Why is this important?
Visitors need to be confident our sites are secure, our communications can be trusted, and their privacy is protected.
Legislation and policy
McGill staff are subject to Quebec and Canadian laws and McGill University’s policies concerning information security and maintaining the confidentiality of personal information.
In addition, anyone who processes, transmits or stores credit cards information in an unsecure and unauthorized manner may be found in violation of financial confidentiality laws and expose themselves to legal liability. If you need to collect payments, please get in touch with Financial Services.
Visit McGill’s cybersecurity website Secure your journey and the IT Knowledge Base’s Cybersecurity category for additional tools and resources.
Checklist of things to do
- Create secure webpages and webforms that properly protect users' personal data.
- Adhere to McGill's Essential web security guidelines for site owners.
- Don't display or email people's confidential information (unless it's using McGill's official email).
- Don't identify student names without their written consent, e.g. on Research web pages, do not list student participants.
- Don’t list people’s birth dates, addresses, places of residence, or any other personal details about them, even if as part of a congratulatory post.
- Don't share enter or upload sensitive or restricted data into generative AI tools without authorization.
- Microsoft Copilot is currently the only authorized generative AI tool at McGill. Refer to the Copilot article in the IT Services Knowledge Base to learn what is acceptable and not acceptable to enter into a prompt.
- If you become aware of unsafe practices or vulnerabilities, notify IT Security.
- Ensure your site has a designated sponsor/asset steward.
- Delete/decommission websites when they become inactive and/or are no longer of value.
- Update website access permissions accordingly when your web team members change roles, leave your department or leave the university.
- Use McGill usernames and passwords for authentication on McGill websites and systems (where possible).
- If authentication is required on McGill websites, it should be performed using one of our preferred Single Sign On (SSO) methods, such as SAML, with McGill’s central identity provider.
- Limit data collection for analytics and user research to interactions around links, buttons and page elements only.
- If linking to information in a cloud service, adhere to instructions in McGill's Cloud Directive which describes when and where you can process, transmit and store McGill data
Supporting resources
Related sites
How to create secure webforms
- Create Forms in the Web Management System
- Webform security: Protecting user data
- Webforms and security: Three things worth repeating
Privacy and security policies and guidelines
McGill policies and guidelines site owners and managers should be aware of.
Use of information technology
- Policy on the Responsible Use of Information Technology at McGill, IT Services
- Supporting Guidelines for the Responsible Use policy
- IT Policies, Directives, Regulations and Standards
- Reporting McGill IT security incidents
- Guide to secure web service/servers
- Cloud Services at McGill - When acquiring or using an online solution, here's what you need to know...
- Domains and URLs for McGill websites