Forms can be used to collect all sorts of information about end users - even personal information that’s important to keep secured. It’s important not only to be aware of the features Forms Manager uses to keep information secure, but also to think about what sorts of information you request and store. Although it's easy to capture personal information such as a Social Security number (SSN), storing that data may expose your school to significant legal responsibilities and liabilities, depending on where it's located.
Data to and from Finalsite is protected by HTTPS encryption that is standard throughout the web. It is the best practice, however, for highly sensitive data such as credit card information, or personally identifiable information such as SSNs, to only move between end users and servers through dedicated connections with highly focused security measures. Finalsite follows this practice, for instance, when users pay for something via a form: They are routed from Finalsite via a highly secured connection to the system that processes the transaction; users are then routed back to Finalsite after the transaction completes.
Schools should use dedicated systems for any data that can be associated with individual users, such as financial information, admission information, and so on. Finalsite does not support the collection of personally identifiable or financial information via forms, even over a secure HTTPS connection.
It’s critical for schools to obtain accurate information from a local attorney about the restrictions and consequences associated with collecting and storing sensitive information. Higher education institutions in the United States are bound by regulations concerning data security in The Family Educational Rights and Privacy Act (FERPA); schools in other countries may operate under similar laws. Additionally, individual US states have their own laws concerning the collection of personally identifiable information.
Because these data-privacy regulations are not new, most schools already have the appropriate dedicated systems in place and simply need to make slight adjustments in their procedures to keep private information secure. If you collect SSNs on your admission applications, for instance, your Admission office should already have data-privacy procedures as part of their workflow. In that case, the best approach is to not complicate matters using the website. Keep your web forms free of sensitive information so that they're not subject to restrictive data-storage regulations. Use unique, random identifiers to track user files (don't track people through the admission process using their SSN as an identifier), and ask for that on web forms rather than SSNs whenever possible.