Web Development, Mobile Applications, and Applications Services Guidelines and IT Accessibility Toolkits
Oakland University's online presence is essential to its mission. Thus, the university's web and mobile development guidelines seek to establish standards that will:
- Support the university Strategic Plan, noting the emphasis on Community Engagement that requires positive and consistent image and branding.
- Assist website developers, content managers, and web publishers in developing sites that comply with university policies and guidelines, and local, state, and federal laws.
- Facilitate the official business of the university through appropriate online transactions.
- Verify that there is a development model to sustain the website over time and through technology platform shifts.
This applies to websites located within the oakland.edu domain and all subdomains, the official website of the Oakland University, websites conducting university business, and mobile applications that link in any way to Oakland University operations, data, or intellectual property. Also covered are university-owned apps that are apps developed by university employees and contractors with an intended distribution by Oakland University. The approved university app is the MySAIL app. In general throughout this document, the term "websites" includes all sites access by an URL and all mobile apps.
Policies and Standards Applicable to All Websites, Developed Applications, and Apps
All organizations and individuals creating and maintaining websites and apps must comply with university policies, network connectivity acceptable use policies, applicable laws, and regulations. A partial list follows:
Developers must comply with all IT Policies and Guidelines.
- Developers must comply with the university acceptable use Policy #890:
Connected with Policy #890 are the policies of Merit Network, Inc. (also located here: https://www.merit.edu/about-us/policies/#acceptable_use).
- As noted in Policy #890, Oakland University websites are limited to official, course, organization, and personal sites. Websites are prohibited from hosting pages on behalf of individuals and organizations that are not affiliated with the university, in accordance with the above policies.
- All web sites must follow university and legal standards regarding copyright and trademarks as described in the Policy #890. Student course materials involving Fair Use copyrighted materials must be stored behind a university-protected login identity and with access coordinated with course availability.
All web sites must follow Communications and Marketing standards and related university policy. Communications and Marketing Web Governance guides the design layout. The university's name and logos must be used in compliance with Policy 450 Licensing of University Name, Logo and Symbols. Additional guidelines are maintained by Communications and Marketing for Web Development and Graphics and for Style Guidelines.
Websites must be developed and maintained with attention to accessibility standards. In compliance with Section 508 of the Rehabilitation Act, the Americans with Disabilities Act, and university non-discrimination policies, all websites to the extent feasible, must be made accessible to people with disabilities. If it is not feasible, alternative methods must be made available to complete the same tasks in a time window equivalent to 24-hour web site availability. Compliance with the WCAG Standard 2.0 Level AA is desired. Oakland University documentation is in the knowledge base article Accessibility Efforts and Toolkits.
- Domain names (URLs) must comply with university Communications and Marketing standards and comply with university policy #850 Network Infrastructure Policy. Domains will be monitored and tested for compliance with accessibility standards. Any licensing costs required to add scanning for the domain will be funded by the unit creating the web site.
- The disclosure of information about students must comply with federal Family Educational Rights and Privacy Act (FERPA) guidelines. Student grades, individualized student activities, or other typical course activities, must be accessed through a standard university login process to comply with regulations.
Any display or processing of confidential information described in Policy #860 Information Security requires review by the Chief Information Officer or designee prior to development.
Websites that involve records or transactions of any type must comply with university policy for retention: Policy #481 Records Retention and Disposal. Additionally, student records may only be released within the rules stated in Policy #470 Release of Student Educational Records. Preservation of records gathered through web sites may also be required to meet external legal requests as noted in Policy #890.
Websites that involve the processing of payment with any type of payment card must be compliant with current Payment Card Industry Data Security Standards. Please verify site plans for processing payments by describing the plan in an email to firstname.lastname@example.org prior to development.
Websites that involve the processing of any medical record must be compliant with medical privacy records laws and the Health Insurance Portability and Accountability Act. Please verify site plans for processing any type of medical records by describing the plan in an email to email@example.com prior to development.
All websites and website analytics must comply with all applicable laws and university policies governing personal privacy and the confidentiality of information. Sites collecting personally identifiable information must link to the Privacy Statement. Additionally, any web site or mobile app that gathers data must comply with the General Data Protection Regulation and related university privacy statements.
Servers and applications must meet campus security standards and protect the privacy and security of personally identifiable and sensitive information. University Technology Services will periodically audit the security of campus servers and applications. If common security best practices are not implemented, the department will be responsible for implementing security improvements and mitigating risk within a reasonable time, depending on risk. If mitigation actions are not taken, the web site will be taken off-line until risk is appropriately mitigated. Servers and applications must comply witn university Policy #880 Systems Administration Responsibilities.
Software as a Service, hosted software, online solutions utilization a web site, and other developed software solutions involving an agreement with Oakland University or payment from Oakland University to a vendor must be procured in compliance with university purchasing policies and procedures described here: Software.
- No web application or mobile app may process payment involving a payment card without prior approval from Student Business Services and University Technology Services.
Licensing and distribution of apps requires attention and planning. Anyone who develops apps must follow the licensing and distribution requirements found on the site specific to the mobile device platform. Developers must adhere to license requirements for any third-party APIs or modules that are imbedded in the app. To distribute official university apps on the iTunes App Store, there is one Oakland University license that is administered centrally by University Technology Services. If a deistribution plan involves a new or separate agreement, the university software process must be followed.
- To maximize the university software investment, provide efficient use of university resources, and best comply with the above policies and guidelines, an existing university resource is the preferred first choice for any web site. Primary existing resources include:
Custom Web and Apps Development
If your unit seeks a website development environment outside the usual Percussion or Moodle environment, a review process must be initiated. The app market place is changing rapidly, and generally we recommend developing a website using Responsive Web Design techniques, as the resulting product has broader use, is easier to distribute, and is easier to maintain than an app. University Technology Services will assist in assessment of a development direction within university policies, but in general UTS does not offer support services for web site or app development.
Faculty should follow research protocols first if the web site or app are intended for direct or indirect research purposes. The Office of Research Administration should be contacted to determine if approval by the Institutional Review Board is required.
The review process is:
Submission of the request to University Technology Services at firstname.lastname@example.org .
- Description of the purpose of the web environment or app.
- Description why an existing university web environment will not work for the project.
- University Technology Services (UTS) and University Communications and Marketing (UCM) will then engage in a review involving a series of meetings with the requesting office. The review will include a step-by-step review of each of the areas of policy and standards compliance with the requesting unit expected to address each area.
- UTS and UCM will then design an appropriate solution, including resources to sustain the website over time.
- UTS and UCM will work with a designated representative of the financial office to determine the initial cost of the project and the ongoing annual costs.
- The project will then be presented to the requesting office to determine whether they want to continue.
- If continued effort is desired, the project will be presented to the area Vice President for approval.
- If approved, the project will proceed.
- Additional review may be required before a web site or app is launched and distributed.