Forms & Data Collection (Data Privacy)
An online web form can help your website visitors get in contact with you, send you questions or feedback, request your services, and even help you conduct your day-to-day business. However, when the information you collect accidentally gets into the wrong hands, bad things can happen. If you collect data from your website visitors, you have an obligation to protect the privacy of that data. Data privacy relates to how data should be collected, stored, managed and shared, to ensure it's protection from people looking to exploit it.
Data breaches continue to expose the personal data of millions of people across the globe. In 2020 alone, there were 1001 data breaches, effecting over 155.8 million individuals1. That's why it's important that you understand how to keep your users' information safe, and the university's reputation untarnished.
1. Establish trust
- When you ask your users to give you information about themselves, they need to trust
that you will handle that information in a safe and secure manner. There are several
things you can do to establish your trustworthiness.
- Brand recognition: It's important that your users recognize your form as part of your organization. The look and feel of your web form should be consistent with the rest of your website, which should be consistent with the University's brand.
- Contact information: In case something goes awry with the functioning of your form, it's best to give users contact information that they can use if they get stuck, rather than spin their wheels and get very frustrated with you. If your website complies with the University's world wide web policy, you should already have this on every page of your site.
- Privacy statement: A privacy statement or policy tells your users how you will use their information.
Make sure you understand, abide by, and provide a link to the University's privacy statement. If your website complies with the University's world wide web policy, you should already have this on every page of your site.
- If what you want to do with the data conflicts with the University's privacy statement, you may have to consult with the Office of General Counsel to create your own.
2. Encrpyt the data
- Encrpytion is the process of making data unreadable to anyone other than the intended receipient. You can make this happen by using a security certificate (also known as an SSL certificate, a TLS certificate, or an HTTPS certificate), and serving your web form over the HTTPS protocol rather than the HTTP protocol.
- Your users will be able to detect this happening by looking at the web location bar
in their browser and seeing "https://" in the url, as well as a padlock next to the
- Please note if your website is hosted with any of the 3 central web teams - UIT, UMC or UHealth - or with UIT's Software Platform Services team, this will happen automatically.
- Also be mindful of the data you send in any email notifications.
3. Only collect what you need
- Only collect and handle data that you know will be used and is absolutely needed.
4. Limit access
- Use the principle of least privilege to ensure that users can access only the data they need to do their jobs, and only for as long as they need it.
4. Use University authentication/single sign-on (SSO)
- If possible, put your form behind campus uNID and password authentication to add an extra layer of security.
5. Know your data types and how to handle them
- The following are the types of data that are commonly considered sensitive:
- Personally identifiable information (PII) — Data that can be used to identify, contact or locate an individual or distinguish
one person from another.
- Includes the following standalone information:
- Full Social Security Number (SSN)
- Driver's license or State ID number
- Passport number
- Visa number
- Also includes full name in combination with:
- Mother's maiden name
- Date of birth
- Last 4 digits of SSN
- Citizenship or immigration status
- Ethnic or religious affiliation
- Includes the following standalone information:
- Personal health information (PHI) - Medical history, insurance information and other private data that is collected by healthcare providers and could be linked to a certain person.
- Personally identifiable financial information (PIFI) - Credit card numbers, bank account details or any other data concerning a person’s finances.
- Student records - An individual’s grades, transcripts, class schedule, billing details and other educational records.
- Personally identifiable information (PII) — Data that can be used to identify, contact or locate an individual or distinguish one person from another.
- Sensitive data should be encrypted in transit and at rest, stored on a secured server, and only accessed by those with a legitimate business need .
6. Know your data protection and privacy regulations
- The following are some applicable data privacy laws that you'll want to be aware of:
- Family Educational Rights and Privacy Act (FERPA) - Protects students’ personal information.
- Health Insurance Portability and Accountability Act (HIPAA) - Protects personal health information (PHI).
- Children’s Online Privacy Protection Act (COPPA) - Protects children’s privacy by allowing parents to control what information is collected.
- General Data Protection Regulation (GDPR) - Governs the collection, use, transmission, and security of data collected from residents of any of the 28 member countries of the European Union.
- California Consumer Privacy Act (CCPA) - Governs privacy rights and consumer protection for residents of California.
- DO NOT under any circumstances collect credit card numbers. "UPAY" is the University's payment processing solution which is the only official, approved method that the University supports for accepting credit card payments.
- Avoid collecting social security numbers, drivers license numbers and passport numbers, or any PII (defined above).