UW Privacy Office

Agreements

ON THIS PAGE:


Overview

There are various types of agreements that help uphold UW’s privacy principles, establish clear accountability, and protect data. The following is a high-level summary of the UW’s privacy or data-related agreements.

Internal UW Agreements

Access and Use Agreements

The Access and Use Agreement provides clear, concise, and consistent information about individuals’ access and right to use UW information systems and UW institutional information. It describes individuals’ responsibilities for protecting the privacy and security of all UW data they use regardless of how or where data are created, managed, or stored. This agreement is used by various information systems at UW.

Internal Data Processing Memorandum of Understanding

The UW’s Internal Data Processing Memorandum of Understanding (MOU) is an MOU between two or more UW units. This MOU should be used when the parties to the MOU are internal to the UW and the:

  • Data Processing involves special categories of Personal Data as defined in the Glossary of Privacy Terms;
  • Data Processing is high-risk processing as defined by the Privacy Steering Committee and published on our Privacy Assessments webpage;
  • UW Unit(s) and/or governance group have an interest or need to clarify purpose of Data Processing; and/or
  • UW Unit(s) and/or governance group have an interest or need to clarify roles and responsibilities or data protection requirements.

Internal Data Processing MOU

The Internal Data Processing MOU was developed collaboratively with the HR Data Domain Council and reviewed by the Attorney General’s Office, Privacy Steering Committee, and Board of Deans and Chancellors.

Third Party Agreements

Business Associate Agreement

A Business Associate is identified as an entity or individual who:

  • is not a workforce member of the UW;
  • will be or is performing a service or activity “for” or “on behalf of” the UW or UW Medicine, and;
  • that service or activity involves the use or disclosure of Protected Health Information (PHI).

HIPAA requires a Business Associate Agreement (BAA) with each Business Associate. UW Medicine maintains the UW Business Associate Agreement and provides support for its use.

Data Processing Agreement

The UW Data Processing Agreement (DPA) is an agreement between the UW and a Third Party. The DPA helps establish the purpose and parameters for Data Processing and clarifies roles and responsibilities. In some instances, such as when Data Processing is governed by a law or regulation, a written DPA is required.

Review the DPA webpage for more information about, and for resources available to assist UW units with the DPA.

Retired Agreements

Personal Data Processing Agreement

The Personal Data Processing Agreement (PDPA) was retired in 2021 and replaced with the Data Processing Agreement for certain third-party agreements that involve Personal Data. The PDPA was a comprehensive privacy rider and a direct precursor to the current DPA. As part of our continuous process improvement efforts, significant changes were addressed in the shift to the DPA. Contracts that rely on PDPA terms should be reviewed and updated as appropriate.

Data Security and Privacy Agreement

The Data Security and Privacy Agreement (DSPA) was retired in 2018 and replaced with the Data Processing Agreement for certain third-party agreements that involve Personal Data.