PII and MachForm

REQUESTING A NEW MACH FORM SITE:

  1. Please complete the PII Mach Form Process to verify your understanding of your responsibilities regarding PII data as they relate to the use of MachForm.
  2. Contact ITech at 601-266-HELP or enter a work order to obtain assistance if your group/organization does not have a site or if you are not sure if your group/organization has a MachForm site.


ADMINISTRATOR RESPONSIBILITIES

  • All administrators are responsible for assigning access only to individuals, rather than using one generic email address to allow staff to access a MachForm site.
  • As of 6/1/16, use of generic email accounts to access MachForm will be discontinued.
    • Follow the instructions to obtain new accounts for those who were previously accessing MachForm using a generic email address.


USER RESPONSIBILITIES:

  • As an account holder with access to the MachForm software, you are responsible for proper handling of any data that you might collect.
  • Student workers have the same responsibilities as other non-administrator account holders.
  • Each user must review and complete the PII Mach Form Process listed below.


PII MACHFORM PROCESS:

NOTE:  Regardless of the number of MachForm sites to which an individual obtains access, each individual only has to complete this process once.



IMPORTANT INFORMATION ABOUT PRIVACY AND MACHFORM:

SITUATION:  The University of Southern Mississippi ("USM") uses MachForm for creation of forms by groups across campus.  MachForm is not set up for the encrypted transmission or storage of private data or financial transactions, which is necessary to protect PII data.

PROHIBITION:  Do not use MachForm to collect personally identifiable information (PII).

WHAT IS PII?  PII is considered sensitive information that can be used, either alone or in conjunction with other information (i.e. data combinations), to identify a specific individual.

Examples of this sensitive information include:

  • Data covered under FERPA, including GPA.
  • Data covered under HIPAA
  • Date of birth
  • Social Security Number
  • Credit/debit card numbers and bank account/routing numbers

Data Combinations that Result in PII: When certain combinations (i.e. data combinations) of data are collected they rise to the level of information needed to identify a specific individual.  Users of MachForm should not collect any of the following data combinations since MachForm is not encrypted to the degree necessary to protect the data being collected.

Combination #1:  Name or emplID or email + Social Security Number

Combination #2: Name or EmplID or email + driver’s license

Combination #3: Number/state ID number (name or emplID or email) + Alien registration number (name or EmplID or email) + tax ID (name or emplID or email) + passport number

Combination #4: Name or emplID or email + Medicaid Account

Combination #5: Number (name or emplID or email) + full birth date (month/year ok) (name or emplID or email) + mother’s maiden name

Combination #6:  Any bank account number (with or without a name)

Combination #7: Any credit card number (with or without name)

Recommendations:  Do not collect birthdates.  Instead, use an age range identifier if possible.  Only use the specific age if it is essential to program needs.  If a department is using a form to collect information to coordinate birthday celebrations, the department should only collect individual birth months.
 
NOTE: Since budget strings do not include PII of a sensitive nature, you may collect them.
 

USM's PII POLICY: 

  • Any forms built using MachForm that ask for any of the combinations listed above are in violation of the University’s Information Privacy Statement-Policy ACAF-IT-012.
  • Such forms compromise the individual’s privacy and expose the individual who created the form, their group/organization, and the University to litigation and federal enforcement action.

HOW TO COMPLY WITH USM's POLICY: 

  • If you have any forms in existence that have collected data that falls within one of the data combinations listed above, follow these steps:
    • unpublish the form;
    • download the spreadsheet of data collected and then delete the fields that contain the data combination; and
    • update the form to remove the data fields that are collecting data that falls within the data combinations.
  • Avoid asking for a specific student GPA by allowing the student to select from a GPA range or to answer yes/no that his/her GPA is above a certain value.
  • Avoid asking for an individual's entire birthdate (mm/dd/yy).  Instead, ask for a birth range or birth month.

ADDITIONAL CONSIDERATIONS:

  • Do not collect information related to any Federal program using MachForm. 
  • Information related to a Federal Program must be protected from disclosure under The Privacy Act of 1974, 5 U.S.C. §552a (see "Routine Uses" section).
  • Since MachForm does not provide for comprehensive encryption, any information collected using MachForm would not be protected from disclosure, and using MachForm to collect such data violates the level of protection applicable to such data under The Privacy Act of 1974.
  • For additional information about The Privacy Act of 1974, see the Overview of the Privacy Act of 1974 (2015 Edition).

QUESTIONS:  Please direct questions:

  • Regarding policies or PII specifically to Paul Walters, Director of Compliance and Ethics, at 601.266.4466 or paul.walters@usm.edu.
  • Regarding MachForm functionality to web@usm.edu.
  • Regarding forms that must have a payment option to the iTech Help Desk, helpdesk@usm.edu, and ask about Cashnet, the online payment solution that USM uses.