Webform Security Considerations


OVERVIEW

This article contains important information about data security and the use of webforms. 

Target audience: McGill Web site managers



Data Privacy and Security 

Site managers have a responsibility to protect the user data that they collect via forms on WMS sites. In particular, Personal Information (PI) and Personal Health Information (PHI) can only be collected under circumstances that adhere to government privacy regulations. Payment Card Industry (PCI) data (for example, anything involving credit or bank cards) cannot be collected under any circumstances. 

On McGill websites, Personal Information (PI) can only be collected using Microsoft Forms. Exception: the file upload component in Microsoft Forms is currently available only on forms that require authentication, so a form that collects PI or PHI (with consent) from the public cannot include attached files. In that case a WMS Webform may be used, on the condition that each submission is emailed to a McGill email address and expired from the database immediately.

PI includes information that is unique to the person. Examples include:

  • numbers such as a SIN or driver's license number
  • a person's citizenship or immigration status
  • McGill ID, which is considered PI (PII); however, on an authenticated webform it can be captured as a token inserted into the form.

Personal Health Information (PHI) includes any information related to a person's health, and can only be collected with consent, using Microsoft Forms. To gather consent, the form must include a checkbox with a message that has been approved by legal services. If you are part of a unit or department that regularly collects health information, check to see if a standard message exists.


Authentication of webforms

In most cases, webforms should require users to sign in (authenticate). Restrict the form by unchecking "anonymous user" in the Submission Access settings and selecting only the role(s) that should be allowed to submit the form. Note: the role "authenticated user" includes anyone with McGill credentials; where appropriate, a more targeted role such as "McGill Staff and Faculty" can be chosen instead.


Emailing webform responses

The Email feature sends an email to one or more individuals when the form is submitted. Webform contents can be sent to McGill email addresses only.

  • Only shared mailboxes should be used to collect form submissions, to minimize the risk to McGill’s data, systems, and community. 
  • Avoid sending emails from anonymous (unauthenticated) forms: a form that sends a confirmation notice to an address the visitor supplies can be abused by spammers to deliver mail of their choosing. If your form must allow access by anonymous users for business reasons:
    • Confirmation messages sent to user-supplied email addresses must contain only a fixed message from the email template and never any content supplied by the site visitor.
  • Forms set up to require authentication with McGill credentials provide a measure of protection by ensuring that the person filling the form is not anonymous. To restrict access to authenticated users, see SUBMISSION ACCESS in the Create a Webform article.
  • Files uploaded through webforms: the File component lets anyone who can submit the form place files on the site, so spammers can use it to upload files with malicious content. Because uploaded files might contain viruses, users should scan files before opening or redistributing them.
    • All files uploaded through a webform are put into a private directory, accessible only to site managers and site reviewers. The form can also be configured to email files as attachments with submission results to a McGill email address.
    • What this means:
      • Anonymous users will NOT be able to access files that were uploaded to the site through a webform.
      • Site Managers are responsible for managing the private files on their site; they may review, delete, or download them as needed.
      • To make such a file public within the WMS, a Site Manager must first download it from the private directory and then upload it as a new file in a public location, such as a web page, where it can be inserted.
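The rules above about email recipients and confirmation notices can be turned into checks. The following is an added illustrative example, not WMS or Drupal Webform code: it represents a form's email settings as a plain dict (the field names `anonymous_allowed`, `email_recipients` and `confirmation`, and the bracketed token syntax such as `[submission:values:message]`, are assumptions made for the example), flags recipients outside mcgill.ca and confirmation emails that reflect visitor-supplied values, and renders a confirmation that substitutes only site-controlled tokens. The sample form at the bottom is constructed for the example.

```python
"""Policy checks for a webform's email settings (added example, not WMS code)."""
import re

ALLOWED_DOMAIN = "mcgill.ca"  # results may be emailed to McGill addresses only

# A single well-formed address; \s excludes CR/LF, so an address carrying
# injected mail headers does not match.
ADDR_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")

# Assumed token syntax for inserting values into an email template,
# e.g. "[submission:values:message]". The real WMS token format is not shown on the page.
TOKEN_RE = re.compile(r"\[([a-z_:-]+)\]")
VISITOR_PREFIX = "submission:values:"          # tokens that carry visitor-supplied content
FIXED_TOKENS = {"webform:title", "submission:sid"}  # site-controlled tokens (assumed names)


def is_mcgill_address(addr: str) -> bool:
    """True only for a well-formed address at mcgill.ca or one of its subdomains."""
    if not ADDR_RE.match(addr):
        return False
    domain = addr.rsplit("@", 1)[1].lower()
    return domain == ALLOWED_DOMAIN or domain.endswith("." + ALLOWED_DOMAIN)


def visitor_tokens(template: str) -> list[str]:
    """Tokens in a template that would reflect what the visitor typed."""
    return [t for t in TOKEN_RE.findall(template) if t.startswith(VISITOR_PREFIX)]


def check_email_settings(form: dict) -> list[str]:
    """Return a list of policy findings for the form's email configuration."""
    findings = []
    for addr in form.get("email_recipients", []):
        if not is_mcgill_address(addr):
            findings.append(f"results recipient {addr!r} is not a McGill address")
    conf = form.get("confirmation")
    if conf and form.get("anonymous_allowed"):
        findings.append("anonymous form sends a confirmation email to a visitor-supplied address")
        reflected = visitor_tokens(conf["subject"] + " " + conf["body"])
        if reflected:
            findings.append("confirmation reflects submitted values: " + ", ".join(reflected))
    return findings


def render_confirmation(template: str, recipient: str, context: dict) -> str:
    """Render the message sent to the visitor.

    Only tokens in FIXED_TOKENS are substituted; any visitor-supplied token
    (or unknown token) is refused, so the body is fixed text from the template.
    """
    if not ADDR_RE.match(recipient):
        raise ValueError("recipient is not a single well-formed address")

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in FIXED_TOKENS:
            raise ValueError(f"token [{name}] is not allowed in a confirmation message")
        return str(context[name])

    return TOKEN_RE.sub(substitute, template)


# Constructed example configuration that breaks every rule at once.
SAMPLE_FORM = {
    "anonymous_allowed": True,
    "email_recipients": ["events.unit@mcgill.ca", "someone@gmail.com"],
    "confirmation": {
        "subject": "Thanks, [submission:values:name]",
        "body": "We received: [submission:values:message]",
    },
}

if __name__ == "__main__":
    for finding in check_email_settings(SAMPLE_FORM):
        print("FINDING:", finding)
    print(render_confirmation("[webform:title]: submission [submission:sid] received",
                              "visitor@example.com",
                              {"webform:title": "Event registration", "submission:sid": 42}))
```

The domain check compares the whole domain rather than searching for "mcgill.ca" as a substring, so an address at a look-alike domain such as `mcgill.ca.example.com` is rejected.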


Storage of webform results

To reduce the risks associated with collecting and storing certain types of sensitive data, webform submissions expire automatically 40 days after the time of submission. Site managers therefore need to download results regularly and manage the data outside the WMS, and must take the expiry into account for some configuration options (e.g., submission limits) on forms that remain active longer than 40 days.

Please see Viewing and downloading results of webform submissions in the WMS for instructions on how to download your form results and how to set a shorter retention period, including immediate expiration in the case of the collection of PII or PHI (with consent) from the public.
