Collecting Personally Identifiable Information with Forms

Throughout Canada, the U.S. and in many other jurisdictions, the protection of citizens’ privacy is an important right that is guaranteed and protected through various pieces of legislation. In Ontario, for example, the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) protects individuals’ personal information that is held by institutions, and gives individuals the right to access that information.

Best practices for collecting PII with Forms

To comply with legislation such as the MFIPPA and to ensure citizens’ personal information remains safe with your organization, here are a few tips and best practices to consider when using Forms as an information collection tool.

1. Develop or review your data retention policy

Retaining individuals' PII is important to ensure that citizens have access to their records if they request to view them or to have them deleted earlier than required. Depending on the use of the information (e.g., credit or debit card data, or video surveillance data), there may be varying retention requirements and timelines. A data retention policy governs how your organization handles the PII that you collect in Forms and helps you minimize risk by defining set time periods for which data is stored before it is deleted. Because of this, we recommend that you develop or review this policy to ensure that personal data is processed and deleted as quickly as possible after its purpose has been met, while maintaining legislative requirements for the term that the data needs to be stored.

2. Avoid exporting or sending data outside of Forms 

Alongside Forms' safe and secure hosting capabilities provided by the cloud-based Microsoft Azure platform, your organization can help secure PII you’ve collected by keeping this information in Forms itself. That means eliminating the need for sharing or exporting form results through channels such as email and Excel. When you email information from Forms, this data is now in transit to third-party users. This makes it harder to track, which also makes it harder to enforce your data retention policy on that set of data.

Additionally, when you export form responses to Excel, you create another copy of the data set which must be governed by your policies – and this copy of the data is not locked with staff user accounts like it is in Forms. Forms is also capable of delivering email notifications or PDF copies of response summaries to other users. You can avoid unnecessarily sharing data outside the tool by not using “answer tokens” that include PII in these emails and PDF copies of responses. Answer tokens are shortcuts that pull a response from one of the fields of your form into your form’s response summary.

We encourage you to always use Forms instead of fillable form PDFs when requesting information from citizens where possible, especially when collecting PII. Fillable form PDFs are not locked behind a secure storage solution with managed account access. They can be easily shared and are hard to track once they have been sent in transit to anyone outside of the form’s intended audience.

3. Restrict access to all forms that collect PII

We recommend that you restrict the number of users that have access to forms containing PII in Forms. Only staff who need to view the data as part of their role should have access to form responses that contain PII. This helps minimize risk because you can control who can open and view the form data. Learn more about Forms security and permissions, including how to restrict access to folders and forms, and provide access at an individual user level or for user groups.

4. Promptly remove Forms user access when staff members leave

It's important to always remove and delete access to Forms for staff members who leave the organization or change roles within the organization. This will prevent them from accessing PII in Forms after they have left the organization or role. You can remove users directly from Forms with its user management and permissions functionality.

Integrating your CMS with an Active Directory (AD), if your organization uses one, is also a great way to stay on top of user movement. Once a user’s AD account is disabled, they will no longer be able to access your website’s backend or Forms.

Understanding MFIPPA

Ontario's Freedom of Information and Protection of Privacy Manual helps public sector staff and citizens understand MFIPPA and its administration. The manual provides helpful information, describing how provincial legislation protects individuals’ privacy by:

  • Providing rules as to what and how personal information can be collected by institutions
  • Providing rules on how institutions handle, manage, and share personal information between institutions and other government organizations
  • Establishing procedures for individuals to access their own personal information, subject to some exemptions

The manual also outlines the conditions under which institutions can use their authority to collect PII, as well as the manner of collection and the use and disclosure of citizens’ personal information.

What is considered personally identifiable information?

Some common examples of personally identifiable information (PII) include:

  • Information that relates to an individual's characteristics, background and history, such as race, ethnicity, country of origin or gender
  • An identifying number, such as a Health Card number, medical record number or Social Insurance Number (SIN)
  • An identifying symbol, such as a signature
  • Any information placed alongside a name that would reveal other personal information about the individual