Email changes for form submissions
Follow-up email sent April 22, 2022
This is a follow up email regarding email changes tied to FormAssembly form submissions (previous email below for reference).
The University of Utah Governance, Risk and Compliance (GRC) group in the Information Security Office (ISO) has made a policy determination about data collected through forms and sent via email. GRC/ISO reiterates that the university must comply with federal and state laws and university policies regarding data protection and privacy, or risk substantial fines and other penalties. Therefore, GRC/ISO has officially directed my team to no longer support the practice of emailing data collected through form submissions.
While we understand and empathize that this will require a change in processes for some organizations, we also recognize that we have a responsibility to follow laws and policy to help prevent exposing the university to risk. Our team is also adjusting to this change. In the coming weeks, we will set a target date for eliminating all personal data from form submission emails. Once set, we will follow up with an official announcement to give everyone time to reevaluate and rework their processes. If there is anything my team can do to help with those processes, please let us know.
If you have questions or feel you have a unique situation that needs to be addressed, please reach out to Associate Director Trevor Long in GRC at firstname.lastname@example.org. If his office approves your exception, we will happily work to accommodate accordingly.
Barb and the rest of the Omni CMS support team
Original email sent March 23, 2022
You are receiving this email because our records indicate that you receive email notifications for online form submissions. Over the past few months, my team has been migrating existing forms from Form Tools to FormAssembly. If we migrated your form and it is actively collecting data, you may have noticed a change to the content in the email submission notification.
I would like to issue my sincere apologies for the lack of communication behind the removal of data submissions from the email notification. We underestimated how much this change would impact our users and their business processes, and in hindsight, we should have been less focused on meeting our project deadline and more focused on coordinating and communicating the change with our users before implementing it.
Over the past few years, my team and I have been aware of and tracking changes in the data privacy and protection space, particularly new regulations such as GDPR and CCPA. Given these changes, and because we are not able to encrypt emails from FormAssembly, we decided to revisit our practice of emailing data from form submissions. Under university policy, personally identifiable information (PII) must be encrypted both at rest and in transit. The definition of PII has been evolving and we have been advised that it *could potentially* include basic contact information, such as first name, last name, and email address. Because of this, the university’s Governance, Risk & Compliance (GRC) team has advised us to discontinue the practice.
As stated before, we realize we underestimated how much this change impacts our users and their business processes. Originally, we were going to have groups request exceptions from the GRC team if they needed to receive data via email. However, it appears that is not an efficient or realistic strategy. We are going to take a step back and reassess the situation with the Information Security Office (ISO). I have a meeting with the ISO on Friday, March 25, at 10:00 a.m.
Until we decide on the best strategy moving forward, please consider the following options:
- Continue without submitted data in notification emails.
- If you can reasonably operate without the submitted data in the notification emails, we appreciate your willingness to adjust your processes to protect the data you request from your users.
- Restore submitted data to notification emails for the time being.
- If you cannot reasonably operate without the data in the emails, please email my team and we will put you on the exception list, restore the data in the emails, and keep you posted regarding necessary changes in strategy in the coming weeks.
Again, we apologize for the confusion and consternation this has created. We will work diligently to find a good balance between protecting university and user data, and supporting existing business processes.
Thank you so much for your patience and understanding on this important matter. Please don’t hesitate to reach out to me directly if you have questions or concerns.
Barb and the rest of the Omni CMS support team