UW Privacy Office

Privacy Assessments

Privacy Impact Assessment for Personal Data Processing Activities (PIA)

The Privacy Impact Assessment for Personal Data Processing Activities (PIA) is intended to help departments and units assess:

The privacy impacts of processing personal data.  This requires identifying and weighing the potential benefits and possible harms to the individuals whose data are being processed and to the UW; and

The appropriateness of processing personal data.  Based upon the privacy impacts, this requires determining whether and how the data should be processed to fulfill the purpose while managing the possible harms to individuals and to the UW.

Use of this PIA helps uphold UW’s values and principles relating to privacy and helps address relevant laws and regulations relating to the protection of personal data.

The Privacy Impact Assessment form below will be updated as the UW evolves its privacy strategy and related operational practices. When completing a PIA, UW departments and units should always download the current version of the PIA form from this webpage.

Privacy Impact Assessment for Personal Data Processing Activities (download Word version)

Scope and Applicability

This PIA must be completed before a UW department or unit engages in a processing activity at the UW that involves personal data other than Protected Health Information (PHI) and when the processing activity meets any of Criteria 1 – 6 below:

Criterion 1 – UW determines the means and purpose for the processing of personal data and the processing is:

  1. A systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning an individual or similarly significantly affect an individual;
  2. A systematic monitoring of a publicly accessible area on a large scale;
  3. Any record containing first name or first initial and last name in combination with the data elements defined as Personal Information according to State of Washington data breach law;
  4. A large-scale operation which processes considerable amounts of personal data, and could affect a large number of individuals;
  5. A new technology being used on a large scale and a PIA was not previously completed;
  6. A new kind of data processing (such as a new business process) and a PIA was not previously completed; and/or
  7. High risk to individuals and/or makes it difficult for individuals to exercise their rights.

(See Frequently Asked Questions for examples of high-risk, large-scale, and other processing activities that require a PIA.)

Criterion 2 – A technology project or acquisition that involves personal data, is approved or exempted by the UW-IT Vice President/Chief Information Officer (VP/CIO) per UW APS 2.3 Information Technology, Telecommunications and Networking Projects and Acquisitions Policy, and for which the UW-IT VP/CIO requested and/or required a privacy impact assessment.

Criterion 3 – A mobile app that transparently or passively collects personal data and you are requesting it to be published in the UW app store, and the UW-IT Director of Academic Experience Design and Delivery requested and/or required a privacy impact assessment.

Criterion 4 – Any assessment or survey that involves personal data and the Office of Educational Assessment has requested and/or required a privacy impact assessment in order to utilize one of its services (e.g., population sampling, advertising the survey on MyUW).

Criterion 5 – The processing activity relates to a sponsored program that involves personal data other than PHI, and the sponsored program agreement(s) directly or indirectly references the European Union General Data Protection Regulation (EU GDPR).

Criterion 6 – A data request that involves personal data and the Data Custodian has requested and/or required a privacy impact assessment.

Submitting a PIA

The UW Privacy Office collaborates with various UW departments and units to facilitate and review PIAs as a function of the criteria above:

  1. If ONLY Criterion 1 applies, submit your PIA to the Privacy Office (uwprivacy@uw.edu) for review.

  2. If Criterion 1 AND any of Criteria 2 – 6 apply, submit your PIA to the UW department/unit/data custodian noted below. The respective organization will conduct an initial review of your PIA prior to submitting it to the Privacy Office for further review.

     Criterion 2: Submit to the UW-IT VP/CIO as requested.
     Criterion 3: Submit to the UW-IT Director of Academic Experience Design and Delivery.
     Criterion 4: Submit to the Office of Educational Assessment.
     Criterion 5: Submit to the Office of Sponsored Programs Reviewer handling your agreement.
     Criterion 6: Submit to the Data Custodian who requested or required a PIA.

  3. If ANY of Criteria 2 – 6 apply but Criterion 1 does NOT apply, submit your PIA to the UW department/unit/data custodian noted in 2. above and to the UW Privacy Office (email to uwprivacy@uw.edu). The UW Privacy Office will not review the PIA but needs to receive a copy for record-keeping.