UW Privacy Office

Data Inventory

Overview

To better assist all areas of the University in our shared responsibility to protect personal data, the UW Privacy Office is leading an effort to create a centralized and standardized inventory of the business processes, systems, and third-party relationships. The collaborative process we are implementing to build our institutional data inventory supports our Office’s goal of building awareness about UW’s Privacy Principles and the Privacy by Design framework.

Benefits

A data inventory helps all areas of the University:

  • Aggregate essential information for strategic, tactical, and operational decisions at UW.
  • Identify and document the accountable and responsible individuals for business processes, systems, and third-party relationships through an enterprise-wide data inventory.
  • Inventory and map the flow of data across the UW and with third parties.
  • Create a common understanding about where, how, and why personal data are processed (e.g., collected, used, managed, etc.).
  • Evaluate how the use of personal data aligns with the University’s Privacy Principles and addresses our academic, humanitarian, ethical, and legal obligations.

UW Units will be required to create an inventory of the systems, business processes, and third-party relationships in the TrustArc Privacy Management Platform.

Step 1: Learn what to inventory

The Data Inventory Hub in TrustArc hosts three types of records that document third-party relationships, systems, and business processes associated with data processing, which should be inventoried in the order below. TrustArc defines these terms as follows:

Third Party
Within TrustArc, a third party can be a partner or a vendor. A partner is generally any third party that is not a vendor (such as a sponsor or affiliate). A vendor is a supplier or service provider that provides technology or expertise to an organization for a given business purpose (e.g., Salesforce).
System
An application, database, or other technological system or process that processes data for a particular business purpose (e.g., CRM software).
Business Process
An operation within a company that processes data for a specific business purpose (e.g., HR Recruiting, Marketing, Student Admissions, etc.) by using one or more systems to process data.

Step 2: Plan your approach

New data processing

Any time you are planning a new form of data processing, which may involve existing or new relationships with a third party, business process, and/or system, you will need to create records in the data inventory.

Existing data processing

Any time existing data processing has not yet been inventoried, your unit needs to inventory its multiple third-party relationships, business processes, and/or systems. Your approach may vary based on the nature of the third-party relationships, systems, and business processes used within your organization and unit.

The following considerations can help you prioritize your inventory timeline:

  1. Begin with the highest-risk data processing or a specific data domain, with the goal of completing the inventory by the dates below:
    • December 2022: High-risk data processing and/or academic data domain.
    • February 2023: Youth and human resources.
    • April 2023: Advancement.
    • June 2023: Research.
    • August 2023: Finance.
    • October 2023: Property and space management.
  2. If you are the third-party contact and/or own a system that other units use for their business processes, consider entering those records first so that the business process records can be linked to the system record.

Example scenarios

  • Unit responsible for managing the third-party relationship, owns the system, and owns the business process:
    • Identifies data processing to inventory, beginning with academic and ending with property and space management data domains.
    • Creates records in the following order: Third party, system, and then business process.
  • Unit responsible for managing the third-party relationship and/or owns a system that is used by other units for their business processes:
    • Identifies data processing to inventory, beginning with academic and ending with property and space management data domains.
    • Within those domains, prioritizes the systems that are used by the most units.
    • If needed, communicates with business process owners using their systems about:
      • Requests for information about the data subject type(s), high-risk data collected, and processing purposes involved with the business process.
      • Timeline for completing third party and system records.
  • Unit owns a business process that relies on a system owned by another unit:
    • Identifies data processing to inventory, beginning with academic and ending with property and space management data domains.
    • If needed, responds to third party contacts and/or system owners about:
      • Requests for information about the data subject type(s), high-risk data collected, and processing purposes involved with the business process.
    • Waits to create business process record OR updates the business process record when the third party and system records are completed by the owning unit.

Step 3: Request access and get started

For more information about access to the Data Inventory Hub and how to proceed with creating third party, system, and business process records, please visit our Data Inventory User Guide.

Starting in September 2022, please view the Data Inventory Hub as your workspace for documenting information about your unit’s third-party relationships, systems, and business processes. Our Data Inventory User Guide provides more detail about the kinds of information that are required by TrustArc and identified as essential for UW units to inventory, as well as resources to help you get started. You will be able to save your work in progress and return to complete the record if needed.

Please prepare accordingly by registering to attend a TrustArc training and support session.

Step 4: Review and fill in the gaps

After you have drafted your third party, system, and business process records, be sure to review the information for accuracy and completeness.

Step 5: Complete records

Third party and system records do not need to be sent to the Privacy Office after you complete them. Let business process owners using your system know that you have completed the record.

Business process records should be sent to the Privacy Office after they are complete, following the steps outlined in the Data Inventory User Guide.

If the data processing is high risk, we will send you a privacy impact assessment to complete. If the data processing is not high risk, no further action is needed.

Step 6: Update periodically

To ensure that the data inventory can assess risk accurately, please periodically review and update your records. This includes updating records when a contract expires and when systems move from design to production or to decommissioned status.