UW Privacy Office


UW Privacy Office members collaborate with other UW units to provide resources that support the UW’s efforts to balance privacy risk when entering into agreements found on this page. If you don’t find a good fit for the type of agreement you are seeking or need customization, please email uwprivacy@uw.edu.

Providing Notice or Obtaining Consent for Collection and Use of Identifiable Information or Personal Data

Given that an individual may have one or more relationships with the UW, such as a child/youth, student, patient, human subject, donor, or employee, we give careful consideration to the privacy principle of user choice and whether the UW will allow individuals to opt-in or opt-out of providing their personal data or individually identifiable information. UW Privacy is coordinating with other UW units to identify best practices and create a repository of notice and consent forms that can be used by UW units. See Obtain Consent and Provide Privacy Notice under the “Privacy by Design” menu above for additional guidance.

Third Party Agreements

Completing a written data protection agreement with a third party about personal data processing prior to such processing will help establish clear terms about purpose, use and protection of the personal data, and will clarify associated roles and responsibilities.  In some instances, such as under the European Union’s General Data Protection Regulation (EU GDPR), written third party agreements are required between those acting as “Controllers” (those who make decisions about purpose, use and protection of the data) and those acting as “Processors” (those processing data at someone else’s direction).

Business Associate Agreement

A Business Associate is identified as an entity or individual who: is not a workforce member of the UW; will be or is performing a service or activity “for” or “on behalf of” the UW or UW Medicine, and; is or will be offering services that involve the use or disclosure of Protected Health Information (PHI). If a third party or partner meets the Business Associate criteria, a Business Associate Agreement (BAA) is required.

Personal Data Processing Agreement (PDPA)

The UW Personal Data Processing Agreement (PDPA document pending) supports the UW’s values and privacy principles. It sets forth the UW’s expectations for protecting University Personal Data and managing privacy related risk when the UW is contracting with third parties.

The Vice Presidents, Vice Provosts, Deans, and Chancellors are accountable for managing risk in their organizational units, including the risk related to units’ use of personal data. The PDPA helps units balance risk and address external requirements in various laws and regulations. The agreement is required when a UW unit makes decisions about the purpose and use of University Personal Data in Data Processing with third parties. Exhibit 1 of the agreement must be completed by the UW unit initiating and making decisions about the third-party partnership or contract.

The Privacy Office is providing PDPA information sessions to assist with the transition to the new agreement.

Data Security and Privacy Agreement (Pending revision)

For privacy purposes, the Personal Data Processing Agreement (PDPA) replaces the Data Security and Privacy Agreement (DSPA).  The Office of the Chief Information Security Officer (CISO) is developing a standard agreement for information security purposes.

Agreement for Data Processing Services (Agreement template pending)

The Agreement for Data Processing Services (ADPS) captures UW’s responsibilities when processing personal data under the direction of another organization. A written ADPS is required when a UW unit is identified as a “Processor” of personal data about people living in the European Union (see the UW Standard for the European Union General Data Protection Regulation).

UW Privacy Agreement Workflow 

Consult the UW Privacy Agreement Workflow to determine whether you must complete a PDPA, an ADPS, or consult with the UW Privacy Office to identify the best agreement to use under the circumstances.

Contract/Agreement/Project Workflow

Confidentiality Agreements

There are many types and versions of Confidentiality Agreements at the University. UW Privacy is coordinating with other UW units to create a repository of confidentiality agreements that can be used by UW units or members.

Access and Use Agreements

In an effort to provide clear, concise, and consistent Access and Use Agreements for UW computing system users, the UW has a standard agreement. This agreement is already in place for a number of central systems, and has already been reviewed by the UW Division of the Attorney General’s Office. If the language needs to be modified to meet a specific need, then please call or email uwprivacy@uw.edu to discuss.