Encrypted Forms allow you to securely store sensitive data in the Form Center.
- Platinum Security and an Internal Privacy Impact Assessment are required before enabling encrypted forms on your site.
- Encrypted categories and their forms can never be changed to unencrypted and vice versa.
Privacy Impact Assessment (PIA)
When storing sensitive data, it is important to assess the risk that collecting sensitive information may pose. Whether you are making changes to what's collected, how the data is used, or to the system that collects the data, it is important that assessments are performed by those collecting the data. This applies not only to CivicPlus (The Data Custodian) but most importantly to you (The Data Owner). Assessments could be required for each form depending on how the data is used.
Personally Identifiable Information (PII) Confidentiality Safeguards
The safeguards put in place cover Operational, Privacy Specific and Security Controls. While the Data Custodian (CivicPlus) is responsible for the Security Controls, the Data Owner is responsible for the Operational and the Privacy Specific Controls. It is important that a Privacy Impact Assessment (PIA) is performed to assess and mitigate risk.
- Operational Safeguards
- Policy and Procedures
- Security Training and Awareness
- Privacy-Specific Safeguards
- Anonymizing Information
- Conducting Privacy Impact Assessments
- De-Identifying Information
- Minimize the Use, Collection, and Retention of PII
- Security Controls: The security controls are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev 4. Security Controls Framework. These PII-specific controls are put in place by CivicPlus and are shared to ensure that sensitive information is securely stored and transmitted.
Encrypted Forms is secure for collecting PII and some PHI Data, but not HIPAA or PCI Data.
For this reason, do not request the following information on any forms:
- Credit Card/Debit Card Information
- Medical Information such as diagnoses, treatment information, medical test results, and prescription information.
Types of data that can be collected with Encrypted Forms:
- Telephone and fax numbers
- Email addresses and physical addresses such as street addresses, zip codes and county.
- Driver’s license number, passport number or social security number.
- A name, including the full name of the individual, their maiden name or mother’s maiden name, and any alias they may use.
- Asset information, such as MAC address or IP, as well as other static identifiers that could consistently link a particular person.
- Information about an individual that is linked to their place of birth, date of birth, religion, activities, geographical indicators or educational data.
- Dates directly linked to an individual, including date of birth and death.
- Bank Account Information
- Medical record numbers
- Health plan beneficiary numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial number
- Biometric identifiers, including finger and voice prints