Data and Money Collection Standards

Collecting Personal Information

If units wish to use online forms to collect personally identifying information from their site visitors (name, address, phone number, email address, etc.), they must do so in compliance with the Georgia Tech Privacy Policy and the European Union General Data Protection Regulation (official European Union regulation site). They must also make sure that they control access to the data collected, in accordance with the Georgia Tech Data Access Policy.

Some basic guidelines units must follow:

  • All web forms requesting personal data (sensitive or otherwise) must be hosted on an approved forms service or a Georgia Tech web server
    • Unapproved outside forms services (e.g. Google forms) cannot be used when collecting personal data.
    • While unit websites can be used for basic forms, please strongly consider using the campus-licensed Qualtrics service whenever possible, as it provides very flexible form customization and is already set up to run under SSL.
  • Any server or service hosting such a form must be running SSL data encryption (i.e. the server URL should start with https://)
  • Never ask for sensitive information on any form.  Sensitive information includes social security numbers, credit card numbers, birthdates, and also the following items defined as sensitive data by the European Union:

    1. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
    2. Trade-union membership
    3. Genetic data, biometric data processed solely to identify a human being
    4. Health-related data
    5. Data concerning a person’s sex life or sexual orientation

    If faculty have a bona fide need to ask one or more of these questions in connection with official research, they should get approval through their normal channels for approving research involving human subjects.

Collecting Fees for Events and Services

All electronic payment transactions must be handled through the approved payment processing marketplace that is managed by the Bursar's office. Institute policy prohibits the use of unit websites (campus hosted or otherwise) or outside payment processors (e.g. PayPal, EventBrite, etc.) to collect any kind of electronic payment, including but not limited to credit card payments. It is acceptable to host a registration form on your website to collect general information and then send the user to the official payment marketplace to collect their money, but you must make sure you are following proper data security and privacy policies and practices if you choose to collect user information on your own website (see the previous section).