UW Privacy Office


Internal Agreements

Access and Use Agreements

The Access and Use Agreement provides clear, concise, and consistent information about individuals’ access to and right to use UW information systems and UW institutional information. It states that individuals are responsible for protecting the privacy and security of all UW data they use from information systems to which they are given access regardless of how or where data are created, managed, or stored. This agreement is used by various information systems at UW.

External Agreements

A written agreement establishes the purpose and parameters for data processing and clarifies roles and responsibilities between the UW and a third-party.

In some instances, such as when data processing is governed by a law or regulation, written data processing agreements are required between a “Controller” (a person or entity that makes decisions about the means and purpose of data processing) and a “Processor” (a person or entity that engages in data processing on a controller’s behalf).

Use the flowcharts below to determine:

  • If a third-party data processing agreement is required (review the Privacy Agreement Workflow 1); and
  • If required, then which third-party data processing agreement should be used (review the Privacy Agreement Workflow 2).

Privacy Agreement Workflow 1

Privacy Agreement Workflow 1

Privacy Agreement Workflow 1

Privacy Agreement Workflow 2

Privacy Agreement Workflow 2 [PDF]

Privacy Agreement Workflow 2

Privacy Agreement Workflow 2

Business Associate Agreement

A Business Associate is identified as an entity or individual who:

  • is not a workforce member of the UW;
  • will be or is performing a service or activity “for” or “on behalf of” the UW or UW Medicine, and;
  • is or will be offering services that involve the use or disclosure of Protected Health Information (PHI)

If a third party or partner meets the Business Associate criteria, a Business Associate Agreement (BAA) is required.

Data Security and Privacy Agreement

The Data Security and Privacy Agreement (DSPA) was retired and replaced with the Data Processing Agreement (described below) for certain third-party agreements that involve personal data.

Data Processing Agreement

A Data Processing Agreement (DPA) helps uphold UW’s values and principles related to privacy and addresses laws and regulations that govern the protection of personal data.

Review the DPA webpage for more information about, and for resources available to assist UW departments and units with, DPAs.

Review the TrustArc Privacy Management Platform webpage to learn how to register third party data processing.