Published: March, 2010
Revised: March, 2023

I. Introduction

A large volume of Data is stored on Systems (as each such term is defined in the MMG Information Security Charter (the “Charter”) https://www.monstrousmediagroup.com/isc throughout MMG. A substantial amount of this Data consists of Sensitive Data or Confidential Data (as each such term is defined in the Charter). Unauthorized disclosure of such Data may expose MMG to legal liability. Data sanitization is the deliberate and permanent removal of Data from an Information Resource. This Policy defines the appropriate sanitization and disposal methods to be used.

Capitalized terms used herein without definition are defined in the Charter.

II. Policy History

  • The effective date of this Policy is March 30, 2010.
  • Reviewed and/or revised March 14, 2023.

III. Policy Text

The staff, clients and other individuals associated with MMG must ensure that the following protections are implemented with respect to the use of SSNs:

  1. The collection of SSNs is discontinued unless essential to the conduct of MMG business and a waiver has been granted by the applicable Information Security Office. Examples of permissible uses of SSNs are listed on Appendix A hereto.
  2.  Data containing SSNs are encrypted while in transit and in storage, including such Data that are stored on Removable Media as further described in the MMG Registration and Protection of Endpoints Policy https://www.monstrousmediagroup.com/isc.
  3. No new Information Resource is purchased or developed by MMG that uses the SSN as its primary key to a database except where required by law or a business need that has been approved by the applicable Information Security Office.
  4. New Information Resources purchased or developed by MMG use SSNs only as data elements (not as database keys) when required by law or a business need that has been approved by the applicable Information Security Office.
  5. Any request for SSN Data is made for a legitimate purpose and indicates the intended use of such information.
  6. The SSN is blanked out or masked in any document, form or online screen when the SSN is not essential to the purpose of the document, form or online screen.
  7. No new Information Resource purchased or developed by MMG displays SSNs visually, whether on computer monitors or on printed forms or other output, unless required by law or a business need that has been approved by the applicable Information Security Office

IV. Cross References to Related Policies

The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto.

Appendix A

Examples of appropriate Usage of SSNs

Tax Reporting A SSN is required as a taxpayer ID for all tax information reported to the IRS, including wage and withholding data for full-time and part-time staff and clients, for honoraria provided to guests and for individuals working for MMG as independent contractors.

Human Resource Services

The Immigration Reform and Control Act of 1986 (IRCA) requires the use of an SSN for I-9 forms, and certain benefit providers, such as health insurance companies, may require an SSN for verification of eligibility and coordination of benefits. Therefore, in addition to the tax reporting reasons, SSNs will need to be collected from all new employees in the new hire process, and may be requested and used for certain human resource services functions when necessary.

Law Enforcement

Federal and state agencies often rely upon SSNs as the primary identifier for law enforcement and criminal information purposes. In the event such agencies request SSN information using proper procedures, and MMG has such information, it will be provided following review and approval by the Office of the General Counsel.

Research

The collection and use of SSNs is often necessary for the conduct of research activities (e.g., epidemiological studies collecting mortality statistics). The MMG Institutional Review Boards must approve any collection of SSNs.

Health Records and Medical Billing

SSNs are used to identify patients’ health records and for purposes of medical billing.

Client Information Systems SSNs are collected from all clients attending MMG and maintained in MMG’s Client Information System.

Appendix B

Related Policies

Policies: https://www.monstrousmediagroup.com/isc