Form data collection policy
Augustana is bound by State and Federal law to protect certain college data. In order to protect the privacy of our students and employees, the college also protects some data that is not legally required to. Third-Party forms can create a weakness in security of this data for two reasons:
- Ease of sharing inside and outside the college
- Storage of data on non-college controlled servers
Augustana classifies data created, owned, and used by the college in the following four categories (for more information, view our Data Classification Policy):
- Directory/Public Information
- Internal Information
- Restricted Information
- Confidential Information
Note: Any information that is protected by HIPPA or FERPA is not allowed to be collected through 3rd party forms.
Public Information - Acceptable for 3rd party forms
Definition: Public information is data for which there is no expectation for privacy or confidentiality.
Because there is no expectation of privacy for public information, data can be collected through 3rd party forms. Still, because of the ease of sharing through services like Google Drive, it is still a good idea to only collect the information that is required for your project.
Examples of public information:
- Personal/Employee Data
- Name
- College email address
- Phone number(s)
- Degrees, honors and awards
- Positions
- Photographs
- Classification
- Participation in campus activities and sports
- Weight and height (athletes)
- Dates of attendance
- Enrollment status
- Business Data
- Campus maps
- Job postings
- List of publications (published research)
- Press releases
Internal Information - Acceptable (be cautious)
Definition: Internal data is data that is not intended to be shared outside of Augustana.
Since this data is only for internal use, Augustana users should use caution when collecting and sharing this data through 3rd party forms. Make sure to consult with the owners or creators of the data before collecting or storing this information outside of college resources. If you have any questions about how to manage Internal data, please contact the head of the department who manages that type of data.
Confidential - Not acceptable for 3rd party forms
Definition: Data that could adversely affect individuals or the college if it were made available to unauthorized persons. Some of this data overlaps with the Restricted category.
This data should be protected when stored and transported and therefore is NOT approved for collection through third party forms.
Examples of Confidential data include:
- Student Data not included in directory information
- Records of current or former students (FERPA protected information)
- Records that are protected by HIPPA
- Personally identifiable information (including applicants, to current/former students, to donors, etc.)
- ID numbers
- Business/Financial Data
- Individual employment information
- Data subject to a confidentiality agreement
- Information that is confidential by law or agreement through a 3rd party.
Restricted - Not acceptable for 3rd party forms
Definition: Data that the college has a legal, contractual, or regulated responsibility to protect as well as data that would provide access to confidential or restricted information.
Examples of Restricted information includes, but is not limited to:
- Personally Identifiable Information
- Protected Health Information (PHI)
- Unencrypted data used to authenticate or authorize access to electronic resources
- Personal/Employee Data
- Student Data not included in directory information
- Business/Financial Data
- Donor information
- Management data
- Systems/Log data