Web Form Operating Procedure | Kent State University

Web Form Operating Procedure

This Web Form Operating Procedure is an operating procedure attached to Section B of the Administrative Policy Regarding Web Publishing, Policy Register 9-01.3.

After extensive research, Qualtrics became the web presence group’s approved form tool in November 2015 because of its accessibility and security attributes. Online forms should not be built using any technology except for Qualtrics.

Employees with access to Drupal, the Kent State content management system, are data stewards and need to be informed that creating a form that requests private information comes with certain privacy standards. Any exceptions need to be approved by the Information Services Vice President and the University Relations Senior Vice President.

Digital Form Requirements

  • Social Security Numbers may not be collected via a Qualtrics form; rather, they may only be collected using applications and for purposes that have been explicitly authorized by the Office of Security and Access Management and by the relevant Data Steward(s).

  • Any website that collects personally identifiable information via a Qualtrics form, including but not limited to Kent State Identification Numbers (Banner IDs), must be scanned regularly for vulnerabilities and, where feasible, reside behind a web application firewall.

  • According to Administrative Policy 7-01.2 Regarding Credit Card Security, the processing of credit cards may only be conducted using secure PCI DSS compliant university-approved electronic applications or devices. Confirmation of these is available upon request from the Bursar Office.

  • The electronic storage of credit card information on Kent State University devices or systems is never permissible.

  • Protected Health Information. The collection and storage of Protected Health Information may only be conducted using secure HIPAA compliant university-approved electronic applications or devices.

Viewing, Storing and Distributing Collected Data

  • Email triggers should not include any of the data described above.

  • Qualtrics forms, form results and/or downloaded data should only be distributed to or shared with Kent State Drupal editors who have reviewed this Web Form Operating Procedure.

  • Downloaded data:

    • must be protected from public view.

    • must not be saved on a shared drive unless the file is password protected.

    • may only be stored on devices that are scanned regularly for vulnerabilities and, where feasible, reside behind a web application firewall.

    • may be printed, but must be protected from being exposed to external access.

    • that has been printed must be shredded when disposed of.

For the Secured Use and Confidentiality of University Records and Data

All persons accessing Kent State University institutional data hold a position of trust relative to student and University information in any form, and must recognize the responsibilities entrusted to them in preserving the security and confidentiality of this information. Kent State University also recognizes its obligation to uphold student privacy rights under the Family Educational Rights and Privacy Act of 1974 (FERPA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Ohio Revised Code Section 102, and all other Federal and State laws and regulations governing the security and confidentiality of information used in our operations. Therefore, in this regard: I, the undersigned, acknowledge that I understand and accept the following statements:

  • I am familiar with the Kent State University policies 5-08.101: Operational procedures and regulations regarding collection, retention and dissemination of information about students, and 5-08.102: Operational procedures and regulations regarding release of name and address listings, for administering and maintaining student education records.

  • I will use computing resources and data only for legitimate University business for which I am explicitly authorized; and I know that it is against University policy to peruse or use University records including, but not limited to, confidential information for my personal interest or advantage.

  • I will not exhibit or divulge the contents of any record (paper or electronic) to any person except in the conduct of their work assignment in accordance with University and office policies; I will not knowingly include or cause to be included in any records or report a false, inaccurate or misleading entry; I will not aid, abet, or act in conspiracy with another to violate any part of this agreement or the referenced Federal and State laws and regulations.  

  • I will report security and privacy violations.  

  • I understand that access to information will be granted only on a strict “need-to-know” basis, the determination of which will be made by the data steward(s) in cooperation with the individual’s security administrator.

  • I understand that assigned computing system USERID(s) and associated password(s) are to be considered highly confidential and are not to be shared, communicated or made easily accessible to anyone.  

  • I understand that violation of these statements may lead to reprimand, suspension, dismissal or other disciplinary action consistent with the general personnel policies of the University.

  • I understand that responsibility for confidentiality continues after I leave a position of affiliation with Kent State University. Pursuant to the Ohio Revised Code, Chapter 102.03(B), I understand that disclosure of confidential information by present or former public officials or public employees may constitute a violation of state statute; conviction of which is a first-degree misdemeanor (up to six months imprisonment and/or $1000 fine).

Violations

Any Kent State University-managed website, web application or web content that is identified as violating any Federal or State law or regulation or University policy, or as infringing upon the copyright or intellectual property of another party, will be removed upon notification or discovery, with possible disciplinary action against the individual(s) involved, up to and including termination of employment.