UW Privacy Office

Online Monitoring Guideline

Last updated on October 7, 2022

Originally published September 20, 2017
Updated May 24, 2018

This guideline is dynamic and will be updated as we learn more about the use of online monitoring activities at the UW.

Preface

Monitoring online activities is important to protect institutional information, ensure the reliability of services, and create meaningful relationships with our community. In certain instances, monitoring online activity may be required or essential to the UW’s mission. However, the benefits and risks associated with online monitoring require careful review to ensure that such activities don’t compromise the UW’s values, academic freedom, policies, or privacy principles included in this guideline.

The evolution of technology, data science, artificial intelligence, and laws shapes the dynamic definition of online monitoring in the “Scope” section below. No online monitoring should be initiated without the approval of the UW privacy officer as further described in this guideline.

Purpose

This guideline is intended to assist UW units in complying with the UW policies referenced at the end of this document and to set forth the UW’s aspirations and expectations for online monitoring activities. In general, online monitoring activities should be conducted in ways that:

  • enable innovative uses of data and technology in a secure manner;
  • respect privacy and uphold trusted relationships with the individuals the UW serves in the state of Washington and beyond;
  • negate harm or conflict as a result of the monitoring activities;
  • establish a clear, concise, and transparent approach for articulating and evaluating the benefits and risks associated with online monitoring in a public academic institution; and
  • coordinate online terms of use, privacy statements, and other notices or consents needed for online monitoring activity.

Scope

This guideline applies to online monitoring activities, defined as all electronic actions that observe, track, intercept, disclose, process, store, or collect information about activities or states occurring on technology devices or systems when the observation or data collection is or can be associated with an individual, especially their geography, demography, identity, communications, or behaviors and actions. This includes all active and passive monitoring activities that are or can be directly or indirectly associated with an individual and are under the possession, custody, or control of the UW.

This guideline does not apply to logging that is required to fulfill a legal obligation, or to routine services used to determine the identity of an individual in order for the individual to fulfill job duties, as long as the collection and use of monitoring data are limited to the intended and core functionality of the system. Examples include, but are not limited to, systems that grant access to a building or office space or deliver email to the intended recipient(s).

Review and Approval Process

The review and approval process for online monitoring aims to assist organizations in upholding the UW’s values, academic freedom, policies, or privacy principles included in this guideline. Contact uwprivacy@uw.edu to engage in the process.

Privacy Principle: Due Care

Online monitoring data often consists of more than one type of data that may be related to an individual’s relationship with UW (e.g., faculty, staff, student, alumni, or member of the public). The combination and removal of data elements may change how the data is classified and whether it is:

  • confidential information that is sensitive in nature and possibly subject to federal or state regulations;
  • restricted information that is only circulated on a need-to-know basis; or
  • public information that is available for public use.

Online monitoring data may be subject to more than one law or regulation, including laws that make information confidential or public. The data shall be retained as required by applicable laws and University records retention schedules.

Privacy Principle: Limited Data

To protect and respect the privacy of individuals, the risk associated with the intended and unintended uses of online monitoring data should be assessed prior to initiating the online monitoring activity. Online monitoring should not occur in the following situations:

  1. Systems or services that the UW requires an individual to use in order to receive information or a service from the UW, when the UW does not provide an alternative medium for the interaction or any notice or choice to the user about the monitoring of their information.
  2. Systems, services, webpages, or communications that are directed to or collect information from individuals under the age of 13.
  3. Systems, services, or webpages that collect or exchange information about which individuals may have a reasonable expectation of privacy. Examples may include, but are not limited to, communications and webpages associated with safe campus, scheduling sensitive appointments (e.g., medical appointments), or hardship withdrawal.

Privacy Principle: Transparency

To fulfill the UW’s commitment to transparency and to provide individuals with meaningful information about the UW’s use of their information, online monitoring activities should include or refer to UW’s Online Privacy Statement and Website Terms and Conditions of Use.

Privacy Principle: User Choice

Additional notice or consent may be needed to meet the UW’s privacy principles and legal obligations or to ensure that the online monitoring activities uphold academic freedom. In such circumstances, the notice or consent should be meaningful and in a clear, concise, and easily accessible form.

Privacy Principle: Protection

When online monitoring occurs, administrative, physical, and technical safeguards must be implemented in accordance with the UW policies included in this guideline.

Roles and Responsibilities

Institutional Privacy Official and Associate Vice Provost for UW Privacy:

  1. Establish and maintain a collaborative review and approval process that, as needed, includes other subject matter experts and data custodians.
  2. Collaborate with business owners and technical owners to balance the benefits and risks associated with online monitoring.
  3. Coordinate notice or consent for online monitoring activities.
  4. Approve online monitoring at a system or function level when it is associated with or includes identifiable information about individuals.

UW Chief Information Security Officer:

  1. Oversee the creation and maintenance of the UW’s information security related policies, standards, and guidelines.
  2. Oversee institutional risk assessments related to the UW’s information security practices.
  3. Provide support for compliance with information security related laws, regulations, standards, and contractual requirements.

Business owners and technical owners:

  1. Collaborate with the privacy official and chief information security officer for the review and approval of online monitoring at a system or function level.
  2. Collaborate with the privacy official to ensure that ongoing monitoring activities and use of monitoring data are consistent with this guideline.
  3. When applicable and in consultation with the privacy official, provide meaningful notice or obtain consent in clear and plain language.
  4. Collect, use, and maintain systems and data consistent with the UW’s policies.

Workforce members:

  1. Only use online monitoring data for the specific and intended purpose for which the online monitoring was approved and the data was collected.
  2. Only share online monitoring data with those who are authorized by the business and technical owner unless explicitly authorized by the business or technical owner of the source system(s).
  3. Secure and maintain online monitoring data, in the source or side system, in a manner that’s consistent with the business and technical owner’s security practices for the source system.

Effective Date

This guideline is effective as of September 20, 2017, for all new online monitoring activity that takes place on or after the effective date. All existing online monitoring activity will have a grace period of one year from the effective date to allow time for UW units to establish outreach, complete the review and approval process, and/or implement changes to the systems or services.

Relevant Policies

This guideline is intended to assist UW units in complying with the following UW Policies: