protection Policy to ensure the confidentiality and integrity of Social Security Numbers which agencies collect, maintain, and use. It is important to safeguard Social Security Numbers (SSNs) against unauthorized access as SSNs can be used to facilitate identity theft. One way to better protect SSNs is to limit the widespread dissemination of SSNs. The Identity Protection Act was passed in part to require government agencies to assess their personal information collection practices and make necessary changes to those practices to ensure confidentiality of SSNs.
Social Security Number protections
SWAN shall not:
- Publicly post or publicly display in any manner an individual's SSN. "Publicly post" or "publicly display" means to intentionally communicate or otherwise intentionally make available to the general public.
- Print an individual's SSN on any card required for the individual to access products or services provided by the person or entity.
- Require an individual to transmit a SSN over the Internet, unless the connection is secure or the
- SSN is encrypted.
- Print an individual's SSN on any materials that are mailed to the individual, through the U.S. Postal Service, any private mail service, electronic mail, or any similar method delivery, unless State or federal law requires the SSN to be on the document to be mailed. SSNs may be included in applications and forms sent by mail, including, but not limited to, any material mailed in connection with the administration of the Unemployment Insurance Act, any material mailed in connection with any tax administered by the Department of Revenue, and documents sent as part of an application or enrollment process or to establish, amend, or terminate an account, contract, or policy or to confirm the accuracy of the SSN. A SSN that is permissibly mailed will not be printed, in whole or in part, on a postcard or other mailer that does not require an envelope or be visible on an envelope without the envelope having been opened.
In addition, SWAN shall not:
- Collect, use, or disclose a SSN from an individual unless:
- Required to do so under State or federal law, rules or regulations, or the collection, use or disclosure of the SSN is otherwise necessary for the performance of SWAN's duties and responsibilities;
- The need and purpose for the SSN number is documented before collection of the SSN; and
- The SSN collected is relevant to the documented need and purpose.
- Require an individual to use his or her SSN to access an Internet website;
- Use the SSN for any purpose other than the purpose for which it was collected.
Requirements to redact Social Security Numbers
SWAN shall comply with the provisions of any other State law with respect to allowing the public inspection and copying of information or documents containing all or any portion of an individual's SSN. SWAN shall redact SSN's from the information or documents before allowing the public inspection or copying of the information or documents.
These prohibitions do not apply in the following circumstances:
- The disclosure of SSN to agents, employees, contractors, or subcontractors of a governmental entity or disclosure by a governmental entity to another governmental entity or its agents, employees, contractors, or subcontractors if disclosure is necessary in order for the entity to perform its duties and responsibilities; and, if disclosing to a contractor or subcontractor, prior to such disclosure, the governmental entity must first receive from the contractor or subcontractor a copy of the contractor's or subcontractor's policy that sets forth how the requirements imposed under this Act on a governmental entity to protect an individual's Social Security number will be achieved.
- The disclosure of Social Security numbers pursuant to a court order, warrant, or subpoena.
- The collection, use, or disclosure of Social Security numbers in order to ensure the safety of: State and local government employees; persons committed to correctional facilities, local jails, and other law enforcement facilities or retention centers; wards of the State; and all persons working in or visiting a State or local government agency facility.
- The collection, use or disclosure of Social Security numbers for internal verification or administrative purposes.
- The disclosure of Social Security numbers by a State agency to any entity for the collection of delinquent child support or of any State debt or to a governmental agency to assist with an investigation or the prevention of fraud.
- The collection or use of Social Security numbers to investigate or prevent fraud, to conduct background checks, to collect a debt, to obtain a credit report from a consumer reporting agency under the federal Fair Credit Reporting Act, to undertake any permissible purpose that is enumerated under the federal Gramm Leach Bliley Act, or to locate a missing person, a lost relative, or a person who is due a benefit, such as a pension benefit or an unclaimed property benefit.
When collecting SSNs, SWAN shall request each SSN in a manner that makes the SSN easily redacted if required to be released as part of a public records request. "Redact" means to alter or truncate data so that no more than five sequential digits for a SSN are accessible as part of personal information.
Employee access to Social Security Numbers
Only employees who are required to use or handle information or documents that contain SSNs will have access. All employees who have access to SSNs are trained to protect the confidentiality of SSNs.
Approved by the SWAN Board on 10/16/2015.