Web Form Operating Procedure
Updated 7/18/2022
This Web Form Operating Procedure is an operating procedure attached to Section B of the Administrative Policy Regarding Web Publishing Policy Register 9-01.3.
Microsoft Forms and Qualtrics are the two types of form tools approved for use by ϳԹ because of their accessibility and security attributes. When selecting a tool, consider:
- Microsoft forms: For quick surveys, registrations, polls or quizzes. Microsoft forms are easy to use and integrate with Microsoft Teams and the university's Office 365 platform.
- Qualtrics: For research purposes or surveys and questionnaires that require logic, meaning a different set of questions can appear based on an answer to a specific question. The forms can collect data and allow for more in-depth analysis when compared to a Microsoft Form. Note: there is a higher learning curve when learning how to create a Qualtrics form.
Employees with access to Drupal, the ϳԹ content management system, are data stewards and need to realize that creating a form that requests private information comes with certain privacy standards. Any exceptions need approved by Information Services Vice President and the Division of University Communications and Marketing (UCM) Senior Vice President. Should you find yourself in the need to pursue this approval, please contact Lin Danes, director of web services in UCM, to have her triage and advance your request.
Digital Form Requirements
-
We recommend creating and storing forms using a department account or with an account co-owned with another employee to ensure the forms will be accessible, should the form creator change jobs or leave the university.
-
Because of the Family Educational Rights and Privacy Act (FERPA), ϳԹ policy 5-08.101 provides operational procedures for administering and maintaining student education records in compliance with the Family Educational Rights and Privacy Act of 1974 (FERPA). If you are creating a form that requires any identifiable student information you must be cognizant of FERPA regulations.
-
Social Security Numbers may not be collected via any form independently created by a department; rather they may only be collected using applications and for purposes that have been explicitly authorized by the Office of Security and Access Management and by the relevant Data Steward(s).
-
Any website that collects personally identifiable information via an approved form creator, including but not limited to ϳԹ Identification Numbers (Banner IDs), must be scanned regularly for vulnerabilities, and where feasible, reside behind a web application firewall.
-
According to Administrative Policy 7-01.2 Regarding Credit Card Security, the processing of credit cards may only be conducted using secure PCI DSS compliant university-approved electronic applications or devices. Confirmation of these is available upon request from the Bursar Office.
-
Payment Card Industry Compliance (PCI): According to ϳԹ's Administrative Policy 7-01.2 Regarding Credit Card Security, the processing of credit cards may only be conducted using secure PCI DSS compliant university-approved electronic applications or devices. Any ϳԹ department with a need to collect funds by accepting a credit card payment must begin the process by contacting the Bursar’s Office at cashier@kent.edu or 330-672-2757 to request access or equipment for processing credit cards, or before entering into any type of merchant credit card agreement.
-
Protected Health Information. The collection and storage of Protected Health Information may only be conducted using secure HIPAA compliant university-approved electronic applications or devices.
Viewing, Storing and Distributing Collected Data
-
Email triggers should not include any of the data described above.
-
Prior to creating a form using an approved form builder, and/or reviewing form results and/or sharing downloaded data with a ϳԹ colleague, individuals must review this Web Form Operating Procedure.
-
Downloaded data:
-
must be protected from public view.
-
must not be saved on a shared drive unless the file is password protected.
-
may only be stored on devices that are scanned regularly for vulnerabilities, and where feasible, reside behind a web application firewall.
-
may be printed, but must be protected from being exposed to external access.
-
that has been printed must be shredded when disposed.
-
For the Secured Use and Confidentiality of University Records and Data
All persons accessing ϳԹ institutional data hold a position of trust relative to student and University information in any form, and must recognize the responsibilities entrusted to them in preserving the security and confidentiality of this information. ϳԹ also recognizes its obligation to uphold student privacy rights under the Family Educational Rights and Privacy Act of 1974 (FERPA), the Gramm-LeachBliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Ohio Revised Code Section 102, and all other Federal and State laws and regulations governing the security and confidentiality of information used in our operations. Therefore, in this regard: I, the undersigned, acknowledge that I understand and accept the following statements:
-
I am familiar with the ϳԹ policies 5-08.101: Operational procedures and regulations regarding collection, retention and dissemination of information about students, and 5-08.102: Operational procedures and regulations regarding release of name and address listings, for administering and maintaining student education records.
-
I will use computing resources and data only for legitimate University business for which I am explicitly authorized; and I know that it is against University policy to peruse or use University records including, but not limited to, confidential information for my personal interest or advantage.
-
I will not exhibit or divulge the contents of any record (paper or electronic) to any person except in the conduct of their work assignment in accordance with University and office policies; I will not knowingly include or cause to be included in any records or report a false, inaccurate or misleading entry; I will not aid, abet, or act in conspiracy with another to violate any part of this agreement or the referenced Federal and State laws and regulations.
-
I will report security and privacy violations.
-
I understand that access to information will be granted only on a strict “need-to-know” basis, the determination of which will be made by the data stewards(s) in cooperation with the individual’s security administrator.
-
I understand that assigned computing system USERID(s) and associated password(s) are to be considered highly confidential and are not to be shared, communicated or made easily accessible to anyone.
-
I understand that violation of these statements may lead to reprimand, suspension, dismissal or other disciplinary action consistent with the general personnel policies of the University.
-
I understand that responsibility for confidentiality continues after I leave a position of affiliation with ϳԹ. Pursuant to the Ohio Revised Code, Chapter 102.03(B), I understand that disclosure of confidential information by present or former public officials or public employees may constitute a violation of state statute; conviction of which is a first-degree misdemeanor (up to six months imprisonment and/or $1000 fine).
Violations
Any ϳԹ-managed website, web application or web content that is identified as violating any Federal or State law or regulation, University policy or infringing upon the copyright or intellectual property of another party will be removed upon notification or discovery and/or possible disciplinary action of the individual(s) involved - up to and including termination of employment.