Scenario
Government agencies will often need to collect user-generated data through form submissions. Typical use cases include contact forms, website feedback and consultation submissions. The data may be textual in nature but can also include files. The data may or may not contain personally identifiable information (PII); however, there will generally be an overarching desire for the data not to be retained on the website.
Challenge
The challenge here is fundamental: how to securely store content within the organisation. The data may originate on the website, but its security depends on how it is transmitted and stored. The Webform module does have a range of capabilities; however, it is not a full solution as it is not responsible for storing data. This is for the agency to determine.
Solution
The most robust solution would be for the agency to have a CRM or similar which was capable of storing user-generated data securely, allowing it to be processed and moved through a workflow by back-office staff. Such an approach maximises security and efficiency. Unfortunately, it appears that many agencies do not have such a system in place.
The most common option adopted by agencies is to email the data to an internal email address. Such an approach ensures the data is not stored on the site; however, the storage and processing problem is now perhaps worse, as the content is stored as a blob in an email.
One final approach, which is available on GovCMS but not commonly adopted, is to POST the form’s content as JSON data to an endpoint. If the endpoint is secured, then this is a good way to get the data into an external system. The main issue here is that custom logic may need to be implemented on the endpoint to store the data.
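One way the endpoint's custom logic could look, as an added example that is not GovCMS or Webform code. It assumes the form handler sends a shared secret as a bearer token over HTTPS; the field names and the SQLite table are hypothetical stand-ins for the agency's own schema and store.

```python
import hmac
import json
import sqlite3

# Assumptions (not from the page): bearer-token shared secret, these field
# names, and SQLite standing in for the agency's back-office system.
SHARED_SECRET = "constructed-example-secret"
ALLOWED_FIELDS = {"name", "email", "message"}
MAX_BODY_BYTES = 64 * 1024


def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS submissions "
               "(id INTEGER PRIMARY KEY, payload TEXT NOT NULL)")
    return db


def handle_submission(headers, body, db):
    """Return (http_status, detail) for one POSTed form submission.

    headers: dict with canonical header names; body: raw request bytes.
    """
    supplied = headers.get("Authorization", "")
    expected = "Bearer " + SHARED_SECRET
    # Constant-time comparison so the secret cannot be recovered by timing.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 401, "unauthorised"
    content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if content_type != "application/json":
        return 415, "expected application/json"
    if len(body) > MAX_BODY_BYTES:
        return 413, "body too large"
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, deep nesting
        return 400, "invalid JSON"
    if not isinstance(data, dict):
        return 400, "expected a JSON object"
    unexpected = set(data) - ALLOWED_FIELDS
    if unexpected:
        return 422, "unexpected fields: " + ", ".join(sorted(unexpected))
    if not all(isinstance(v, str) for v in data.values()):
        return 422, "field values must be strings"
    # Parameterised insert: submitted text never becomes part of the SQL.
    cur = db.execute("INSERT INTO submissions (payload) VALUES (?)",
                     (json.dumps(data),))
    db.commit()
    return 201, "stored as id %d" % cur.lastrowid
```

The function is independent of any web framework, so it can be called from whatever request handler the endpoint uses once the headers and raw body are available.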
Outcome
The secure storage of data remains an ongoing issue for many government agencies. Ideally, there would be more adoption of CRM systems that can either expose themselves as a form or handle POSTs to an endpoint. This would improve the security and efficiency of data collection.