UW Privacy Office

Data Inventory

Overview

To better assist all areas of the University in our shared responsibility to protect personal data, the UW Privacy Office is leading an effort to create a centralized, standardized, and maintained inventory of the business processes, systems, and third-party relationships. The collaborative process we are implementing to build our institutional data inventory supports our Office’s goal of building awareness about UW’s Privacy Principles and the Privacy by Design framework.

Benefits

A data inventory helps all areas of the University:

  • Aggregate essential information for strategic, tactical, and operational decisions at UW.
  • Identify and document the accountable and responsible individuals for business processes, systems, and third-party relationships through an enterprise-wide data inventory.
  • Inventory and map the flow of data across the UW and with third parties.
  • Create a common understanding about where, how, and why personal data are processed (e.g., collected, used, managed).
  • Evaluate how the use of personal data aligns with the University’s Privacy Principles and addresses our academic, humanitarian, ethical, and legal obligations.

UW units will be required to create, in the TrustArc Privacy Management Platform, an inventory of the systems, business processes, and third-party relationships that they are responsible for.

Step 1: Learn what to inventory

The Data Inventory Hub in TrustArc hosts three types of records that document third-party relationships, systems, and business processes associated with data processing. You only need to create records for the third-party relationships that you are responsible for and the systems and business processes that you own.

TrustArc defines these terms as follows:

Third party
Within TrustArc, a third party can be a partner or a vendor. A partner is generally any third party that is not a vendor (such as a sponsor or affiliate). A vendor is a supplier or service provider that provides technology or expertise to an organization for a given business purpose (e.g., Salesforce).
System
An application, database, or other technological system or process that processes data for a particular business purpose (e.g., CRM software).
Business process
An operation within a company that processes data for a specific business purpose (e.g., HR Recruiting, Marketing, Student Admissions) by using one or more systems to process data.

Step 2: Plan your approach

Both new and existing data processing need to be inventoried.

General project plan

  • Identify who will be involved.
  • Take training.
  • Develop workflows:
    • Identify existing items to be inventoried. Any time existing data processing has not yet been inventoried, your unit needs to inventory the third-party relationships, business processes, and/or systems involved.
    • Plan to inventory new items as needed. Any time you are planning a new form of data processing, which may involve existing or new relationships with a third party, business process, and/or system, you will need to create records in the data inventory.
  • Prioritize existing items to inventory and gather information.

Prepare to inventory existing items

Identify existing third-party relationships, systems, and business processes that need to be inventoried.

Review your unit’s business activities:

  • When do you work with personal data?
  • What systems are involved?
  • What third parties are involved?

Review the systems your unit owns:

  • What third parties are involved?
  • Do other units use the system you own? If yes, inventory early.

Tips:

  • Only inventory what your unit owns/is responsible for.
  • If you own a related third-party relationship, system, and business process, inventory them in that order.
  • If you don’t own the third-party relationship or system, link to the relevant record created by the unit that owns it.

Inventory timeline goalposts

  • December 2022: Academic data, high-risk data processing, and business processes, systems, and/or third-party relationships that the Privacy Office communicates to units as needing to be inventoried.
  • February 2023: Youth and human resources data.
  • April 2023: Advancement data.
  • June 2023: Research data.
  • August 2023: Finance data.
  • October 2023: Property and space management data.

Step 3: Request access and get started

For more information about access to the Data Inventory Hub and how to proceed with creating third party, system, and business process records, please visit our Data Inventory User Guide.

Starting in autumn 2022, please view the Data Inventory Hub as your workspace for documenting information about your unit’s third-party relationships, systems, and business processes. Our Data Inventory User Guide provides more detail about the kinds of information that are required by TrustArc and identified as essential for UW units to inventory, as well as resources to help you get started. You will be able to save your work in progress and return to complete the record if needed.

Please prepare accordingly by registering to attend a TrustArc training and support session.

Step 4: Review and fill in the gaps

After you have drafted your third party, system, and business process records, be sure to review the information for accuracy and completeness.

Step 5: Complete records

Third party and system records do not need to be sent to the Privacy Office after you complete them. Let business process owners using your system know that you have completed the record.

Business process records should be sent to the Privacy Office after they are complete, following the steps outlined in the Data Inventory User Guide.

If the data processing is high risk, we will send you a privacy assessment to complete. If the data processing is not high risk, no further action is needed.

Step 6: Update periodically

To ensure that the data inventory can assess risk accurately, please periodically review and update your records. This includes updating records when a contract expires and when systems move from design to production or to decommissioned status.

Example use cases

Unit responsible for managing the third-party relationship, owns the system, and owns the business process:

  • Identifies data processing to inventory following the inventory timeline in Step 2.
  • Creates records in the following order: Third party, system, and then business process.

Unit responsible for managing the third-party relationship and/or owns a system that is used by other units for their business processes:

  • Identifies data processing to inventory following the inventory timeline in Step 2.
  • Within those data processing domains, prioritizes the third-party relationships and/or systems that are used by the most units.
  • If needed, communicates to business process owners using their third party or systems that the records are complete in TrustArc.

Unit owns a business process that relies on a system owned by another unit:

  • Identifies data processing to inventory following the inventory timeline in Step 2.
  • If needed, updates the business process record when the third party and system records are completed by the owning unit.