UW Privacy Office

Data Subject Requests

Data Subjects

A data subject is an individual about whom personal data has been collected. At the UW, data subjects may include students, employees, alumni, donors, patients, event ticket holders, library patrons, and others.

Data subjects may request actions, such as access to, correction of, or erasure of their own personal data in connection with a privacy related law, regulation, or consumer right – these are called “data subject requests.”

This webpage includes resources for UW departments and units that receive data subject requests.

NOTE: It is important for the UW to review a data subject request, determine next steps as described below, and respond in a timely manner. If the individual has rights under a specific law or regulation, then the UW may need to respond to the request within a certain timeframe. Note that UW may not be able to fulfill the data subject request either because individuals may not have legal rights to make the request, OR because other laws (e.g., Records Retention) may constrain UW’s ability to take the action requested.

UW departments or units with questions about responding to a public records request, rather than a data subject request, should contact the Office of Public Records and Open Public Meetings directly.

Types of Data Subject Requests

Certain privacy-related laws include rights designed to give data subjects greater control over their personal data. Generally, data subjects may exercise available rights by submitting a request to an organization that processes their personal data.

At the UW, data subject requests may relate to one or more privacy-related laws. The table below briefly describes some of the types of data subject requests that may emerge under selected privacy-related laws. These broad descriptions are intended to be illustrative only, are not exhaustive, and may not include all nuances of the respective laws. Example laws that may be applicable have been listed alphabetically.

European Union’s General Data Protection Regulation (EU GDPR)

Type of Data Subject Request | Description
Access | Confirming the existence of processing; obtaining a copy of personal data; and obtaining other information about the processing.
Rectification | Amending or correcting personal data that is inaccurate or incomplete.
Erasure | Deleting or destroying personal data. Also referred to as the right to be forgotten.
Restricted Processing | Limiting how personal data is processed.
Data Portability | Obtaining personal data in a common and reusable format (ex. machine readable); transferring personal data from one organization to another.
Objection | Preventing new processing and/or ending existing processing.

Family Educational Rights and Privacy Act (FERPA)

Office of the University Registrar – FERPA for Students

Type of Data Subject Request | Description
Inspection | Accessing and reviewing personal data (i.e., personally identifiable information in education records).
Amendment | Amending or correcting personal data that is inaccurate or incomplete.
Restricted Release | Preventing the release of personal data contained in directory information.

Health Insurance Portability and Accountability Act (HIPAA)

Download UW Medicine Joint Notice of Privacy Policy [pdf]

Type of Data Subject Request | Description
Inspection | Accessing and reviewing personal data (i.e., protected health information in medical records); obtaining a copy of personal data.
Amendment | Amending or correcting personal data that is inaccurate or incomplete.
Restricted Use | Preventing certain individuals or entities from accessing personal data.
Nondisclosure | Preventing disclosure of self-paid services to a data subject’s (i.e., a patient’s) health plan.
Confidential Communications | Determining the method for provider-data subject communications (ex. email, mobile phone, etc.).
Notice of Disclosures | Obtaining a list of instances of past personal data disclosure.
Complaints | Filing privacy-related complaints with a provider or the US Department of Health and Human Services.

Handling Data Subject Requests

UW departments and units must be mindful of the considerations that appear below when they handle data subject requests. Laws that govern data subject requests may require a response within a fixed timeframe (ex. 30 days per EU GDPR), and other laws may prevent UW from carrying out the request as submitted by the data subject. Accordingly, it is very important to review a data subject request as soon as it is received in order to determine next steps.

For step-by-step guidance relating to data subject requests, review the Data Subject Request Checklist information.

1. Receive and triage the Data Subject Request

a. Triage the Data Subject Request

A data subject request is often submitted via email. However, departments and units may receive a data subject request by other verbal or written methods (ex. in-person, via phone, mailed correspondence, etc.).

Additionally, data subjects may not directly reference rights using the terminology that appears in the “Types of Data Subject Requests” table above. Rather, data subjects may indirectly reference rights established by one or more laws. Prior to taking action on any data subject request, departments and units will need to assess the following:

  • In consultation with the UW Privacy Office, has it been determined whether or not the requested data subject right exists?
  • Should the request be shared with or redirected to another department or unit? Does it cross organizational boundaries?
  • If the request pertains to data held by the department or unit, has the department or unit verified the identity of the data subject who submitted the request?
  • Do relevant UW records retention schedules (or other obligations) prevent deletion of personal data at a data subject’s request?

Departments and units must be able to (a) recognize when an individual has made a data subject request, and (b) identify the nature of the data subject request.

b. Identify Specific Types of Data Subject Requests

The UW has specific resources and processes for responding to the below types of data subject requests:

  1. Release of records related to the Family Educational Rights and Privacy Act for Students. Review the Services and Resources for Students webpage;
  2. Access to protected health information maintained by UW Medicine. Review the Access Medical Records and Images webpage;
  3. Unsubscribe requests:
    • If a data subject requests removal from a mailing list, they may be able to adjust their communication settings by visiting the UW Preference Center and unsubscribing from selected or all mailing lists that are supported by UW Advancement. As a self-service tool, referral to the UW Preference Center does not require identity verification by a department or unit.
    • If the data subject has indicated the mailing list from which they would like to be removed, check that the referenced mailing list appears in the UW Preference Center. If a mailing list does not appear in the UW Preference Center, do not reply or otherwise communicate with the data subject until you have consulted with the UW Privacy Office.

    If a request directly or indirectly references rights established by multiple laws, data subjects may be directed to the FERPA and HIPAA resources listed above for the relevant parts of their larger data subject request.

  4. EU GDPR-related Data Subject Requests
    When EU GDPR applies to personal data processed by the UW, data subjects may have the ability to exercise the privacy-related rights described in the EU GDPR section of the “Types of Data Subject Requests” table above. Generally, organizations have 30 days to respond to a data subject request under EU GDPR.

    In order to determine whether EU GDPR applies to a request, departments and units should try to glean from the request whether personal data was initially provided to the UW while the data subject was physically located in the European Economic Area. If EU GDPR could relate to the data subject’s request, inform the UW Privacy Office as indicated in the Data Subject Request Checklist. When in doubt (ex. it is not clear from a data subject’s message whether EU GDPR applies to the request), inform the UW Privacy Office at uwprivacy@uw.edu.

2. Verify the identity of the data subject

To avoid acting on a data subject request that is improperly submitted in a data subject’s name by an individual who is not the data subject, departments and units must first verify the data subject’s identity.

A UW department or unit receiving a data subject request should request relevant information to verify that the data subject is in fact the requestor. When requesting relevant information, the nature of the data subject request must be considered. A request for relevant information must be limited to just those data points needed to help confirm the identity of the individual and for comparison against UW department or unit information.

The type of request and the nature of the personal data held by a department or unit will inform how verification confidence is balanced with the need to minimize verification burdens on data subjects. Regardless of the context, do not request Social Security numbers from data subjects. Departments and units may not take any action on the data subject’s request or respond with any personal data until:

  • the data subject requester’s identity is successfully verified;
  • the individual’s privacy rights are confirmed (as noted below); and
  • the UW’s records retention requirements, in connection with the request, are reviewed.

3. Consult the UW Privacy Office

Privacy-related laws may include rights that can be exercised by individuals. In order to determine whether and how the UW ought to respond to the data subject request, it is important for departments and units to promptly consult with the UW Privacy Office.

As indicated in the Data Subject Request Checklist, the UW Privacy Office will provide departments and units guidance on how to respond to a data subject request. Departments and units should engage with the UW Privacy Office at the earliest opportunity and provide the following via email to be sent to uwprivacy@uw.edu:

  • A copy of the data subject request with date received;
  • Descriptions of UW records that have or have not yet been located;
  • Governing UW records retention schedules (if a request relates to deletion); and
  • A list of other departments or units that may also have relevant UW records.

As some data subject requests may be time-sensitive, departments and units do not need to locate all records before engaging with the UW Privacy Office. The UW Privacy Office can advise on the next steps while a department or unit continues to locate relevant UW records. When emailing the UW Privacy Office, do not send the UW records you have located in your department or unit; instead, only describe the kinds of records you have found or are working on finding.

When a department or unit consults with the UW Privacy Office, privacy office staff may request additional information or organize a time to discuss the data subject request. Department and unit cooperation is important and appreciated.

4. Additional Considerations

Communications with Data Subjects

The UW receives most data subject requests through email. Before communicating with a data subject via email, review the Data Subject Request Checklist below. The Data Subject Request Checklist (a) identifies instances when a UW department or unit should communicate with a data subject, and (b) provides the substance of those communications. Limiting communications to just the standard language in the Data Subject Request Checklist helps the UW avoid inconsistent or confusing exchanges with data subjects.

If (a) you believe the standard email language is not suitable for a specific data subject request, or (b) a data subject has made a request verbally or in writing without the use of email, consult with the UW Privacy Office before communicating with the data subject.

Data Subject Request Checklist

This Data Subject Request Checklist is intended to help departments and units with the intake and handling of data subject requests. It includes discrete steps for receiving a request, verifying the identity of a data subject, locating relevant records, and engaging the UW Privacy Office. This checklist assumes that data subject requests are received via email.

Download Data Subject Request Checklist [docx]

FAQs

Frequently asked questions about Data Subject Requests

Can my department or unit simply delete personal data upon request without following all of the steps detailed in the Data Subject Request Checklist?

No. First, departments and units must verify the identity of a data subject who has submitted a request. Further, it is important to understand whether a right to deletion exists before taking any action. The Data Subject Request Checklist includes, as a matter of process, consultation with the UW Privacy Office to explore what action, if any, may need to be taken. Lastly, UW records retention schedules (or other obligations) may prevent deletion of personal data at a data subject’s request.