UW Privacy Office

Respect Individuals’ Requests

Last updated on July 31, 2023

Data Subject Requests

Overview

A data subject is an individual about whom personal data has been collected at the UW and who may request certain actions in relation to their personal data. The workflow on this page leads UW units through the process of referring data subjects to the appropriate UW resources or gathering information directly from the requestor and consulting with the Privacy Office to determine how the UW should respond to a data subject request.

The process is detailed, but following it carefully will help ensure that the UW unit responds in the best interest of both the UW and the data subject. Laws that govern data subject requests may require a response within a fixed timeframe (e.g., within one month of receipt under the European Union General Data Protection Regulation), and other laws (e.g., records retention) may prevent the UW from carrying out the request as submitted by the data subject.

It is important to review a data subject request as soon as it is received and follow the workflow below.

Data Subject Request Workflow

Step 1: Understand key terms

Data subjects may include students, employees, alumni, donors, patients, event ticket holders, library patrons, and others.

Data subjects may request actions, such as access to, correction of, or erasure of their own personal data in connection with a privacy-related law, regulation, or consumer right – these are called “data subject requests.”

Step 2: Understand the types of requests data subjects can make

Certain privacy-related laws include rights designed to give data subjects greater control over their personal data. Generally, data subjects may exercise available rights by submitting a request to an organization that processes their personal data.

At the UW, data subject requests may relate to one or more privacy-related laws. The tables in this section briefly describe types of data subject requests that may emerge under selected privacy-related laws. These broad descriptions are intended to be illustrative only, are not exhaustive, and may not include all nuances of the respective laws.

European Union’s General Data Protection Regulation (EU GDPR)

Type of data subject request and description:

Access: Confirming whether personal data is being processed; obtaining a copy of the personal data; and obtaining other information about the processing.
Rectification: Correcting personal data that is inaccurate or completing personal data that is incomplete.
Erasure: Deleting or destroying personal data. Also referred to as the right to be forgotten.
Restricted Processing: Limiting how personal data is processed.
Data Portability: Obtaining personal data in a structured, commonly used, machine-readable format; transmitting personal data from one organization to another.
Objection: Preventing new processing and/or ending existing processing.

Family Educational Rights and Privacy Act (FERPA)

Office of the University Registrar – FERPA for Students

Type of data subject request and description:

Inspection: Accessing and reviewing personal data (i.e., personally identifiable information in education records).
Amendment: Amending or correcting personal data that is inaccurate, misleading, or incomplete.
Restricted Release: Preventing the release of personal data contained in directory information.

Health Insurance Portability and Accountability Act (HIPAA)

Download UW Medicine Joint Notice of Privacy Practices [pdf]

Type of data subject request and description:

Inspection: Accessing and reviewing personal data (i.e., protected health information in medical records); obtaining a copy of personal data.
Amendment: Amending or correcting personal data that is inaccurate or incomplete.
Restricted Use: Restricting how personal data is used or disclosed, including preventing certain individuals or entities from accessing it.
Nondisclosure: Preventing disclosure of self-paid services to a data subject's (i.e., a patient's) health plan.
Confidential Communications: Determining the method for provider-data subject communications (e.g., email, mobile phone).
Accounting of Disclosures: Obtaining a list of instances in which personal data was disclosed in the past.
Complaints: Filing privacy-related complaints with a provider or the US Department of Health and Human Services.

Step 3: Know where and how data subjects can make a data subject request

The resources and processes below are for individuals to request information about their data:

UW departments or units with questions about responding to a public records request (rather than a data subject request) should contact the Office of Public Records and Open Public Meetings directly.

Step 4: Document efforts using the Data Subject Request Checklist

A data subject request is often submitted via email. However, departments and units may also receive a data subject request by other verbal or written methods (e.g., in person, by phone, or by mailed correspondence). If a unit receives a request from a data subject, it should use the step-by-step Data Subject Request Checklist to document how it received, triaged, and responded to the request, and to do so in a timely manner. The checklist assumes that data subject requests are received via email.

Download Data Subject Request Checklist [docx]

Step 5: Verify the identity of the data subject

UW units must verify the requester's identity before taking any action on a data subject request. This step ensures that the UW does not act on a request submitted in a data subject's name by someone who is not the data subject: responding to a fraudulent access or portability request would disclose personal data to an unauthorized party, and acting on a fraudulent erasure or rectification request would destroy or alter the data subject's records.

To verify that the requester is in fact the data subject, a UW unit receiving a data subject request should ask for the minimum information necessary and relevant to the request, and compare it against the information the unit already holds about the data subject. Information collected for verification is itself personal data; keep it only as long as it is needed to verify the request.

The type of request and the nature of the personal data held by the UW unit determine how much verification confidence is needed and how much burden it is reasonable to place on the data subject. A request to erase or obtain a copy of sensitive records warrants stronger verification than a request to correct a mailing address. Regardless of the context, do not request Social Security Numbers from data subjects.

Step 6: Triage the Data Subject Request

Prior to taking action on any data subject request, UW units will need to assess the following:

  • Does the request relate to other UW units?
  • Should the request be shared with or redirected to another unit or office?
  • Does the individual have privacy rights under one or more laws or regulations, and has that been determined?
  • Do relevant UW records retention schedules (or other obligations) prevent deletion of personal data at a data subject's request?

If an individual references the EU GDPR, the UW unit should try to glean from the request whether personal data was initially provided to the UW while the data subject was physically located in the European Economic Area. If EU GDPR could relate to the data subject’s request, inform the UW Privacy Office as indicated in the Data Subject Request Checklist.

Step 7: Consult the UW Privacy Office

Privacy-related laws may include rights that individuals can exercise. To determine whether and how the UW ought to respond to a data subject request, UW units should promptly consult the UW Privacy Office for guidance. The Data Subject Request Checklist includes consultation with the UW Privacy Office as a matter of process.

Please provide the following information via email at uwprivacy@uw.edu when consulting with the UW Privacy Office:

  • The date the request was received.
  • A copy of the data subject request.
  • Description of UW records that have or have not yet been located. Please do not send the actual records to the UW Privacy Office.
  • Applicable UW records retention schedules (if a request relates to deletion).
  • A list of other departments or units that may also have UW records related to the request.

As some data subject requests may be time-sensitive, UW units do not need to locate all records before engaging with the UW Privacy Office. The UW Privacy Office can advise on the next steps while a department or unit continues to locate relevant UW records.

Step 8: Address the request

After the previous steps are complete, the UW unit should understand which actions it may or may not be able to take to address the request. The UW unit should document these decisions, the date of each decision, and the name of the person accountable for it on the Data Subject Request Checklist or in the other tools or systems the department or unit uses to maintain records. Then proceed with the appropriate steps.

Step 9: Communicate with the data subject

Before communicating with a data subject via email, review the Data Subject Request Checklist to (a) identify instances when a UW unit should communicate with a data subject and, (b) learn what to include in the communication. Limiting communications to the standard language provided in the Data Subject Request Checklist helps the UW avoid inconsistent or confusing exchanges with data subjects.

If (a) you believe the standard email language is not suitable for a specific data subject request, or (b) a data subject has made a request verbally or in writing without the use of email, consult with the UW Privacy Office before communicating with the data subject.

FAQs

Frequently asked questions about Data Subject Requests

Can my department or unit simply delete personal data upon request without following all of the steps detailed in the Data Subject Request Checklist?

No. First, departments and units must verify the identity of a data subject who has submitted a request. Further, it is important to understand whether a right to deletion exists before taking any action. The Data Subject Request Checklist includes, as a matter of process, consultation with the UW Privacy Office to explore what action, if any, may need to be taken. Lastly, UW records retention schedules (or other obligations) may prevent deletion of personal data at a data subject’s request.