UW Privacy Office

Confidential Data Risk Guide Overview


The UW Confidential Data Risk Guide (CDRG) is intended to help you make informed decisions about protecting UW Confidential data. It has not been designed as a step-by-step workflow process, but as a flexible tool that allows you to find information and guidance.

A logical starting place is to select the type of confidential data you are working with. You may select one or multiple types. Click the button to view the definition for that data type.

You will be presented with the definition, as well as any known applicable law(s) or regulation(s) governing that data type.

Once you have selected all the data types of interest, you may select or search for a specific service. With the data type(s) and a service selected, you will be presented with the following guidance:

  • An evaluation of whether the combination of data type(s) and specific service is Allowed, Restricted, or Not Allowed. (See definitions in the FAQs below.)
  • A list (if applicable) of restrictions you are required to implement prior to use.

Please note that the guidance provided by CDRG is not intended to grant permission to use a service or publicly share or publish data without the appropriate risk evaluation and UW Data Custodian approval.


Confidential Data Risk Guide FAQs

1. How do I use this guidance?

This risk guide is intended to help you make informed decisions about protecting UW Confidential data while using computing services—whether offered by the UW or outside providers.

You may search or select via service or data type. The guide will indicate if the combination of service and data type is:

  • Allowed
  • Restricted
  • Not allowed

Regardless of the result, guidance on the safe use of the service may be presented. If Not allowed is the result, we have made efforts to explain why.

2. If a service is listed as allowed, does it mean I can freely use it?

No. Due care about sharing and protecting UW Confidential data remains important. The detailed view may provide specific guidance regarding secure use of the service. Nonetheless, other security controls may be necessary in order to safely use a specific service. For more information on the appropriate controls, refer to the UW Policies, Standards, and Guidelines. Your risk management decisions should be documented. The UW Privacy Office and Office of the CISO are available for further consultation.

Neither this risk guide nor the confidential data types should be misconstrued as granting permission to use services, publicly share, or publish data that is not included therein.

3. What does it mean if a service is listed as Restricted?

Restricted means specific guidance and restrictions have been published within the CDRG. The detailed view will list the specific guidance and restrictions regarding the use of the service. Nonetheless, additional controls may be necessary in order to safely use a specific service. For more information on the appropriate controls, refer to the UW Policies, Standards, and Guidelines. Your risk management decisions should be documented. The UW Privacy Office and Office of the CISO are available for further consultation.

Neither this risk guide nor the confidential data types should be misconstrued as granting permission to use services, publicly share, or publish data that is not included therein.

4. Why was this guide created?

Virtually every day a new computing product or service becomes available. For this reason we created the Confidential Data Risk Guide. It is intended to help you make informed decisions about protecting UW Confidential data while using computing services.

Not all possible services are listed or otherwise included in the guidance. If you don’t see the service you are considering, see #5 below.

5. What should I do if a service is not listed?

Contact uwprivacy@uw.edu and provide detailed information such as:

  • The provider of the service
  • Name of the service
  • Data type you are working with
  • Whether or not you have a signed agreement/contract with the service provider
  • Any other relevant information

6. What should I do if I don’t find a matching data type?

The Other Confidential data type may be the closest match; however, if you believe the data type needs to be included as its own type, please contact uwprivacy@uw.edu.

7. What is UW Confidential Data?

The UW Confidential data type identifies the data entrusted to UW that must be protected according to laws or regulations that bestow an information security or privacy obligation on the UW. Additionally, the information security and privacy policies identify the controls or safeguards needed to appropriately protect institutional information.

You may select one or multiple types of data. Each type is defined; simply click on the data type button and you will be presented with the definition and any known applicable law(s) or regulation(s) governing that data type.

8. How will I know if the guidance changes?

Check this guide periodically. If a major service change occurs, we will communicate through the “Expansive Thinking” section on our home page, the Privacy contacts list, and, as needed, other communication channels. To subscribe to our contacts list, email uwprivacy@uw.edu.

Resources