Areas Processing Financial Data
Social Security numbers and bank account numbers may have been collected by DLCs in the past for processing reimbursements, time cards, contractor purchase orders or other financial transactions. Once submitted to the proper office for processing, local copies must be redacted to prevent a data breach. Some items may also be securely destroyed after a period of time.
Items To Be Redacted
On forms which require SSN for processing, redact the information on your local copy before filing or scanning (see tips on redaction). Such forms might include:
- Independent Contractor Purchase Order or other vendor paperwork (which may include SSN)
- Request for Payments and travel reimbursements – look at both the request itself (SSN may be a required field), as well as backup documents which may include personal credit card statements, receipts with full credit card number, bank statements or cancelled checks. PIRN on backup documents should be redacted before submitting.
- Any Human Subject payment paperwork (SSN may be required for Accounts Payable, but is not needed for the DLC files)
- Any personal checks (payments, donations, etc.) – the bank routing number should be redacted from the file copy.
Items To Be Securely Deleted
DLCs are not expected to keep the following old files (you may securely destroy or delete these items):
- Old time cards, time reports, and/or vacation reports that may have SSN
- MIT Affiliate Card requests prior to 7/1/07, where SSN was filled in
- Files related to Voucher payroll employees (e.g., I-9s, time sheets with SSN)
- Excel files with employee SSN, e.g. pre-2004 merit review files, when Employee ID (EE ID) was SSN, including downloads from the Data Warehouse prior to 4/1/08 which may have SSN.
- Databases (FileMaker, Access or other types) with employee or affiliate PIRN.