Data and Money Collection Standards

Collecting Personal Information

If units wish to use online forms to collect personally identifying information from their site visitors (name, address, phone number, email address, etc.), they must do so in compliance with the Georgia Tech Privacy Policy and the European Union General Data Protection Regulation (official European Union regulation site). Units must also control access to the data they collect in accordance with the Georgia Tech Data Access Policy.

Some basic guidelines units must follow:

  • All web forms requesting personal data (sensitive or otherwise) must be hosted on an approved forms service or a Georgia Tech web server

    • Unapproved outside forms services (e.g. Google Forms) cannot be used when collecting personal data.

    • While unit websites can be used for basic forms, please consider using the campus-licensed Qualtrics service whenever possible, as it provides very flexible form customization and is already set up to run under SSL.

  • Any server or service hosting such a form must be running SSL data encryption (i.e. the server URL should start with https://). This applies both to the page that displays the form and to the address the form submits its data to.

    • Please contact the IAC web developer to make sure that the hosting you have selected supports SSL and learn how to make sure it is enabled on your hosting account.

  • Never ask for sensitive information on any form.  Sensitive information includes social security numbers, credit card numbers, birthdates, and also the following items defined as sensitive data by the European Union:

    1. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
    2. Trade-union membership
    3. Genetic data, biometric data processed solely to identify a human being
    4. Health-related data
    5. Data concerning a person’s sex life or sexual orientation

    If faculty have a bona fide need to ask one or more of these questions in connection with official research, they should get approval through their normal channels for approving research involving human subjects.

Collecting Fees for Events and Services

All electronic payment transactions must be handled through the approved payment processing marketplace that is managed by the Bursar's office. Institute policy prohibits the use of unit websites (campus hosted or otherwise) or outside payment processors (e.g. PayPal or Eventbrite) to collect any kind of electronic payment, including but not limited to credit card payments. It is acceptable to host a registration form on your website to collect general information and then send the user to the official payment marketplace to collect their money, but you must make sure you are following proper data security and privacy practices if you choose to collect user information on your own website (see the next section).