Use a webform to capture and collate information digitally. They provide a better user experience and are more accessible than a Portable Document Format (PDF) form. Webforms can include checkboxes, radio buttons and text fields as well as confirmation that the form has been sent and received.
Guide to webform basics
This guide provides instructions for creating basic webforms with the most used elements. It also relies on using the standard Drupal default settings that webforms are prepopulated with, except where we recommend you change these settings.
There are many complex elements that can be added to webforms and settings that can be customised but these won't be covered in this guide to the basics.
On this page
- Webform access
- Using a webform
- Creating a new web form
- Confirmation the form has been submitted
- Using reCAPTCHA for spam protection settings
- Test your webform
- Storing web form submissions
- How to add a webform to a page
- Searching for webforms that have already been created
- See this live in the CMS Components Guide
Webform access
Webforms are an advanced feature of the Content Management System (CMS) and so not all editors are given this access.
It’s important to note that CMS users will need the Sensitive Data Access user role applied to their account to be able to create and update web forms. Users will also need to be given specific permission to access existing forms on the CMS by the form owner. Complete the User access request form and select Update user access in Drupal CMS to request this access.
Using a webform
A webform is an advanced function used to gather responses from customers. A webform is a reusable piece of content created within the CMS that can be added to many webpages or a single webpage. It can be added to a standard page or landing page.
Do
- Plan where the data from your webform will be stored. You may want to integrate with another system such as a CRM, SWIFT or SharePoint.
- Check the data security of the webform submissions and where the completed webforms are being sent. Find out who has access to the completed webform submissions.
- Consider the protection of privacy and privacy legislation. You will need a privacy collection notice to create a webform, and you may need to conduct a Privacy Impact Assessment, depending on the risk profile.
- Be clear about why you are asking for information.
- Use forms to create a better customer experience.
- Use webforms instead of downloadable PDF forms. You may also want to provide the downloadable PDF form in addition to the webform for users in some situations, for example:
- when a frontline worker may be providing a printed form to groups with low digital literacy or internet access.
- when customers are raising sensitive complaints and want to protect their anonymity.
- Test your form and check it is working as expected.
Don't
- Do not ask for information that isn't relevant or required for the purpose of your webform, especially if it is personal or sensitive information. For example, asking for first or last names when only an email address field is necessary.
- Do not use the CMS as an information database or to store information. Data submitted will be removed from the CMS after a short period of time as it is expected to be securely stored elsewhere.
- Don't use the default confirmation email message, which includes a summary of the webform data, if it contains personal or sensitive information as it can increase the risk of a data breach.
Creating a new web form
Go to Manage Menu > Structure > Webforms, then click + Add webform
- In the Add webform pop-up box and you will need to enter the mandatory fields:
- A Title for your webform.
- Select your agency from the Data Custodian (owner) look up.
- Click Save.
- After the form is saved you will automatically be taken to the Build tab > Elements tab within your new form.
Building the questions of your webform
You webform is built by adding individual question types, for example checkboxes or text field elements, into the webform.
To add questions:
- Go to your webform, (click Edit if it is not already open) and select the Build tab > Elements tab.
- Click the + Add element button. You will be presented with many element types, such as Checkboxes and Text fields.
- Find the type of element you want to use and click Add element and the Add element box will open to complete the element details. By default the General tab will be displayed.
- In the General tab you will need to enter the form question, such as 'First name,' in the mandatory Title field. If the webform has multiple choice answers, such as checkboxes or radios, you will also need to add in the answer options.
- You can choose to make your question a required field in the General tab by ticking the Required box under Form validation.
- Click Save.
- The Add element pop up will close after it is saved and you will see a list of all your elements. You can drag and drop your elements to change the order of your questions. You can also check the Required box on this screen to make a question mandatory.
- Click the Save elements button at the bottom of the elements list to save your changes.
Adding logic to a Webform
To show/hide questions based on condition logic in Drupal Webforms, add Conditions to your form once all the fields have been added.
- Select the Element you want to Show or Hide based on the previous answer.
- Click on the Conditions tab.
- Select State = Hidden
- If Element = All of the following is met
- Select – the previous question that if answered will mean you need to hide this next field
- Select – The value that means you need to hide this next field, checkbox selected, field = xyz etc
- Scroll to the bottom and select Save
- Repeat for all fields you wish to hide or show based on criteria.
Adding a link to Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA) must be attached to a webform. A link to a PIA document can be added at any stage of building the webform or after the webform went live. A PIA link is a URL to your PIA document that is sent to your agency after your PIA request has been completed by the Digital Channels privacy team.
To add the link to a PIA document to your webform:
- On the Build page, you will see a Warning message indicating that the webform is missing a link to the Privacy Impact Assessment (PIA).
- You can opt to add a PIA link or continue building the webform.
- If you opted to add a PIA link, click on the Add a PIA link.
- You will be redirected to the Add link to Privacy Impact Assessment (PIA) field where you can paste in the link to the PIA document provided by the DCU privacy team.
- If you opted to continue building the webform on the Build page, the Privacy Impact Assessment (PIA) link missing message will be displayed.
- If you want to add the link now, click on the Add PIA link now button.
- You will be redirected to the Add link to Privacy Impact Assessment field where you can paste in the link to the PIA document.
- If you want to continue without adding the link, click Save and continue and raise the Privacy Impact Assessment (PIA) request within 30 days.
- Once you received the PIA link, go to the Build page of your webform, click on the Add a PIA link and follow step 5.
- Alternatively, go to the Settings page, scroll to the Third party settings > Privacy information and paste the link in the Add link to Privacy Impact Assessment (PIA) field.
Alternatively, read more on Adding a PIA link in a webform.
Adding a privacy collection notice (PCN)
To ensure all webforms on nsw.gov.au are in compliance with the Information Protection Principles (IPP) for agencies of NSW, it is now a requirement for all webforms to have a Privacy Collection Notice. Webforms without a Privacy Collection Notice now cannot be created.
To add the Privacy notice element on your webform:
- Click the + Add element button on the webform, within the Build tab > Elements tab.
- In the elements search for Privacy notice and click the + Add element to add it to your form.
- In the edit pop up add the title of Privacy notice.
- Under the heading Privacy notice settings use the drop down to select the relevant Privacy collection notice.
- Tick the Required box under the heading Form validation.
- Click the Save button to save the Privacy notice element.
Alternatively, read more on Privacy Collection Notice for webforms.
Adding the purpose for your data collection
- Scroll to and open Third party settings tab > DCS webform customisations tab > Config tab.
- Scroll to the heading Privacy information.
- In the Purpose of data collection text field add a description, in lower-case, of why you are collecting data. You should describe the action that happens when a user submits the form, for example, contacting the agency. This will populate the Privacy element correctly.
- Below the text field you can also change the Agency retention period. By default the CMS will only hold submissions for 10 days but you can make this longer or shorter depending on the policy of your agency.
- Scroll to the bottom of the page and click the Save button.
Confirmation the form has been submitted
After a customer submits their form, they should understand it has been successfully submitted.
Confirmation that the form has been sent is usually done in 2 ways:
- on the website with a confirmation message after the customer has clicked the submit button, and
- an automated email confirmation sent to the customer.
Confirmation message on the website
To edit the confirmation message:
- Go to the Settings tab > Confirmation tab, within the edit screen of your webform.
- Choose the Confirmation type or leave the default option of Page.
- Scroll to the heading Confirmation settings to add a Confirmation page title and Confirmation message.
A customised Confirmation message can include:
- details about when the customer will have their form processed by staff
- contact details for checking the progress of their form
- links to other parts of the website that may relevant to the customer.
Here is an example Confirmation page message:
Confirmation email
Customers usually expect to receive an email confirming that their webform has been submitted.
To edit the confirmation email:
- Go to the Settings tab > Emails / Handlers tab, within the edit screen of your webform.
- Click the + Add email button.
- Click the Edit button of the new email field, then scroll to the heading titled Message.
- Under the Message heading select Custom subject from the Subject dropdown. You can now write your own email subject.
- Below the Subject field, is the message field. The default message the form generates is the information that the customer provided in their form.
- To change the email message use the Body dropdown to change the message to either Custom body, or Twig template. You can then edit your email message.
- Click Save.
Custom body gives you an easy to use WYSIWYG interface to create your message. For most webforms, and editors, custom body is the best option to choose.
The twig template should only be used if you are familiar with editing HTML and webform tokens.
Form tokens are functional elements that pull data from the form the customer submitted. For example, a form token for the email address will automatically pull in the unique email address that the customer has provided in the email address field of their form.
A twig template should be used when you want to populate the confirmation email with unique data the customer has entered into the form. For example, if your webform is for your customer to choose 1 day to attend a multi-day event, using the twig template and retaining the form tokens, the customer email confirmation will show which day they are attending.
Don't use the twig template with the default tokens if your webform contains sensitive or personal information.
Using reCAPTCHA for spam protection settings
Use reCAPTCHA to reduce the chance of automated spam messages.
- Select reCAPTCHA v3 (invisible) for single page forms or reCAPTCHA v2
(visible) for multi page forms from the Handler settings section - Enter 50 in the desired reCAPTCHA score box.
Note: 50 is the recommended initial setting for reCAPTCHA score. If high levels of automated spam continue, then the score can be increased, but if set too high, it may block genuine submissions. It will not block manual spam submissions. - Replace the default error message with: 'Thank you for sending us your request. Unfortunately there was an error during validation of your request. Please try to reload the page and submit again.'
- Access Tab: Scroll down to Administer webform & submissions to assign who can edit the form and see submissions. Enter in each user you want to administer your form.
Test your webform
After you have built your webform you should check it is working as expected.
To view and test your webform:
- Go to the View tab within the webform edit screen.
- Check it is displaying as expected, then test your form.
- Go to the Test tab in the webform edit screen.
- Change the email address to your own email address to test the confirmation email. All other fields can be left with the pre-populated dummy data.
- Click the Submit button.
- Check the Confirmation page that displays after you click submit.
- Click the Back to form link.
- Go to the Results tab > Submissions tab, in your webform edit screen. You should see your test submission there.
- You can download all the submissions in the Results tab > Submissions tab or you can delete submissions in the Results tab > Clear tab.
Transferring webform submissions
The CMS does not store captured webform data because of security and privacy reasons. You will need to ensure any submissions made to your webform are transferred to a secure location.
Email and shared email boxes are not supported end points as they have been deemed not secure.
Sending webform submission data containing personal information to an email account creates a security risk for several reasons:
- Lack of encryption: Emails sent over standard protocols like SMTP are often in plain text. This means that anyone with access to the network could read the email.
- Limited control and monitoring: Email accounts usually lack the security features, logs, and access controls that are essential to protect personal information.
- Risk of data breaches: If an email account is hacked through phishing, malware, or other security incident, the personal information inside could be accessed by unauthorised people.
- Compliance issues: Under the Privacy and Personal Information Protection Act 1998 and Information Protection Principles agencies must protect personal information from unauthorised access, use, modification or disclosure. Sending personal information to an email account may not comply with these standards.
- Scalability concerns: As the number of webform submissions grows, transferring and storing personal information in email accounts becomes inefficient and more likely to result in errors.
You can transfer submissions to a location that meets the key considerations, such as:
- Sharepoint
- Salesforce
- any modern CRM product
- database products that accept one of the listed supported integrations using one of the following secure methods:
- JWT
- API Key
- OAuth.
Key considerations include:
- Secure layer transport
- Encryption at Rest
- Access Controls
- MFA
- Least privilege principals.
Contact your agency’s IT team to see what options are available to you and to help with the set-up. If you need further help from the nsw.gov.au team to set-up your webform you can submit a Content change update request.
If you require a conversation starter with your IT team here are some documented solutions that may assist.
How to add a webform to a page
To add a form to a page, go to the page and navigate to the edit screen, just as you would for adding other types of blocks.
- Click the Add block drop down and select Add Custom block.
- In the Type drop down select Advanced block.
- In the Plugin dropdown select Webform.
- Use the Webform field that is generated to search for and select the title of your webform.
- Save your page to display the webform.
Searching for webforms that have already been created
If you need to find a form that has already been created, you can find it by going to the menu and selecting Structure > Webforms > Forms and using the on-page filter to search for the webform.
Only the webform creator will be able to access the form and give access permission to others.
Giving editor access permissions to others for your form
Learn how to give another editor access to your form.
See this live on nsw.gov.au
Visit Webforms to see a live example of a form.
You can also see live examples of how agencies have applied the component to their content below:
- NSW Education Standards Authority: Make a complaint to NESA
- Visas and Migration: Update your skilled visa details
- The Cabinet Office: Minister for Agriculture, Minister for Regional NSW and Minister for Western NSW
- Contact the Far West Local Health District
- Provide your feedback: Information for Aboriginal people and Understanding cultural protocols pages
Need any more help?
If you have any questions, or require assistance with anything mentioned on this article, submit a request via the webform.