Using DocuSign with PII and FERPA Protected Data
Sender Responsibilities
As a DocuSign Sender requesting PII (Personally identifiable Information) or FERPA (Family Educational Rights and Privacy Act) data in a DocuSign envelope, you have a responsibility to protect this data upon its storage within DocuSign and to ensure only the appropriate parties have access to this envelope data.
This responsibility includes the assurance that appropriate masking or hiding of information that is considered PII or FERPA protected occurs when using DocuSign. This includes PII or FERPA protected data as part of an individual field such as Social Security Number or in combination with other Recipient data such as Full GID when in combination with Full Name.
The Sender responsibilities are outlined under the three methods of collecting PII or FERPA data within DocuSign.
When utilizing either the DocuSign application or any DocuSign integrations (Outlook or Word) the creator or initiator of an envelope, the individual selecting "Send an Envelope", is considered the "Sender" of that envelope.
The "Sender" is responsible for using the "Hide text with asterisks" feature on any Text field added to the document that may request PII or FERPA protected data.
Templates can be created by any DocuSign User with the appropriate permission. Templates can also be shared between DocuSign Users. When you select the "Use Template" option you are initiating an envelope and you become the envelope "Sender". Depending on the steps taken and permissions granted to DocuSign Users the Template may be restricted to modification. As a "Sender" you are responsible for ensuring that the "Hide text with asterisks" feature is enabled on any Text field added to the document that may request PII or FERPA protected data. This may require testing the appropriate text fields to ensure data is masked with astericks or contacting the Template owner to ensure PII or FERPA requested data is protected.
Powerforms are created based off a DocuSign Template. The Template owner is converted to be the default DocuSign Powerform "Sender". The Powerform owner or a DocuSign Admin are allowed to change the "Sender" of a Powerform as required. When using a DocuSign Powerform with PII or FERPA protected data, if astericks do not appear in the field that should be protected, upon tabbing or selecting another field, then the Powerform owner should be contacted to ensure appropriate safeguards are in place on the Powerform.
Hiding Text and Form Data
DocuSign articles outlining the process for Data Masking PII and FERPA as well as how to see this masked data:
- To find out about Data Masking, see DocuSign's Field Types page.
- To find out about Form Data, see DocuSign's Form Data page.
Data Storage and FERPA
- MSU-Northern's Data Stewardship Standards.
- See the Data Storage Security table to see what you can, and cannot, send/store in DocuSign.
- See the Family Educational Rights and Privacy Act (FERPA) Overview