Every industry and locale has unique requirements for what data is deemed sensitive, and there are often legal mandates and certification standards that must be met when sending or storing such data.

B12 sends and stores information submitted via forms securely, but you are ultimately responsible for compliance with any data protection and privacy laws that govern your clients’ data. As a result, we recommend that you do not collect sensitive data via B12 forms. Below is a list of commonly-restricted types of sensitive data.

Commonly-restricted types of sensitive data

  • Sensitive personally-identifiable information (PII)

    • Social security number (SSN)

    • Driver's license number or state-issued identification card number

    • Passport information or images

    • Date and place of birth

    • Mother's maiden name

    • Gender identity

  • Sensitive financial information

    • Credit card numbers and bank account information (although this can be collected through payment tools, such as B12’s Payments and Invoicing tool, or other third-party payment integrations)

    • Tax information

    • Credit reports

    • Loan applications or history

    • Records of financial transactions

  • Sensitive business information

    • Accounting data

    • Trade secrets

    • Business plans

    • Login credentials

  • Personally-sensitive information¹

    • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs

    • Trade-union membership

    • Genetic data, biometric data

    • Data concerning a person’s sex life or sexual orientation

    • Protected health information (PHI): information, including demographic data, that relates to²:

      • the individual's past, present, or future physical or mental health or condition,

      • the provision of health care to the individual, or

      • the past, present, or future payment for the provision of health care to the individual,

      and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.

    • Education records such as enrollment information and transcripts

What if I need to store sensitive information?

  • If you need to collect sensitive information via a form on your website, build the form with an external form builder that specializes in data privacy law compliance, then embed that form in your B12 website so the sensitive fields are submitted to and stored by the specialized provider rather than by B12 forms. One third-party builder we recommend is FormStack, which offers HIPAA, PCI, and WCAG compliance, among others. For more third-party options, email our team at hello@b12.io and tell us what kind of information you need to collect; our team will respond with recommendations.

  • If you need to collect payments from your clients, you can use B12 Payments and Invoicing, which is included in every B12 subscription, or a third-party payment processor such as PayPal.

The above list is not comprehensive for every industry and locale. If you’re unsure whether something constitutes sensitive data, we recommend you conduct your own research into potentially unique requirements.

References

1. Statement of sensitive personal information according to the GDPR

2. Summary of the HIPAA privacy rule from US Department of Health and Human Services


Bibliography

Statement of sensitive personal information according to the GDPR

Summary of the HIPAA privacy rule from US Department of Health and Human Services

Definition of PII from the US National Institute of Standards and Technology

The US Department of Education's Family Educational Rights and Privacy Act (FERPA)

The Federal Trade Commission's Gramm-Leach-Bliley Act for financial institutions
