This article covers best practices for collecting sensitive data with Finalsite Forms, including HTTPS encryption limitations and why Forms should not be used for HIPAA-covered or financial information.
đź’ˇQuick answers
- Is it safe to collect Social Security numbers through a Finalsite form? Collecting an SSN is technically possible, but storing that data may expose your school to significant legal liability, so it is best to avoid it and use a dedicated secure system instead.
- How does Finalsite protect data submitted through a form? Data to and from Finalsite is protected by standard HTTPS encryption, and highly sensitive transactions like credit card payments are routed through an additional dedicated secure connection.
- Are Finalsite forms HIPAA compliant? No; Finalsite forms are not HIPAA compliant and should never be used to collect health information, Social Security numbers, or banking information, even over a secure connection.
- What legal regulations apply to collecting personal data on school forms? US higher education institutions must comply with FERPA, individual states have their own personally identifiable information laws, and schools outside the US may have similar regulations, so it's best to consult a local attorney.
- What is a recommended alternative to collecting SSNs on a web form? Use a unique, random identifier to track user files instead of requesting a Social Security number, and route any sensitive admissions or financial data through a dedicated third party system.
Forms can be used to collect all sorts of information about end users - even personal information that’s important to keep secured. It’s important not only to be aware of the features Forms uses to keep information secure, but also to think about what sorts of information you request and store. This article will walk you through some best practices for how to follow best practices when collecting sensitive data with a form.Â
Not sure? Please review "Which forms module do I have: New Forms or Legacy Forms Manager?"Â
In this article
- Securing personal information
- HTTPS encryption and data protectionÂ
- Utilize third party systems
- Legal considerations and data privacy regulations
- More best practices for data privacy with forms
Securing personal information
Although it's easy to capture personal information such as a Social Security number (SSN), storing that data may expose your school to significant legal responsibilities and liabilities, depending on where it's located.
HTTPS encryption and data protectionÂ
Data to and from Finalsite is protected by standard HTTPS encryption. For highly sensitive data like credit card information or SSNs, it is best to use dedicated, secure connections. Finalsite ensures this by routing users through a highly secured connection for transactions, returning them to Finalsite once the process is complete.
Utilize third party systems
Schools should use dedicated systems for any data that can be associated with individual users, such as financial information, admission information, and so on. Finalsite does not support the collection of personally identifiable or financial information via forms, even over a secure HTTPS connection.
Forms are not HIPAA Compliant
Finalsite forms are not HIPAA compliant and should never be used to collect health information as well as SSNs or banking information. Even though the connection between the end user and the server is secured, storing such information after it has been collected may present serious issues.
Legal considerations and data privacy regulations
Here are some best practices and considerations to follow with regard to compliance with legal and data privacy regulations:Â
- Obtain accurate information from a local attorney about restrictions and consequences related to collecting and storing sensitive information.
- Higher education institutions in the United States must comply with data security regulations under The Family Educational Rights and Privacy Act (FERPA).
- Schools in other countries may operate under similar laws.
- Individual US states have their own laws regarding the collection of personally identifiable information.
More best practices for data privacy with forms
- Ask your administration for district and school data privacy policies. Most schools already have dedicated systems in place due to existing data-privacy regulations.
- Slight adjustments in procedures may be needed to keep private information secure.
- If collecting SSNs on admission applications, the Admission office should have data-privacy procedures as part of their workflow.
- Avoid complicating matters by not using the website for sensitive information.
- Keep web forms free of sensitive information to avoid restrictive data-storage regulations.
- Use unique, random identifiers to track user files instead of SSNs.
- Request unique identifiers on web forms rather than SSNs whenever possible.
Comments
Please Sign in to leave a comment if you don't see the comment box below.