OSU Policy on Digital Workflows and Digital Signatures related to Student Data

To meet federal obligations guided by FERPA, student privacy and information security must be observed on any form containing, or related to, student information at Oregon State University (OSU). To that end, as of July 1, 2021, all forms-based activities1 which gather student data and digital signatures are only allowable under the following circumstances.

  • The template or form requires OSU authentication prior to the user accessing the form

or

  • The template or form is launched from a platform that requires OSU authentication (e.g., MyOregonState, Banner Self-Service, Salesforce) and limits the workflow to OSU email addresses only

FERPA-protected information includes any information personally identifiable to a student that is maintained by OSU once the student has matriculated at OSU2. This includes but is not limited to information related to student employment, student health services, students’ financial accounts, students’ academic records, etc.

Any form or template which collects, or grants access to, students’ FERPA-protected information must first be approved by the Office of the Registrar3 and required training4 must be completed by that form’s originating owners and/or senders. All OSU employees are expected to adhere to the tenets of this policy with regards to current and/or future digitalized forms and digital signatures.

1. Including, but not limited to: DocuSign, OnBase, Banner Self-Service, etc. Note, this includes internal homegrown tools.
2. Matriculated is defined as being registered for an OSU course or an OSU orientation program.
3. For review and approval, please contact OtR at: [email protected]
4. Required training can be found at: https://is.oregonstate.edu/docusign/resources/designers; https://is.oregonstate.edu/onbase/training

 

Digital signatures and workflows protocol:

  • Requestors will review and complete required training.
  • Requestors will schedule FERPA consultation with Associate Registrar – Compliance.
  • Requestors will design their form(s) in development environment.
  • Requestors will submit request to move their form(s) from development to production environment.
  • Associate Registrar – Compliance will review request for FERPA compliance.
  • If FERPA-compliant, Administrative Technologies will move form(s) to the production environment.
  • Administrative Technologies will contact the requestor when move to production has been completed.

 

Frequently Asked Questions (FAQ)

Yes. However, you will need to follow the protocol above if the form is related to student data.

Students who are marked confidential cannot use DocuSign. This is because OSU is unable to send their information to DocuSign to create an account due to their confidentiality restriction.

If status as a student is a participation eligibility criterion and you wish to obtain consent digitally, you might consider building an authenticated consent form through Qualtrics. If this does not suit your needs and you wish to obtain consent through a digital signature, you will need to go through the form approval process.

The Office of the Registrar will release forms as we prepare them for DocuSign capabilities. If DocuSign has not yet been implemented on a form, we will not permit a digital signature on the form.  

The Office of the Registrar only accepts the paper version of those forms loaded into DocuSign if there is an extenuating circumstance (e.g. students with account holds) and certain populations (e.g. students with a confidentiality restriction). If a student submits a paper form that does not require a paper form submission, the Office of the Registrar will re-direct the student back to the DocuSign form. If you have questions or concerns about this, please contact [email protected].

OSU has implemented data security protocols and oversight with DocuSign. This allows for authentication, validating the recipient and signer identity through one’s ONID username.