To: Gary Rogers, Chief Financial Officer Sylvia Davis, Vice President for Administration and Finance From: Louis Gross, President, UTK Faculty Senate Re: Privacy and Social Security Number Matters at UT Date: February 23, 2007 cc: Rhynette Hurd, Chair, Academic Affairs and Student Life Committee, UT Board of Trustees Robert Levy, Vice President for Academic Affairs & Student Success John Schommer, Faculty Senate President, UTM Gavin Townsend, Faculty Senate President, UTC George Cook, Faculty Senate President, UTHSC Loren Crabtree, Chancellor, UTK John Petersen, President, UT Members, Academic Affairs and Student Life Committee, UT Board of Trustees I am attaching a copy of a resolution passed by the UTK Faculty Senate at its February 5 meeting regarding the use of Social Security numbers. This resolution calls for UT to have a written policy stating the appropriate use of Social Security numbers, as well as a stated policy on encryption methods to be applied when legitimate use of these numbers is specified in the policy. In a letter to the Senate, Joel Reeves of UT's Office of Information Technology both supported the spirit of the resolution and noted that a written policy has been under development for some time, led by Assistant Vice President Les Mathews. The UTK Senate Information Technology Committee had also been informed that consultants have made presentations to President Petersen regarding security matters and suggested methods to reduce the risk of security breaches and to manage identities within UT's data systems. Data and identity security matters are of great concern to the faculty across the UT System, as noted in correspondence of the various campus Faculty Senate Presidents following the July 06 announcement of a breach. The Academic Affairs and Student Life Committee of the Board of Trustees is meeting March 7 in conjunction with the next Board Meeting. On the agenda of this meeting is an update on the Student Information System to be implemented across the UT System. Written, UT Board-accepted policies regarding identity security and encryption methods are rationally a necessary step before any detailed consideration of implementation of a Student Information System should occur. This is to encourage you therefore to provide to the the AASL Committee before its meeting on March 7: (1) the policies that are intended to be implemented regarding acceptable use of private information such as Social Security numbers; (2) the policies that are intended to be implemented regarding encryption of private data and privileged access to encrypted private information across the UT System; and (3) a timeline and implementation plan for these policies across the UT System. Thank you for your consideration of this request. Sincerely, Louis J. Gross Professor of Ecology and Evolutionary Biology and Mathematics Director, The Institute for Environmental Modeling University of Tennessee - Knoxville President, UTK Faculty Senate Past-President, Society for Mathematical Biology (www.smb.org)