Best Practices for Online Forms

Here is helpful information about best practices, data collection, and e-Signatures for forms.

  1. Have at least 2 owners (in case someone is out of the office, leaves the University, etc.) who can edit the form and access the submissions.
    1. For Office 365 Forms, it's recommended to create a group form; this allows all members of a group to access and manage the form.  To do this, first create a group with at least 2 people (be sure to use the web version of Outlook).  Then create a group form.
  2. Use only accessible form fields.
    1. See sample O365 form and Google form.  (Inaccessible form fields are identified on these sample forms.)
    2. Qualtrics sample form – Not available at this time.  Details about accessibility issues are available at Penn State’s site:  Qualtrics Survey Tool.
    3. If you have questions about the accessibility of a form, please contact me so that I can review the form before it’s made available to the public.
  3. Test the form once you have a final draft.
    1. Have someone who does not have access permissions test the form.
    2. Ensure that email notifications are sent/received (if using).
    3. Download data to see if it’s in a format that you can use. 
      If the form allows multiple responses for a question, be aware of the following:
      1. Depending upon the form software, multiple responses may be in a single cell or entered into separate cells.  See the examples below:
        Multiple Responses in Separate Columns
        Option A | Option B | Option C
        X        |          |
        X        |          | X
                 | X        | X

        Multiple Responses in Single Column
        Responses
        Option A
        Option A,Option C
        Option B,Option C
      2. You may need to change the question type or work with the data in Excel to get it into the desired format.
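
The conversion between the two layouts shown above can be scripted instead of done by hand in Excel. The following Python is an added example, not part of the original page; the column name `Responses`, the option labels, and the sample export are constructed to match the tables above, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample export, matching the "single column" table above.
SINGLE_COLUMN_EXPORT = """Responses
Option A
"Option A,Option C"
"Option B,Option C"
"""

OPTIONS = ["Option A", "Option B", "Option C"]


def to_separate_columns(csv_text, column="Responses", options=OPTIONS, mark="X"):
    """Expand one comma-joined response cell into one marked column per option."""
    rows = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        chosen = {part.strip() for part in (record[column] or "").split(",") if part.strip()}
        unknown = chosen - set(options)
        if unknown:
            # An option label that itself contains a comma would land here.
            raise ValueError(f"unrecognized response(s): {sorted(unknown)}")
        rows.append({opt: (mark if opt in chosen else "") for opt in options})
    return rows


def to_single_column(rows, column="Responses", options=OPTIONS):
    """Collapse per-option columns back into one comma-joined cell."""
    return [{column: ",".join(o for o in options if (row.get(o) or "").strip())} for row in rows]


def write_csv(rows):
    """Serialize rows to CSV text; the csv module quotes cells containing commas."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    wide = to_separate_columns(SINGLE_COLUMN_EXPORT)
    print(write_csv(wide))
    print(write_csv(to_single_column(wide)))
```

Unrecognized labels raise an error rather than being dropped, so a renamed or comma-containing option is caught before the converted data is used.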

    Data Collection

    1. Per University policy, DO NOT collect PII (Personally Identifiable Information), such as:
      1. Social Security #, Driver’s License #, Credit Card #, Bank Account #
      2. Birth Date
      3. State ID cards
      4. Passport #, Military ID #, Tribal ID #
      5. User ID/email address combined with passwords or security questions/answers
      6. Digital Signatures
      7. Biometric Data (fingerprints, retina images, DNA profile)
      8. Protected Health Information
    2. The nine-digit PSU ID can be collected on a form and included in the body of an email message IF:
      1. The web form resides on a server that is compliant with the requirements for Moderate/Level 2 data under AD95.
      2. The Office 365 and Google suites meet these requirements.
    3. FERPA data is generally classified as Level 2 unless there is PII involved (SSNs, Driver's License Numbers, etc.).
    4. Questions may be directed to the Penn State Privacy Office.
    5. University policies (including data retention):
      1. Permitted Storage (Acceptable locations for data storage)
      2. AD95 - Information Assurance and IT Security
        1. Classification of Information
      3. AD53 – Privacy 
      4. University Privacy Office (Data, PII, credit cards, etc.  Includes email address if you have any questions.)
      5. University Information Security Office (Privacy, policies, data classification, etc.)
      6. AD35 - University Archives and Record Management (retention, archives, etc.)
      7. General Records Retention Schedule
      8. Web Privacy Statement
      9. AD96 - Acceptable Use of University Information Resources

    e-Signatures

    1. Guidelines for Electronic Signatures (Behrend)
    2. The nine-digit PSU ID can be collected on a form and included in the body of an email message IF:
      1. Must follow steps as outlined on this page.
      2. In a nutshell:  Notify Randy Geering and maintain records, i.e., the form and the data associated with the specific version of the form.