SSN Protections Act 805

In Michigan, the Social Security Number Privacy Act (Act 454 of 2004) was signed into law in December of 2004 as a means of protecting individuals from identity theft. The purpose of this act is to require companies to put protections and limits on access to social security numbers (SSNs) obtained in the course of doing business. Since this is a human resource article, I am going to focus on the SSNs that may be obtained through the employment relationship. Many businesses may obtain SSNs from clients and/or vendors and should therefore apply this law to these other aspects of their business.

To comply, you must consider all the places you may have a record with a social security number.

1) Employment application: Most employment applications request the applicant’s social security number. You don’t really need to have the number until after hire (unless you are doing a credit or criminal check). Just stop requesting the SSN when an individual applies. Revise your employment application to remove the SSN request. You will still need to deal with the applications you may have on file that have the SSN. This is information that, as of January 1, 2006, must be protected. You are required to keep employment applications for at least one year, so anything older than one year should be shredded; the rest should be locked with access limited.
2) I-9 forms: All new employees must complete an I-9 form to prove eligibility to work in this country. Part of this evidence is often the social security card. Employers tend to take a photocopy of the card and the employee’s driver’s license, two documents involved in identity theft. This is information that employers must retain for a minimum of three years. Make sure all I-9 records are locked. After the three years, shred them. You should only touch an I-9 record twice: when you file it and when you shred it.
3) Pay Checks: Again, many companies publish the social security number somewhere on the pay stubs. If you don’t need to include it, just remove it. If you must have it, you can only print the last four numbers. If you use the employee’s SSN for the employee’s identification number, consider changing your system. An important aspect of the law has to do with mailing documents with SSNs. If you mail a pay check or direct deposit statement, only the last four numbers of the SSN can be published.
4) Payroll Records: I am confident your payroll records, reports, W-4, etc., will have SSNs published; it is unavoidable. This means that you absolutely need to keep these records locked and limit access.
5) Personnel files: I see a lot of file systems where a great deal of information related to the employee is written on the jacket cover, including the social security number. I strongly discourage the use of these types of jackets for a number of reasons, but with this law, I have another reason. If you like them, just make sure you do not have the SSN easily accessible on the jacket. If you do, get out your Sharpie and black it out.
6) Employee records: These records include the personnel file, but also the benefit file and payroll file, all of which are chock-full of SSNs. Treat these files with care. Keep them locked and limit access.
7) Review all other ways you may retain information that has an SSN published. For example, identification cards may use the SSN and you will need to change those as well.

Finally, you must write and publish, in an employee handbook, procedure manual or similar document, a privacy policy that: (1) ensures practical confidentiality of SSNs, (2) prohibits unlawful disclosure of SSNs by employees, (3) limits access to information that may contain SSNs, (4) advises the manner in which documents with SSNs are disposed of, and (5) advises employees of the potential penalties for a violation of this policy.

More information is available regarding the act on under Social Security Number Privacy Act (Act 454 of 2004).