Document Management allows you to create Standard or Secure Document Types. The Document Security Level cannot be changed once it has been set.

Standard Documents

The Standard Document Type is not encrypted and should not be used for soliciting or storing any sensitive personally identifiable information (SPII).

Secure Documents

Files uploaded to Secure Document Types will be encrypted and only those specified on the activity will be able to manage them. The Secure Document Type allows for collecting both PII and SPII, with the exceptions of Protected Health Information (PHI, regulated by HIPAA (Health Insurance Portability and Accountability Act)) and Cardholder Data (CHD, regulated by PCI DSS), which may not be collected in CivicRec documents.

For this reason, do not request credit card or debit card information on any documents and do not use CivicRec document management to collect patient information in relation to the provision of healthcare if you are a HIPAA-covered entity or Business Associate of a HIPAA Covered Entity.

Examples of data that can be collected with Secure Document Types:

• Telephone and fax numbers
• Email addresses and physical addresses such as street addresses, zip codes, and county
• Driver’s license number, passport number, or social security number
• A name, including the full name of the individual, their maiden name or mother’s maiden name, and any alias they may use
• Asset information, such as MAC address or IP, as well as other static identifiers that could consistently link a particular person
• Information about an individual that is linked to their place of birth, date of birth, religion, activities, geographical indicators, or educational data
• Dates directly linked to an individual, including date of birth and death
• Bank account information
• Medical record numbers
• Health plan beneficiary numbers
• Medical information such as diagnoses, treatment information, medical test results, and prescription information
• Certificate or license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial number
• Biometric identifiers, including finger and voice prints

Guiding Principles to Mitigate Risk When Collecting PII or SPII

• Only collect personal information if you really need it and explain why any SPII being collected is required
• Tell people what you’re going to do with their information
• Apply appropriate safeguards to the information, such as limiting access and training employees on proper handling
• Give people access to their personal information if they want it
• Let people correct information that’s wrong
• Get rid of information when you’re done with it

Learn more about PII, Sensitive PII, and PHI. 

1. You will first need to Create Document Types for your organization
   
2. Once created, you can Add a Document Type(s) to an Activity
   

1. Session documents can be uploaded during registration checkout
   
   • Note: View a list of Supported File Types. 
2. Staff members with the appropriate permissions can view and manage Document Status on the session roster
   
3. If needed, staff can use the Pin Participant tool to prevent users from being auto-removed if they miss the cutoff date for uploading a document 
   
4. Public users can also upload and manage requested documents from their dashboard
   
   
   • Note: Public users can also manage their documents on a mobile device. 
     
   • Note: Staff members will not be notified if a public user removes a document. 

When adding a required Document Type to an activity, you have the option to set the Days in Advance of a session start date the file must be uploaded. If the user fails to meet the Days in Advance date, they will be removed from the session automatically and auto-refunded unless they are pinned to the roster. This field can be left blank if you do not wish to remove participants from the session automatically. 

When enabling Document Management on your site you will need to work with your Customer Success Manager or Support to associate a user account with the Document Type automated refund receipts. 

1. Staff can use the Roster Report to view the status of specific Document Types for activity sessions