UW Privacy Office

Strategy and Initiatives

Last updated on February 1, 2023

ON THIS PAGE:

Privacy Matters

As a public university, it is important and expected that we respect, are transparent about, and protect the privacy of individuals’ information. While privacy involves ethical and legal obligations, it is ultimately about trust. If individuals do not trust us with their information, it is impossible for us to fulfill our academic, research, and healthcare missions. We owe it to those we serve to ensure that their information is handled appropriately.

Privacy by Design — A UW Value

The UW approach to privacy aims to create and uphold trusted relationships with those whose personal data allows us to serve them – our students, employees, research participants, and patients. It means we incorporate Privacy by Design by:

  • Ensuring that when we process their sensitive data, we’re reducing the risk of harm.
  • Respecting their privacy when handling their data.
  • Building/updating systems and processes to include privacy best practices.
  • Being transparent about how business processes and systems use individuals’ personal data.

The Need to Modernize Privacy at UW

The Privacy Office recently completed a privacy program assessment for the UW and a benchmarking study of emerging privacy trends in the United States, around the globe, and at 31 higher education institutions. In conclusion, institutions of higher education will increasingly be challenged to ensure privacy policies and practices are consistent with evolving individuals’ expectations of privacy and laws and regulations related to personal data. This includes the need for clear, coherent, comprehensive, and cohesive privacy program to successfully address:

  • The interoperability of shifting, expanding global, national, and state privacy laws.
  • Emerging technologies with profound privacy implications (e.g., facial recognition, artificial intelligence, and automated decision-making).
  • Increasing citizen and stakeholder expectations for privacy and data protection.

Our stakeholders will look to us to be exemplary stewards of their personal data in this changing environment.

The Need to Modernize Privacy Policy and Practices at UW

The UW Privacy Policy was last updated in 2012. As a result, the Privacy Office is leading an effort to update UW policies and practices to meet evolving expectations from individuals, keep pace with new technology, and comply with a shifting landscape of external obligations and requirements. The revisions to the privacy policy and practices will help the UW:

  • Establish values and Privacy Principles for processing (i.e., collecting, accessing, using, analyzing, sharing, and storing) personal data.
  • Create a foundation for the ethical use of personal data.
  • Address the interoperability of requirements in various laws and regulations, evolving technology, and constituents’ expectations.
  • Align with industry best practices for privacy and personal data protection.
  • Leverage higher education best practices for privacy and personal data protection.

The Privacy Steering Committee, established in 2019, reviewed, revised, and endorsed the policy in 2020. The membership of the committee includes individuals with subject matter expertise across the University.

Strategic Initiatives 2022-2024

To update and streamline the way we approach privacy at UW — and assist units in shifting away from a resource-intensive, siloed approach — we need a cohesive approach that looks at interoperability of expectations, technology, and numerous requirements.

A revised policy (APS 2.2), vetted by the Privacy Steering Committee, requires UW organizations that collect, access, use, analyze, share, and store personal data to:

  • Designate Privacy Partners who collaborate with the Privacy Office and provide local subject matter expertise for UW organizations.
  • Inventory personal data processing activities with the Privacy Office.
  • Assess high-risk processing activities (e.g., use of artificial intelligence, biometric, demographic data).
  • Include privacy terms and conditions in third-party contracts.
  • Include privacy in business and system design to avoid risk of harms to individuals and future data breaches at UW.
  • Be transparent with constituents about the purpose and use of their personal data through privacy notices and consent forms.
  • Use personal data according to UW privacy policies and standards.

A new data inventory and assessment system everyone can use, called TrustArc, will assist units with their responsibility for managing personal data at UW. The TrustArc platform will:

  • Create a comprehensive inventory of third parties/vendors/partners, systems, and business processes that involve personal data.
  • Walk individuals through the process of building privacy into the design of their systems and business processes.
  • Include prompts that create clarity about the purpose, use, and types of personal data processed at UW, and who is responsible and accountable for managing them.
  • Include standardized privacy assessment tool for assessing high-risk activity, which takes pressure off individuals to evaluate risk in isolation.

Support for the change includes training, tools, and on-demand resources that will involve a University-wide change management effort focused on the people, process, technology, policy, and (in some instances) culture change. Resources developed by the Privacy Office are available now or coming soon include:

  • Comprehensive Training Curriculum – Foundational training to raise general awareness and specialized training to support individuals working with personal data and managing privacy in the TrustArc platform.
  • Supporting Resources – New and updated information on workflows and tools for including privacy in the design of UW projects, business processes, and systems that include personal data.
  • Guidance and Templates for Implementing Policy – Policy and related guidance that reflect industry best practices, laws and regulations, and public sentiment, including implementation resources for UW personnel as well as information for students and the public.
  • A redesigned website – A more user-friendly site to house training, tools, and on-demand resources as well as foundational information about the UW’s approach to privacy, the role we all play in protecting personal data, and what to do when things go wrong.

A phased approach to communicating changes and sharing resources will be implemented in 2022-2024. After informing senior leadership, the Privacy Office will take a phased approach to roll out upcoming changes and supporting resources.