UW Privacy Office

Inventory Data

Last updated on December 22, 2023

ON THIS PAGE:


Overview

To better assist all areas of the University in our shared responsibility to protect personal data, the UW Privacy Office is leading an effort to create a centralized, standardized, and maintained inventory of business processes, systems, and third-party relationships. The data inventory is used to help all areas of the University manage impacts and risks associated with their work activities involving personal data. The collaborative process we are implementing to build our institutional data inventory supports our Office’s goal of building awareness about UW’s Privacy Principles and the Privacy by Design framework.

Benefits

A data inventory helps all areas of the University:

  • Aggregate essential information for strategic, tactical, and operational decisions at UW.
  • Identify and document the accountable and responsible individuals for the business process, system, and third-party relationships through an enterprise-wide data inventory.
  • Inventory and map the flow of data across the UW and with third parties.
  • Create a common understanding about where, how, and why personal data are processed (e.g., collected, used, managed etc.).
  • Evaluate how the use of personal data aligns with the University’s Privacy Principles and addresses our academic, humanitarian, ethical, and legal obligations.

Starting in autumn 2022, please view the Data Inventory Hub as your workspace for documenting information about your unit’s third-party relationships, systems, and business processes. UW Units will be required to create an inventory of the systems, business processes, and third-party relationships that they are responsible for in the TrustArc Privacy Management Platform.

Step 1: Learn about the UW Data Inventory

Please review the Data Inventory 101 videos for high-level overview of the UW Data Inventory.

The Data Inventory Hub in TrustArc hosts three types of records that document third-party relationships, systems, and business processes associated with data processing. You only need to create records for the third-party relationships that you are responsible for and the systems and business processes that you own. Both new and existing data processing need to be inventoried.

TrustArc defines these terms as follows:

Third party
Within TrustArc, a third party can be a partner or a vendor. A partner is generally any third party that is not a vendor (such as a sponsor or affiliate). A vendor is a supplier or service provider that provides technology or expertise to an organization for a given business purpose (e.g, Salesforce).
System
An application, database, or other technological system or process that processes data for a particular business purpose (e.g, CRM software).
Business process
An operation within a company that processes data for a specific business purpose (e.g., HR recruiting, marketing, student admissions, research, etc.) by using one or more systems to process data.

Step 2: Plan your approach

General project plan

  • Identify who will be involved.
  • Decide if you want TrustArc access or will use business process questionnaires to create records.
  • Review training resources.
  • Develop workflows:
  • Prioritize existing items to inventory.
  • Gather information to complete records.
  • Create, complete, and maintain inventory records.

Step 3: Prepare to inventory existing items

Identify existing items that need to be inventoried by your unit

  • What business processes involve personal data?
  • What systems involve personal data? Does your unit own or use the system?
  • What third parties are involved?
    • Vendors?
    • Who do you share data with?
    • Who do you receive data from?

Tips

  • Only inventory what your unit owns/is responsible for.
  • If you own a related third-party relationship, system, and business process, inventory them in that order.
  • If you don’t, link to the relevant record created by the unit that owns the third-party relationship or system.

Step 4: Request a business process questionnaire or direct TrustArc access

Once you know who will be involved, decide on the inventory pathway that makes sense for your team. There are two pathways to create data inventory records. You may decide to choose one route or combine the two approaches strategically to collaboratively inventory items with your colleagues. It could, for example, make sense for individuals who manage IT units to have TrustArc direct access, and for units that are primarily responsible for business processes to use the business process questionnaires. You can also start with one pathway and change at a later date.

Business process questionnaire

Last updated on December 22, 2023

The business process questionnaire route relies on a form that is sent to assignees via an email initiated by the Privacy Office.

  • Ideal for units with few items to inventory, or that only have business processes to inventory.
  • You do not need access to the TrustArc system to complete the form, but without TrustArc access you will not be able to access the final record or risk profile.
  • Request a business process form each business process that needs to be inventoried by emailing uwprivacy@uw.edu a list of business processes or a completed UW Data Inventory Project Plan 2.0. Please include the first and last name and UW email address of the UW employee(s) who will complete the business process questionnaire.
  • Guidance for business process questions is built-in to the form. While system and third parties can be inventoried using the form, the Data Inventory User Guide will be needed for a list of required fields and guidance.

Direct access to TrustArc

Last updated on December 22, 2023

Direct access to TrustArc is ideal for units with many records to inventory, especially third parties and systems, or who want insight into the risks associated with their data processing.

  • Submit a TrustArc access request form to get the access approval process started.
  • Use the Data Inventory User Guide and accompanying checklists for a list of required fields and guidance.
  • Edit any of your records at any time and access a complete list of the items you’ve inventoried.
  • Review the risk profile associated with your organization/unit.

Step 5: Create records

How to create third party, system, and business process records

Review these resources to learn how the data inventory in TrustArc functions as well as required information for completing third party, system, and business process records.

Step 6: Update periodically

Please review and update your records on a regular basis. This includes updating records when a contract expires and when systems move from design to production or to decommissioned status.

To ensure that the data inventory can assess risk accurately, the Privacy Office will send reminders to validate your records (timing to be determined).