Skip to main content

UINs to Become Directory Information

Effective January, 2012, Universal Idenfication Numbers (UINs) will no longer be classified as confidential information, but reclassified as public information.

History of UIN at TAMU

In 2000, UINs were first proposed as a replacement for using social security numbers (SSNs) as unique student identification numbers. Around that time, there was a rash of releases of SSNs and other confidential information at multiple universities across the United States. Concern over the security of confidential information received more attention.

UIN's were implemented for the first time in both the BPP and SIMS systems in 2003.

Almost immediately, UINs, which were ostensibly created for two reasons - to remove SSNs from general use as identifiers, and to create a publicly releasable identification number, became controversial and ultimately confidential. At the time, it was not clear whether UINs could be considered public information. In the absence of clear guidance, units took a variety of approaches. Some considered UINs confidential, while others didn't. Since the UIN was a number unique to TAMU, most units considered release of the information safe. It was common to release lists of grades with UINs identifying the students, and for service units to ask for UINs as a form of authentication to release information.

However, a ruling the from the Family Compliance Office, which first came to light in 2000, made it clear that under FERPA, UINs were considered confidential and must be protected.

"For the purposes of this section the term "directory information" relating to a student includes the following: the student's name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student... Additionally, we note that a social security number, or other identification number, is generally linked to significant amounts of other information about an individual. An individual's social security, or other identification, number is a private identification number, the disclosure of which is generally expected to be controlled by the individual. Therefore, the designation and disclosure of a student's social security, or other identification, number as "directory information" is not permitted under FERPA."

This led to several State of Texas guidelines which required entities like TAMU to report release of UINs as one would report the release of SSNs.

A conflation of information technology security policies during this time detailing procedures and protocols for the storage and transfer of confidential information also complicated the management of UINs for a variety of IT systems. Under the procedures, confidential data must be securely stored and encrypted while in motion or on mobile devices. For several years, IT operations had to scramble to become compliant with the new SAPs. This was complicated by the fact that sometimes IT was not aware in what resources UINs were located.

In 2009, TAMU Registrar Don Carter started the formal process of reclassifying UINs as public information. In 2010, Scott Kelly, General Counsel for TAMU, wrote a memo outlining the three conditions under which UIN would be considered public information:

  1. FERPA records could not be accessed by UIN alone, but could be used in conjunction with "other factors that authenticate the user's identity."
  2. The institution must take proper steps to designate and notify students about UINs being public information.
  3. A student could "opt out" of releasing their UIN under directory information. This is already an option for other types of directory information.

This memo cleared the way for UINs to be reclassified as public information. In 2011, Pierce Cantrell made a formal request of Karan Watson to take this action. This has led to an official reclassification of UINs as directory information, which will take place in January, 2012.

Why Make the Change?

There are several reasons why the Registrar and other units on campus wanted to change UINs to be classified as directory information:

  1. It would reduce the risk of releasing confidential information, and restore the original purpose for the creation of UINs.
  2. It would decrease the burden of IT procedures that are required when administering confidential information.
  3. It would allow staff and faculty to use UINs to identify students without fear of releasing confidential information. (The ability of a student to exclude UIN from directory information complicates this point.)

 What Does It Mean?

The most significant change for the Division of Student Affairs will be the restriction on using UINs as a sole data point to authenticate a student. UIN may still be used in conjunction with other confidential data to authenticate students. This would apply when releasing FERPA protected information to students.