Data Reduction for Staff and Faculty

If you have stored Restricted/PHI data, such as SSNs, on your computer, departmental server, UABFile drive or in cloud storage such as OneDrive or Box, you need to review your files and delete or redact any information that is no longer needed. This guide is meant to help staff and faculty find and remove Restricted/PHI data in support of a university-wide initiative to secure student and staff data.

In early 2017, UAB launched a campaign to reduce the number of sensitive records stored in distributed servers across campus by 25 percent in 2017 and 10 percent annually thereafter. Read the memo from CIO Dr. Curtis A. Carver Jr. regarding establishment of an Information Security Liaison program to assist with reduction of sensitive information.

Legal Requirements and University Policies

Due to the increasing threat of identity theft and fraud, State and Federal governments have created privacy laws and the University of Alabama at Birmingham has adopted internal policies that require the security and privacy of an individual's Social Security Number.

University guidelines advise against:
  • Collecting, storing or processing SSN data unless there is a need to do so
  • The transmission of SSN information over public networks without encryption
  • Retention of SSN data beyond its useful life
  • Storing SSN data without encryption

Records Retention

The University of Alabama at Birmingham retains paper and electronic records in accordance with the University’s Records Retention Schedule. Any confidential records which are not required by law or policy for retention should be securely destroyed.

Please note: It is the position of the University of Alabama at Birmingham that it is lawful and permissible to redact Social Security Numbers from archived electronic or paper records for the purposes of identity protection.

Data Reduction

There are four options for dealing with Restricted/PHI data, such as SSNs:

  • Removing: If you do not need the file, delete or shred it. According to the UAB Records Retention Schedule, coursework only needs to be retained for a semester after it is submitted, if the grade is uncontested.
  • Redacting: If the file is necessary, but the SSN is not, redact it by replacing it with Xs or using a black marker on paper documents.
  • Replacing:
    • If the SSN serves as an identifier, replace it with another appropriate identifier. (Identifier: A unique name or number used in a business process to ensure a specific person is linked with a file or document. Examples include using a Student ID on exams or projects, or including an SSN on financial documents or tax forms.)
    • If the SSN serves as an authenticator, use a different authenticator. (Authenticator: A password paired with a user ID to grant access to a service. Authenticators are intended to prevent unauthorized visitors from accessing specific resources.)
  • Retaining: Where the SSN must be kept, additional security measures must be taken to ensure the SSN cannot be easily compromised. Please follow the UAB Information Security Policies and Guidelines. Refer to the Data Protection and Security Policy and Data Classification Rule for more information.

Options for Dealing with Social Security Numbers

How to find SSNs

Start by looking in the places or files most likely to contain SSNs. As you find them, either keep a list to deal with later or deal with them on the spot.

Use the regular search tool that comes with Windows or Mac to help find more SSNs. Be sure to search for files "Containing Text" and not just file names that match your search terms. Also, to save time, limit the search to the places you listed in the above step. Unfortunately, Windows and Mac search cannot find SSNs in files that do not include the search terms you use. Below are some search terms to try:

  • Social Security
  • SSN
  • last four

For an advanced approach, you can search for all of these at once by typing the following. (If using OR or AND, they must be in all capital letters to work correctly in Windows.)

"Social Security" OR SSN OR "last four"
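The keyword searches above miss files that hold an SSN but none of the search terms. As an added example (not part of the original guide and not a UAB tool), this Python script walks a folder, flags plain-text files that contain SSN-formatted numbers or the guide's keywords, and shows the replace-with-Xs redaction; the function names and the extension list are assumptions.

```python
import os
import re
import sys

# Assumed pattern: AAA-GG-SSSS with dashes, spaces or no separator. It skips
# numbers the SSA never issues (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(
    r"(?<![\d-])(?!000|666|9\d\d)(\d{3})([- ]?)(?!00)(\d{2})\2(?!0000)(\d{4})(?![\d-])"
)
# The guide's own search terms, kept as a second signal.
KEYWORDS = re.compile(r"social security|\bssn\b|last four", re.IGNORECASE)
# Assumption: plain-text formats only; Office and PDF files need a dedicated tool.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".htm", ".html", ".xml", ".json"}


def find_ssns(text):
    """Return SSN-formatted strings in text (bare 9-digit runs may be false positives)."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def redact(text):
    """Replace the digits of each SSN-formatted number with Xs, keeping separators."""
    return SSN_RE.sub(lambda m: re.sub(r"\d", "X", m.group(0)), text)


def scan_tree(root):
    """Map each file needing review to (ssn_count, keyword_found)."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: check it by hand
            count, keyword = len(find_ssns(text)), bool(KEYWORDS.search(text))
            if count or keyword:
                findings[path] = (count, keyword)
    return findings


if __name__ == "__main__":
    # Print paths and counts only, so the report itself holds no SSNs.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (count, keyword) in sorted(scan_tree(root).items()):
        print(f"{path}: {count} SSN-like value(s), keyword match: {keyword}")
    print(redact("Constructed sample: 123-45-6789"))  # Constructed sample: XXX-XX-XXXX
```

Run it with the folder to review as its only argument; files it lists still need a manual decision to remove, redact, replace or retain.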

Where to Look

The first task is to determine where to look. Where do you store documents or spreadsheets? What kind of files might have SSNs? Do you have any network folders or web sites that might contain SSNs? Even if you are fairly sure your documents do not contain SSNs, it's important to check. Here are some example places, but think about any places personal to you that may not be listed:

Types of Files
  • Word documents
  • Spreadsheets
  • Grade rolls
  • Student exams, papers, homework, etc.
  • Tax and financial forms
  • Archived e-mail
  • Database backup files
  • Website backup files

Locations to Search
  • My Documents folder
  • Backup or storage folders
  • Network drives or storage folders
  • Emails or listservs
  • Any websites, especially old versions, or files no longer in use.
  • Old CD backups of past works

Partial Social Security numbers

Although storing and processing partial SSN data (e.g. just the last four digits of an SSN) can reduce the risk of identity theft to an individual, residual risks remain where partial SSNs are used in conjunction with other identifying information such as address or birthplace.

Many laws and UAB policies still apply to instances where partial SSN data is stored, processed or transmitted. Consequently, partial SSN data are included in the scope of UAB's SSN elimination initiative.

SSN Removal from Paper Records

The focus of UAB SSN elimination has been placed on the removal of SSNs from information systems and business processes. Business processes that include the active use of SSNs in paper documents are therefore in the scope of the UAB SSN elimination efforts.

Archived paper records that are not currently used in a business process have been out of scope for these efforts, but it is the recommendation of the Office of Information Security to destroy or redact these documents if feasible (see Records Retention section above). If these documents do need to be retained without redaction, ensure that they are stored in a secure fashion.

Further Questions?

If you have any questions, first ask for advice from the IT staff in your department. If you or they still have questions, please feel free to contact the AskIT help desk. AskIT should be able to answer frequent questions, or refer you to the Office of Information Security if they cannot answer your question.