๐ A Quick Heads-Up on Social Security Numbers
We wanted to share a friendly reminder that’s been on our radar lately.
Procurement Services has noticed an uptick in documents being submitted โ attached to requisitions, uploaded into systems, sent over email โ that include full Social Security Numbers (SSNs). We know this is almost always unintentional, so we wanted to make it easy to know what to do going forward.
A Little Context
SSNs are among the most sensitive pieces of personal information out there. When they show up somewhere they shouldn’t โ an email, an attachment, a system upload โ it creates real risk for the individual involved and for the university. The good news: this is very easy to prevent once you know what to look for.
The Simple Guidance
Most procurement transactions don’t require an SSN at all. Before attaching or uploading any document that includes one โ in RealSource, Works, Chrome River, email, or anywhere else โ it’s worth a quick gut check:
Does this process actually need an SSN?
More often than not, it doesn’t. If you’re unsure, reach out to the relevant team before submitting and they can confirm.
A Better Path for One-Time Individual Payments
For a lot of payments to individuals โ honoraria, awards and prizes, stipends, research participant compensation โ there’s a way to skip SSN handling on your end entirely: Candex.
Candex is VCU’s secure third-party payment platform for one-time payees, accessible as a catalog in RealSource. Rather than collecting a W-9 from the recipient and routing it through email, attachments, or shared drives, the payee enters their own information โ including their SSN โ directly into Candex’s secure portal. The data gets where it needs to go without ever passing through a VCU inbox.
If you’re processing one of those payment types, it’s worth checking whether Candex fits before you start collecting paperwork. Less for you to handle, less for us to redact, and the recipient’s information stays better protected end-to-end.
If a Document Happens to Contain One
Sometimes you’re working with a form or record that includes an SSN and you need to submit it for another reason entirely. In that case, just redact the SSN before it goes anywhere.
A couple of things worth knowing about redaction:
- Placing a black box over text in a PDF doesn’t always remove the underlying data โ use your PDF editor’s actual redaction function (Adobe Acrobat has a dedicated “Redact” tool) or remove the field entirely
- A marker on a printed and scanned page may not hold up either โ the number can sometimes still be recovered
When in doubt, remove the SSN entirely if the document’s purpose doesn’t require it. Showing only the last 4 digits is fine when partial identification is genuinely needed.
What This Helps Avoid
Beyond the security piece, submissions with unredacted SSNs can result in delays or require resubmission โ so catching it upfront saves everyone time.
Questions? We’re Happy to Help
If you’re ever unsure whether an SSN is needed, how to redact properly, or which channel is appropriate for sensitive documents, just reach out to Procurement Services before submitting. We’d much rather answer a quick question than have to sort things out after the fact.
Thanks for helping keep our community’s information safe! ๐
Categories Procurement Services