UW Privacy Office

Confidential Data Risk Guide Overview

Announcing the Retirement of the UW Confidential Data Risk Guide (CDRG)

Following consultation with numerous UW partners about priorities, capacity, and conditions, the UW Privacy Office will retire the “UW Confidential Data Risk Guide” (CDRG) on Friday, March 1, 2019.

The CDRG was initially developed in partnership with UW Information Technology (UW-IT) and the Office of the Chief Information Security Officer (CISO) to help UW employees make informed decisions about how to properly protect and manage UW confidential data when using UW and/or third-party systems and services. While this need continues, maintenance of the CDRG has demanded increasing levels of resources and expertise across the UW to: keep the guidance up to date; identify and prioritize possible systems and services to add to the CDRG; evaluate corresponding requirements, controls and contract language; and capture the associated advice/guidance in the CDRG.

Given current priorities in UW-IT, Office of the CISO, and UW Privacy Office, there are no longer resources available to sustain the CDRG. The leadership from these offices has collectively decided to retire the CDRG in order to invest their limited resources into other higher-priority initiatives.

Please direct future inquiries regarding IT systems and services, information security, or policies and practices to help@uw.edu.

For information about the collection or use of personal data, incidents or data breaches involving personal data, or privacy-related policies and practices, please contact the UW Privacy Office at uwprivacy@uw.edu.

Description:

The UW Confidential Data Risk Guide (CDRG) is intended to help you make informed decisions about protecting UW Confidential data. It has not been designed as a step-by-step workflow process, but as a flexible tool that allows you to find information and guidance.

A logical starting place is to select the type of confidential data you are working with. You may select one or multiple types. Click a data type's button to view its definition.

You will be presented with the definition, as well as any known applicable law(s) or regulation(s) governing that data type.

Once you have selected all the data types of interest, you may select or search for a specific service. With the data type(s) and a service selected, you will be presented with the following guidance:

  • An evaluation of whether the combination of data type(s) and specific service is Allowed, Restricted, or Not Allowed. (See definitions in the FAQs below.)
  • A list (if applicable) of restrictions you are required to implement prior to use.

Please note that the guidance provided by CDRG is not intended to grant permission to use a service or publicly share or publish data without the appropriate risk evaluation and UW Data Custodian approval.

Confidential Data Risk Guide FAQs

1. How do I use this guidance?

This risk guide is intended to help you make informed decisions about protecting UW Confidential data while using computing services—whether offered by the UW or outside providers.

You may search or select via service or data type. The guide will indicate if the combination of service and data type is:

  • Allowed
  • Restricted
  • Not allowed

Regardless of the result, guidance on the safe use of the service may be presented. Where the result is Not allowed, we have made efforts to explain why.

2. If a service is listed as allowed, does it mean I can freely use it?

No. Due care about sharing and protecting UW Confidential data remains important. The detailed view may provide specific guidance regarding secure use of the service. Nonetheless, other security controls may be necessary in order to safely use a specific service. For more information on the appropriate controls, refer to the UW Policies, Standards, and Guidelines. Your risk management decisions should be documented. The UW Privacy Office and Office of the CISO are available for further consultation.

Neither this risk guide nor the confidential data types should be misconstrued as granting permission to use services, or to publicly share or publish data, that are not included therein.

3. What does it mean if a service is listed as Restricted?

Restricted means specific guidance and restrictions have been published within the CDRG. The detailed view will list the specific guidance and restrictions regarding the use of the service. Nonetheless, additional controls may be necessary in order to safely use a specific service. For more information on the appropriate controls, refer to the UW Policies, Standards, and Guidelines. Your risk management decisions should be documented. The UW Privacy Office and Office of the CISO are available for further consultation.

Neither this risk guide nor the confidential data types should be misconstrued as granting permission to use services, or to publicly share or publish data, that are not included therein.

4. Why was this guide created?

Virtually every day a new computing product or service becomes available. For this reason we created the Confidential Data Risk Guide. It is intended to help you make informed decisions about protecting UW Confidential data while using computing services.

Not all possible services are listed or otherwise included in the guidance. If you don’t see the service you are considering, see #5 below.

5. What should I do if a service is not listed?

Contact uwprivacy@uw.edu and provide detailed information such as:

  • The provider of the service
  • Name of the service
  • Data type you are working with
  • Whether or not you have a signed agreement/contract with the service provider
  • Any other relevant information

6. What should I do if I don’t find a matching data type?

The Other Confidential data type may be the closest match; however, if you believe the data type needs to be included as its own type, please contact uwprivacy@uw.edu.

7. What is UW Confidential Data?

The UW Confidential data type identifies the data entrusted to UW that must be protected according to laws or regulations that bestow an information security or privacy obligation on the UW. Additionally, the information security and privacy policies identify the controls or safeguards needed to appropriately protect institutional information.

You may select one or multiple types of data. Each type is defined; simply click on the data type button and you will be presented with the definition and any known applicable law(s) or regulation(s) governing that data type.

8. How will I know if the guidance changes?

Check this guide periodically. If a major service change occurs, we will communicate through the “Expansive Thinking” section on our home page, the Privacy contacts list, and, as needed, other communication channels. To subscribe to our contacts list, email uwprivacy@uw.edu.
