Every industry and locale has unique requirements for what data is deemed sensitive, and there are often legal mandates and certification standards that must be met when sending or storing such data.
B12 sends and stores information submitted via forms securely, but you are ultimately responsible for compliance with any data protection and privacy laws that govern your clients’ data. As a result, we recommend that you do not collect sensitive data via B12 forms. Below is a list of commonly-restricted types of sensitive data.
Commonly-restricted types of sensitive data
Sensitive personally-identifiable information (PII)
Social security number (SSN)
Driver’s license number or state-issued identification card number
Passport information or images
Date and place of birth
Mother’s maiden name
Gender identity
Sensitive financial information
Credit card numbers and bank account information (although this can be collected through payment tools, such as B12’s Payments and Invoicing tool, or other third-party payment integrations)
Tax information
Credit reports
Loan applications or history
Records of financial transactions
Sensitive business information
Accounting data
Trade secrets
Business plans
Login credentials
Personally-sensitive information¹
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
Trade-union membership
Genetic data, biometric data
Data concerning a person’s sex life or sexual orientation
Protected health information (PHI): information, including demographic data, that relates to²:
the individual’s past, present, or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Education records such as enrollment information and transcripts
What if I need to store sensitive information?
If you need to collect sensitive information via a form on your website, you can build a form with an external form builder that specializes in data privacy law compliance, and then embed the form in your B12 website. One third party we recommend is FormStack, which is compliant with HIPAA, PCI, WCAG, and more. For more third-party options, email our team at hello@b12.io and tell us what kind of information you need to collect. Our team will respond with recommendations.
If you need to collect payments from your clients, you can use B12 Payments and Invoicing, which is included in every B12 subscription, or a third-party payment processor such as PayPal.
The above list is not comprehensive for every industry and locale. If you’re unsure whether something constitutes sensitive data, we recommend you conduct your own research into potentially unique requirements.