UW Privacy Office

Agreements

UW Privacy Office members collaborate with other UW units to provide resources that support the UW’s efforts to balance privacy risk when entering into agreements found on this page. If you don’t find a good fit for the type of agreement you are seeking or need customization, please email uwprivacy@uw.edu.

Providing Notice or Obtaining Consent for Collection and Use of Identifiable Information or Personal Data

Given that an individual may have one or more relationships with the UW, such as a child/youth, student, patient, human subject, donor, or employee, we give careful consideration to the privacy principle of user choice and whether the UW will allow individuals to opt-in or opt-out of providing their personal data or individually identifiable information. UW Privacy is coordinating with other UW units to identify best practices and create a repository of notice and consent forms that can be used by UW units. See Obtain Consent and Provide Privacy Notice under the “Privacy by Design” menu above for additional guidance.

Third Party Agreements

Completing a written data protection agreement with a third party prior to sharing data will help establish clear terms about purpose, use and protection of the personal data, and will clarify associated roles and responsibilities. In some instances, such as under the European Union’s General Data Protection Regulation (EU GDPR), written third party agreements are required between those acting as “Controllers” (those who make decisions about purpose, use and protection of the data) and those acting as “Processors” (those processing data at someone else’s direction).

Business Associate Agreement

A Business Associate is identified as an entity or individual who: is not a workforce member of the UW; will be or is performing a service or activity “for” or “on behalf of” the UW or UW Medicine; and is or will be offering services that involve the use or disclosure of Protected Health Information (PHI). If a third party or partner meets the Business Associate criteria, a Business Associate Agreement (BAA) is required.

Data Security and Privacy Agreement (Pending revision)

The Data Security and Privacy Agreement (DSPA) supports the mission of the UW to preserve, advance, and disseminate knowledge by setting the UW’s preferred information security and privacy terms in third party vendor agreements. A written DSPA is required when a UW unit is identified as a “Controller” of personal data about people living in the European Union (see the UW Standard for the European Union General Data Protection Regulation).

Agreement for Data Processing Services (Agreement template pending)

The Agreement for Data Processing Services (ADPS) captures UW’s responsibilities when processing personal data under the direction of another organization. A written ADPS is required when a UW unit is identified as a “Processor” of personal data about people living in the European Union (see the UW Standard for the European Union General Data Protection Regulation).

UW Agreement Workflow for EU GDPR

Consult the Agreement Workflow for EU GDPR to determine whether you must complete a DSPA or an ADPS, or should consult with the UW Privacy Office to identify the best agreement to use under the circumstances.

Contract/Agreement/Project Workflow

Confidentiality Agreements

There are many types and versions of Confidentiality Agreements at the University. UW Privacy is coordinating with other UW units to create a repository of confidentiality agreements that can be used by UW units or members.

Access and Use Agreements

In an effort to provide clear, concise, and consistent Access and Use Agreements for UW computing system users, the UW has a standard agreement. This agreement is already in place for a number of central systems, and has already been reviewed by the UW Division of the Attorney General’s Office. If the language needs to be modified to meet a specific need, then please call or email uwprivacy@uw.edu to discuss.