UW Privacy Office


Internal Agreements

Access and Use Agreements

The Access and Use Agreement provides clear, concise, and consistent information about individuals’ access to and right to use UW information systems and UW institutional information. It states that individuals are responsible for protecting the privacy and security of all UW data they use from information systems to which they are given access regardless of how or where data are created, managed, or stored. This agreement is used by various information systems at UW.

External Agreements

A written agreement establishes the purpose and parameters for data processing and clarifies roles and responsibilities between the UW and a third-party.

In some instances, such as when data processing is governed by a law or regulation, written data processing agreements are required between a “Controller” (a person or entity that makes decisions about the means and purpose of data processing) and a “Processor” (a person or entity that engages in data processing on a controller’s behalf).

Use the flowcharts below to determine:

  • If a third-party data processing agreement is required (review the Privacy Agreement Workflow 1); and
  • If required, then which third-party data processing agreement should be used (review the Privacy Agreement Workflow 2).

Privacy Agreement Workflow 1

Privacy Agreement Workflow 1

Privacy Agreement Workflow 1

Privacy Agreement Workflow 2

Privacy Agreement Workflow 2 [PDF]

Privacy Agreement Workflow 2

Privacy Agreement Workflow 2

Business Associate Agreement

A Business Associate is identified as an entity or individual who:

  • is not a workforce member of the UW;
  • will be or is performing a service or activity “for” or “on behalf of” the UW or UW Medicine, and;
  • is or will be offering services that involve the use or disclosure of Protected Health Information (PHI)

If a third party or partner meets the Business Associate criteria, a Business Associate Agreement (BAA) is required.

Data Security and Privacy Agreement

The Data Security and Privacy Agreement (DSPA) was retired and replaced with the Personal Data Processing Agreement (described below) for certain third-party agreements that involve personal data.

Personal Data Processing Agreement

The Personal Data Processing Agreement (PDPA) helps uphold UW’s values and principles related to privacy and addresses laws and regulations that govern the protection of personal data.

A PDPA is required when a UW department or unit:

  • Makes decisions about the purpose and means for processing personal data; and
  • Engages a third-party for data processing, such as sharing, storing, or providing access to personal data.

UW Administrative Policy Statement 2.4 Information Security and Privacy Roles, Responsibilities, and Definitions states that vice presidents, vice provosts, deans, chancellors, and other individuals with delegated executive authority are responsible for risks, compliance obligations, budgets, and financial costs associated with privacy in their organizational area(s). Accordingly, these individuals, or their designee(s), are responsible for making decisions about PDPA-related risks.

Review the PDPA webpage for more information about, and for resources available to assist UW departments and units with, the PDPA.