Privacy/Security - Deciding what to collect (WCMS 2)
Deciding what to collect on a Web form
Information security
The University of Waterloo collects personal information in accordance with its policies and the rules set out under the Freedom of Information and Protection of Privacy Act (FIPPA). Form creators should consider the following when creating forms:
Employees should collect and maintain only the specific information required for the purpose of admission, registration, or other fundamental activities related to being a member of the University community and attending the University of Waterloo.
Forms and relevant documentation should identify the purpose of the collection of information, and how the information will be used.
Forms should identify a contact person who can answer questions about the collection of information on the form.
The University’s Policy 46: Information Security describes the University’s security classification scheme and outlines the responsibilities members of the University community have with respect to information security. Key points:
Information at UWaterloo is either Confidential or Public. Confidential information includes:
Restricted information
A subset of Confidential information where the protection of such information is required by law or regulation, or the university is required to provide notice to an individual or some authority if information is inappropriately used. The strength of security controls for information classified as Restricted will normally exceed those for information classified as Confidential.
Highly restricted information
Highly Restricted information is the subset of Restricted information that presents a higher risk to the University if compromised, and is therefore subject to heightened security measures for its protection and restrictions on its use. Examples of highly restricted information include University records containing information commonly used to perpetrate identity theft, such as Social Insurance Numbers or bank account numbers.
The Information Security Officer maintains a directory of the types of highly restricted information in the custody or under the control of the University, and assists Information Stewards and Custodians in developing and implementing the heightened security measures required for managing this information. Form creators are advised to contact the Information Security Services group of IST for assistance with collecting Highly Restricted Information.
Security breach
There are requirements in the event of an information security breach. See UWaterloo’s Information Security Breach Response Procedure for more information.
Retaining information
All data collected on forms (exported or not), should be retained no longer than is allowed in the University's Records Retention Schedules. These are a work in progress, so a schedule may not exist yet for a particular record type. In those cases, best practice dictates that information should be retained for only one year after last use.
Research
If the information that will be collected on the form is related to research, comply with any requirements of the Office of Research Ethics.
More information
Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA)
Ontario’s Personal Health Information Protection Act (PHIPA)
E-commerce and the web
All web-based credit card payments or other financial transactions (e-commerce) must be done through Bambora, a service provider under contract with UWaterloo. Web form does not support Bambora. Web forms requiring payment cannot be made in the WCMS for the time being. Arrangements for e-commerce sites must be made through Finance. See the Statement on Electronic Business from Secretariat & Office of General Council.
Please be aware that for those websites that are accepting payments, i.e. credit card payments, on any University of Waterloo website must follow the guidelines below. The University has a preferred vendor agreement with Bambora and is the only permissible gateway on campus.
Anti-spam legislation
If you are requesting consent to subscribe to a marketing email list, note that you cannot default the checkbox to ‘Yes’ (users must take the action of expressing consent). Keep a record of who gave consent in case you are ever asked to prove that consent has been received. And remember that, while express consent lasts forever, subscribers must be given a clear option to unsubscribe. For more information, read Are your e-promotions ready for the new anti-spam law?, or contact the Secretariat & Office of General Counsel, if further information is necessary.