Secure Online Data Collection Guidelines
When collecting data, especially on the web, it is important that you are aware of the policies and guidelines around the data you collect, how it’s used and how it’s protected. This is guided by federal and provincial privacy legislation including FIPPA, PHIPA and PIPEDA, which the University of Guelph is subject to.
There are 3 important steps that should be followed when collecting confidential or personal information (also referred to as “Personally Identifiable Information” or PII for short):
Step 1: If you are collecting data that would be considered sensitive/confidential i.e. Type 2 or Type 3 as defined in this University policy document, you must contact the University’s Privacy Officer (University Secretariat) for discussion and approval to collect the data you are seeking.
Step 2: If you are planning to store/collect/integrate with any data from institutional databases, such as from Student Information Systems, or the University Central Directory, you should ensure that you have received proper approval from the appropriate custodian of that data. For example, the Registrar’s approval would be required for information from Student Information Systems. An Information Sharing Agreement (email firstname.lastname@example.org with a request for the form) should be completed to seek approval, prior to setup.
Step 3: You should also contact the solution provider or developer of the data collection tool you will be using, in order to ensure proper configuration and security requirements as outlined by CCS Information Security.
Items to be considered such as:
- Sensitive data should be fully encrypted: https://www.uoguelph.ca/ccs/infosec/encryption_policy. CCS offers an encryption service.
- Email is not a secure method for transport of Personally Identifiable Information (PII).
- Data collection from human subjects used for research purposes requires Research Ethics Board approval.
- Some tools/applications may not be suitable for collection or storage of Type 2 or Type 3 data. Engage the CCS Information Security for assistance when selecting a tool that will store this type of data.
Protection of Personal Information
Be aware of the University’s obligations with respect to the collection and use of personal information: https://www.uoguelph.ca/secretariat/office-services/privacy-and-access-information
Please refer especially to the information included here: Protection of Personal Information:
If Personally Identifiable Information is being collected, responsible data management is required:
- Notice of collection is provided wherever personal information is collected, making clear the purpose of collection and uses of the information.
- Files are stored securely and access to them is limited to authorized persons. For more information about secure file storage, please contact CCS Information Security.
Information and Records Management
Please also refer to the records management information here: https://www.uoguelph.ca/secretariat/office-services-privacy-and-access-information/information-and-records-management
Your department/unit should have a records retention and disposition policy. If you do not have one, please contact the University’s Privacy Officer.
Tool/Software Specific Information
Drupal Content Management System
CCS Web & Development Solutions uses Drupal for website delivery on campus. The CCS supported Drupal environment is not appropriate for collection of Type 2 or Type3 data, as their current environment does not support data encryption at rest.
Qualtrics is the campus wide survey software in use at the University of Guelph and it meets all of the requirements for the storage of highly sensitive (Type 3) data. Read more: Qualtrics security info
Please review the following for proper configuration of the software for collection of data using Qualtrics for Research.
Written by: CCS Information Security, Applications and Project Management, and University Secretariat
Last Update: November 2016