NYCPHP Meetup

[inforequest]

Aaron Fischer agfische-at-email.smith.edu |nyphp dev/internal group use| 
wrote:

>I'm not sure if my description of shared hosting environment is accurate.
>
>I am with one department at a college.  There are a number of 
>departments who use the same web server.  The IT department maintains 
>the server and assigns permissions and directory access to the various 
>departments.  It is in that sense that I am in a shared environment.
>
>The SS# is not being used as a unique identifier.  It is part of the 
>information that a student can choose to fill in when they are applying 
>for admission to the college.  (It is not a required field.)
>
>Not sure what the sring is or how to keep the key offline, but those are 
>the types of issues I want to be researching.  The encryption part of 
>the application development won't start until at least next week.
>
>-Aaron
>
>  
>
Well, that could be even worse if you don't control the server and those 
who do have no accountability for what you do on that server.

 From the sound of things, you don't  need to collect SSN so why take 
that risk? As soon as it is entered, it becomes a liability (depends on 
what state you're in what the liability actually is).

It seems your college is actually rather porgressive in trying to 
protect student data and privacy: see 
http://64.233.161.104/search?q=cache:KoF0heipsy8J:searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1171482,00.html%3Fbucket%3DNEWS+%22smith+college%22+policies+on+social+security+numbers&hl=en&gl=us&ct=clnk&cd=3
"Added to the mix are.....<redacted>.... both small liberal arts womens' 
schools. According to Schneider, these two schools are interesting to 
the alliance because they have young, predominantly female student 
populations to lend diversity to the more technical campuses."

there is also a privacy policy online that seems to suggest info is to 
be safeguarded, although by a very quick read it was not a very 
pro-student policy IMHO.
http://www.*******.edu/sao/handbook/policies/privacyofrecords.php

It may be that someone added that field as optional and 
just-in-case-it-might-be-useful so if you can find any policy at all 
that questions it, it might disappear from the specifications. Is the 
university involved in research grants from the government? If yes, it 
may be a covered entity under HIPAA, which regulates the use and storage 
of ss#. Maybe check your university IT policies on SS# just enough to 
find a need for clarification, to make the issue go away for a while?

Best of luck passing the buck.

-- 
-------------------------------------------------------------
"If you think this stuff is confusing, you should try optimizing websites for search engine exposure."  john andrews SEO http://www.johnon.com