[ NEWS ]








By Susan Carroll
Arizona Daily Wildcat
March 23, 1998

Social Security number release 'probably' illegal, official says

University of Arizona officials released student and employee Social Security numbers to two companies in their zeal to set up the new CatCard system - a move that may have violated federal law.

University Attorney Michael Proctor said the UA is "not making excuses" for providing the personal data to Saguaro Credit Union and MCI Telecommunications Corp. and said it is likely the university violated state and federal law by releasing the information.

"More likely it is a violation than it is not a violation," Proctor said. "My sense is that it probably is a violation."

Terrence Bressi, a Lunar and Planetary Lab engineer, and physics senior Andrew Tubbiolo began looking into the matter after they called MCI regarding the calling card feature of the new CatCards and were asked to verify their Social Security numbers, Bressi said in a message distributed to some UA e-mail listservs Wednesday.

"Since I don't do business with MCI and I didn't release my SSN, I asked her (the MCI representative) how she got the information and she replied it was released by the university," Bressi's e-mail stated.

Damage-control hit a fever pitch Thursday when UA officials promised to retrieve the information. MCI is expected to delete Social Security numbers from their system today, and negotiations are underway with Saguaro Credit Union, Proctor said.

"Right now, I'm trying to stop the bleeding," he said, adding that he has not yet determined exactly how the information was released or if the release was legal.

"But basically, I think we blew it," Proctor said.

The Family Educational Rights and Privacy Act prohibits schools from releasing "personally identifiable information" without students' permission.

Proctor said the UA employees involved in releasing the information probably believed it was legal to release Social Security numbers to service providers.

"Clearly, releasing the records violated the spirit of the law," said journalism lecturer Jim Mitchell, who holds a law degree. "Someone in the university would have to be monumentally stupid to release records for commercial purposes."

Proctor said providing MCI and Saguaro Credit Union with the Social Security numbers may technically be legal if the businesses are considered agents of the university. There is a clause in FERPA that states government contractors keeping a "system of records" for the university may be considered employees.

But in his e-mail, Bressi wrote, "MCI and Saguaro Credit Union were contracted to provide long distance services and banking services, not to operate a system of records for the university."

Bressi said he plans to file complaints through several agencies, including the Arizona Board of Regents and the U.S. Department of Education.

Proctor said university officials may have released the records in an effort to make the implementation of CatCard features as seamless as possible - they were not given to the companies to foster solicitation.

"They (the companies) can't solicit. That would be a violation," Proctor said.

"How it happened doesn't matter. The issue is whether we should have or shouldn't have (released the information)," he said. "I think we took the high road here and got the data back."

"The law is confusing to begin with," Mitchell said. "I don't think it takes a rocket-scientist to realize you don't release Social Security numbers for commercial purposes."

Dick Roberts, the UA's chief budget officer, was unavailable for comment but told The Arizona Daily Star last week that MCI and Saguaro Credit Union pay the university to provide their services. Specific amounts however, he said, were unavailable.

The new CatCards will be activated today with an altered agreement from service providers. Students can now opt out of using their Social Security information and instead choose a randomly generated number.

Besides the calling card feature, the new CatCards can be linked to Saguaro Credit Union accounts, serve as identification, and provide access to meal plans and library and Student Recreation Center privileges for about 45,000 students, faculty and staff.

CatCard program director Liz Taylor refused comment Friday but was quoted in an e-mail from UA administrative associate Lisa Wakefield released the same day.

"The trust of employees and students is valuable to us," Taylor stated. "And we need to be straight with people about what happened, why it happened, and what we're doing to address it."

The CatCard was designed as a move away from using Social Security numbers as personal identifiers, Proctor said. The 16-digit number on the front is designed to protect private information, he said.

(LAST_STORY)  - (Wildcat Chat)  - (NEXT_STORY)