Academic journal article
By Eveland, Sue
College and University , Vol. 80, No. 4
With all the recent headlines about security breaches and information loss at financial and educational institutions, the higher education community needs to address the issue of using social security numbers as ID numbers. The University of Oregon undertook a change process to assign generated ID numbers to all records in their information system. This article describes the decision and implementation processes used at UO, the timelines required to make the change, as well as the unique issues that arose during the changeover.
There can be no dispute that it is time for colleges and universities to stop using student social security numbers (SSN) as ID numbers. Even in states that have not enacted laws to prohibit this practice, it is clear that the risk of identity theft and the vulnerability of data systems dictate that institutions of higher education address the need for change in this area. Over the past years, breaches in computer systems, both within higher education and in the financial world, have kept the topic in the headlines and further support the need for the higher education community to address the problem. While it is appropriate and even required that colleges and universities collect the SSN for several reasons (e.g., federal financial aid and payroll), it is no longer acceptable practice to use the SSN as an ID number. So, how can colleges and universities undertake a successful conversion process?
At the University of Oregon (UO), an integrated computer system (Banner) has been in place since 1989. Students, faculty, staff, vendors, visitors, and others have all had records created in the system keyed to an ID number; and until 2002, typically that number was the SSN. Concern about this practice had bubbled to the surface occasionally over the past dozen years; students and staff who wanted to use an ID number other than their SSN were afforded the opportunity, but only if they asked. Over time, and with the growing number of stories about identity theft and about serious security breaches among institutions of higher education, the Banner Coordinating Group (BCG) on the UO campus decided to put together a task force to investigate the benefits and challenges of implementing the use of generated ID numbers at UO. The task force was led by the Computing Center and originally included representation from Student Financial Aid, Admissions, Registrar's Office, Payroll, Human Resources, ID Card Office, Business Office, and the Library.
The task force came together in November 2001 to look at the feasibility and desirability of change and quickly concluded that the change should be implemented; only the question of resources would dictate how and how quickly the changeover could be accomplished. Key to changing the ID numbers of students, faculty, and staff was also changing their UO ID cards at the same time, as a myriad of UO business processes were tied to the ID number via the ID card (meal plans for students, card-entry access to buildings, library check-out systems, recreation center admittance, and timecard systems for some student jobs, to name just a handful). One concern was that aging ID card equipment could not handle the volume of recarding the entire university all at once; there could be disruption of services to students and faculty alike, and negative goodwill ramifications. Cost estimates for a one-time conversion came in at $90,000. Due to these concerns, a strategy for a phased changeover was recommended. Here's what happened next.
Gaining Necessary Approvals
In mid-November 2001, the task force presented its report and proposal to begin a phased conversion to the BCG. BCG members asked for additional information about why UO could not implement a one-time change. The task force went back to the drawing board, did more investigation, contacted institutions that had managed an all-at-once conversion, recalculated the costs for a one-time process, and returned to the BCG in mid-December 2001 with the same phase-in recommendation. …