An audit reveals
Valencia College had been storing Social Security numbers of applicants and students indefinitely and giving employees unnecessary access to that data.
Valencia College employees had unnecessary access to Social Security numbers for more than a million current, former and prospective students, increasing the risk of unauthorized disclosure or fraud, the Florida Auditor General found.
The report questioned Valencia’s need to keep data for people who no longer attend the college or never enrolled there. Besides data for 156,336 current students, Valencia has Social Security numbers on file for 887,951 former and 118,501 prospective students, according to the report released earlier this month. The auditor urged the college to specify a “public purpose” for keeping this information indefinitely and cease the practice if there isn’t one.
The Auditor General’s office monitors state institutions, including colleges and universities, and the Valencia report was the result of a routine check.
There’s no evidence anyone’s information was used improperly, said Linda Shrieves Beaty, a spokeswoman for the college.
Besides keeping large numbers of Social Security numbers on file, the auditor found, too many employees had access to them. The auditor selected 21 Valencia employees with access to students’ Social Security numbers and found five of them no longer needed it because their roles had changed. Also, the college didn’t provide evidence that 15 of the other 16 employees needed access to former or prospective students’ Social Security numbers, according to the report.
In response, Valencia is reducing the number of employees who have access to student data by ending access for people who no longer need it because they’ve moved to different roles or departments, Shrieves Beaty said, but the college needs to retain data for students who’ve applied or who no longer attend because many who attend are “transient.” Students might apply but not actually sign up for class for a couple of years or take semesters off.
“By keeping those applications on file and hence their Social Security numbers, we save them the cost of getting those transcripts again, getting those test scores again,” she said.
The Auditor General’s office does not tell college leaders how long they should keep data, and it’s up to the institutions to protect their students’ Social Security numbers, audit manager Jaime Hoelscher said.
“However, the longer student information is maintained without a documented public purpose, the greater the risk that sensitive personal information may be used to commit a fraud against college students or others,” Hoelscher wrote in an email.
Other colleges and universities have been the targets of