Encrypted Forms allow you to securely store sensitive data in the Form Center.
Important Notes:
Platinum Security and an Internal Privacy Impact Assessment are required before enabling encrypted forms on your site.
Encryption is set at the category level when a category is created and its forms can never be changed to unencrypted and vice versa. You will also not be able to copy forms from an unencrypted category to an encrypted one or vice versa.
Encrypted Forms submission databases use /gloAES (Advanced Encryption Standard) 256 encryption.
Privacy Impact Assessment (PIA)
When storing sensitive data, it is important to assess the risk that collecting sensitive information may pose. Whether you are making changes to what's collected, how the data is used, or the system that collects the data, it is important that assessments are performed by those collecting the data. This applies not only to CivicPlus® (The Data Custodian) but most importantly to you (The Data Owner). Assessments could be required for each form depending on how the data is used.
Personally Identifiable Information (PII) Confidentiality Safeguards
The safeguards put in place cover Operational, Privacy Specific, and Security Controls. While the Data Custodian (CivicPlus) is responsible for the Security Controls, the Data Owner is responsible for the Operational and Privacy Specific Controls. It is important that a /gloPrivacy Impact Assessment (PIA) is performed to assess and mitigate risk.
Operational Safeguards
Policy and Procedures
Security Training and Awareness
Privacy-Specific Safeguards
Anonymizing information
Conducting Privacy Impact Assessments
De-Identifying Information
Minimize the Use, Collection, and Retention of PII
Security Controls: The security controls are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev 4. Security Controls Framework. These PII-specific controls are put in place by CivicPlus and are shared to ensure that sensitive information is securely stored and transmitted.
Disclaimer
Encrypted Forms are secure for collecting PII (Personally Identifiable Information) and some PHI (Protected Health Information) Data, but not the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI) Data.
For this reason, do not request the following information on any forms:
Credit Card/Debit Card Information
Medical Information such as diagnoses, treatment information, medical test results, and prescription information
Types of data that can be collected with Encrypted Forms:
A name, including the full name of the individual, their maiden name or mother's maiden name, and any alias they may use
Asset information, such as MAC (Media Access Control) address or IP (Internet Protocol), as well as other static identifiers that could consistently link a particular person
Bank Account Information
Biometric identifiers, including finger and voiceprints
Certificate or license numbers
Dates directly linked to an individual, including date of birth and death
Device identifiers and serial number
Driver's license number, passport number, or social security number
Email addresses and physical addresses such as street addresses, zip codes, and county
Health plan beneficiary numbers
Information about an individual that is linked to their place of birth, date of birth, religion, activities, geographical indicators, or educational data
Medical record numbers
Telephone and fax numbers
Vehicle identifiers and serial numbers, including license plate numbers