California SSN and Encryption

Jeremy Barker jeremy.barker at btinternet.com
Fri, 12 Jul 2002 19:59:26 +0000


Roland Perry wrote:

> In message <3.0.2.32.20020712064827.012e3d00@pop3.norton.antivirus>,
> Donald ramsbottom <donald@ramsbottom.co.uk> writes
> >The problem of identity theft via Social Security Numbers is getting so
> >bad that new laws are mandating encryption of transmission of numbers.
> >
> >"California Law Curbs Release of Social Security Numbers, Mandates Encryption
> >Aiming to curb the fast-rising rate of identity theft, a new California
> >law, effective July 1, requires Internet transmission of Social Security
> >numbers (SSNs) to be encrypted and bans private companies from disclosing
> >SSNs.   The law does not apply to state or local agencies.  Under the new
> >law, an individual may not be asked to transmit his or her SSN over the
> >Internet unless the connection is secure or the SSN is encrypted.
> >Moreover, individuals cannot be required to use their SSNs to access
> >Internet Web sites unless additional authentication (e.g., a password or
> >unique personal identification number) is also required for access.  The
> >California law also (i) bans the public posting or display of an
> >individual's SSN in any manner; (ii) bans printing an individual's SSN on
> >any identification card required to access products or services; and (iii)
> >bans printing an individual's SSN on any materials that are mailed to the
> >individual, unless otherwise required by law.
>
> Makes you wonder why anyone would ever think that just a SSN was an
> adequate proxy for a username and password, in the first place!
>
> UK DPA law would prevent companies from disclosing NI numbers [and it's
> bizarre that US State and local agencies are absolved from any duty of
> care in this respect].
>
> There's a strong impression amongst many UK institutions that it's
> illegal under UK law to use the NI numbers for any purpose other than
> gathering NI. For example, as a way to identify employees for more
> general (including IT related) purposes. Does anyone know if this is an
> urban myth?

There's no explicit law to that effect but I suppose you could argue that the Data
Protection Act should prevent use for illicit purposes.  In the past it is at
least rumoured that NI numbers have been used to index industry "blacklists" of
alleged "troublemakers".  IIRC these were said to be particularly widespread in
the offshore oil industry where people who had questioned safety claimed to
encounter serious problems finding work once they had disclosed their NI number to
a prospective employer.

Note that NI numbers are used for a lot of official purposes - Income Tax as well
as NI collection (although it is now the Inland Revenue that deals with both) and
all kinds of social security stuff.  They are also used for other things.  For
example, most legal aid forms have to include the client's NI number if they have
one - because of this, in the legal practice where I work, we routinely record
clients' NI numbers.

jb