UW Privacy Office

Privacy FAQs

General Privacy FAQs

What is the definition of Personal Data?

See Glossary of Privacy Terms for all definitions.

What is Data Processing?

See Glossary of Privacy Terms for all definitions.

Where is the online list of information security and privacy laws?

They can be found on the Privacy Laws webpage.

What are the University-wide Rules/Policy Statements that apply to Institutional Information?

They can be found on the Privacy Policies webpage.

How do I determine the Subject Matter Expert(s) for an information security or privacy law?

Go to the Privacy Laws webpage and click on the link for a specific law. Each Laws webpage has the Subject Matter Expert(s) listed by name and title. As an example, review the COPPA webpage.

Where are the UW Web Site Terms and Conditions of Use?

Where is the UW Online Privacy Statement?

It can be found on the UW Online Privacy Statement webpage.

May I republish the UW Web Site Terms and Conditions of Use and the UW Online Privacy Statement to my unit’s specific website (e.g. collegename.uw.edu)?

No. Given the importance of the information being communicated in the Website Terms and Conditions of Use (Terms) and Online Privacy Statement (Privacy Statement), it was decided that the documents should always have the UW institutional brand, look, feel, and format. For this reason, the University Privacy Policy requires that University websites, including, but not limited to, websites for education, research, patient care, and service areas (internal and external to the University), have clearly visible links to the Terms and Privacy Statement.

May I replace the name University of Washington with my college, school, department, or unit’s name?

No. In the event that the Online Privacy Statement or Website Terms and Conditions of Use need to be revised or updated by the UW, linking to one source will eliminate your need to update the webpages for your college, school, department, or unit’s name.

How do I determine if an email is unsolicited under the University Privacy Policy?

Many UW units depend daily on email as a source of communication. When creating communications there are four key questions you should consider to determine if the communication is unsolicited:

  • Do you and your unit have a pre-established relationship with the individuals you are contacting?
  • Can the individuals you are contacting reasonably be expected to understand and know the pre-established relationship?
  • Is the communication from a trusted address and crafted to help individuals understand their relationship and why they are receiving the message?
  • Is the context of the communication in line with the pre-existing relationship?

If the answer to any of these questions is “no,” the email is unsolicited.
Depending on the content and type of communication there may be other questions you should consider as well.

May I send individuals an email that requires them to log into a webpage (e.g. to take a survey, join a collaborative working group, or access a system/application) with a username and password?

If the email is deemed to be unsolicited, as described in question 9 directly above, the email would violate section 7 of Administrative Policy Statement 2.2, University Privacy Policy.

The link to such a webpage would ask users to enter a password, which is considered Confidential Information.

Can you provide examples of email messages that may or may not be deemed unsolicited?

Yes, please contact uwprivacy@uw.edu.

Data Privacy Agreement (DPA) FAQs

What happened to the Personal Data Processing Agreement (PDPA)?

The Data Processing Agreement for UW as Controller and Third Party as Processor is the same as the Personal Data Processing Agreement. The name change aligns UW terminology with industry practice and with prevailing legal terminology.

If I have a PDPA in place, do I now need a DPA?

Where a PDPA was appropriate for past agreements, it remains appropriate with the introduction of the name change from PDPA to DPA.

What happens if a Data Security and Privacy Agreement (DSPA) was signed in the past?

There are substantial differences between a DPA and the DSPA that was in place before May 2019. These differences address new requirements and obligations that impart a duty on the UW. UW units should introduce the appropriate DPA for a third party’s existing and/or new goods or services that involve personal data.

Is it possible to waive the DPA when contracting with a third party?

No. Since the introduction of the DPA (originally called the PDPA), it has been required when engaging a third party in data processing that involves personal data. A waiver has never been available.

Can I modify the DPA or accept a third party's modifications to a DPA?

The UW Privacy Office does not recommend modifying or negotiating a DPA unless you engage appropriate privacy or legal expertise. If the third party is unwilling to accept the DPA then you are responsible for ensuring equivalent terms and conditions are included in the agreement in order to address the privacy and data protection requirements that apply to the UW. If your agreement does not include the DPA or equivalent terms and conditions then your UW unit is responsible for the privacy risks, such as costs of non-compliance.

Who completes the Description of Data Processing Exhibit (the “Exhibit”) which appears at the end of the DPA for Controller to Processor relationships?

  • Sections 1-3 may be completed by the third party and/or the UW unit.  If completed by the third party, then the UW unit must confirm that the third party’s details are accurate and complete. Each party to the DPA should provide its contact information.
  • Section 4 or 5 may be completed by the third party and/or UW unit.
  • Section 6 must be completed by the third party if the third party will engage in data processing governed by EU GDPR. The third party is required to provide details about its sub-processors.

Who signs the DPA?

Vice presidents, vice provosts, deans, chancellors, and other individuals with delegated executive authority are responsible for risks, compliance obligations, budgets, and financial costs associated with privacy in their organizational area(s). Accordingly, these individuals, or their designee(s), are responsible for making decisions about and signing the DPA.

Can a third party destroy (rather than transfer to UW) personal data when the purpose for data processing is fulfilled or the underlying contract is terminated?

UW units are required to retain records in accordance with applicable UW Retention Schedules. Accordingly, the data should be transferred to the UW so the UW can determine when the data has reached the end of its legally approved records retention schedule, and how to completely purge, rather than simply delete the data.

What should happen if the information that appears in the Description of Data Processing Exhibit (“Exhibit”) changes over time?

UW units are responsible for working with their third party to update or create a new Exhibit whenever the nature of and purpose for data processing, categories of data subjects, and/or types of personal data change.

I need help with the DPA. Can the UW Privacy Office help me?

The UW Privacy Office developed a variety of resources to facilitate use of the DPA including online training and self-help tools. If you have leveraged all of the resources and still require help, you may request assistance through the DPA Support Request Form.

I requested support using the UW Privacy Office’s DPA Support Request Form. When can I expect assistance?

The UW Privacy Office is a small office with limited resources. We work through requests in an order that is based on (a) when requests are received through the DPA Support Request Form, and (b) the relative priority of DPA-related requests when evaluated against our office’s other responsibilities and work in progress.

Can my request for DPA support be expedited?

If your department needs immediate or expedited support and a request has already been submitted through the DPA Support Request Form, please have the VP, Dean, Chancellor, AVP, Associate or Assistant Dean, or an equivalent leader in your UW unit email uwprivacy@uw.edu and state if there is:

  1. Extreme time sensitivity;
  2. A critical process that may be negatively impacted; or
  3. Imminent risk of inappropriate processing of personal data by a third party.

Requests for expedited support should include the name of the individual who originally submitted a request using the DPA Support Request Form and the date of that submission. Please note, given the limited resources in the UW Privacy Office, that escalating your support request may result in delays to other support requests that are already in our queue.

A third party has proposed modifications to the DPA. My UW unit does not have individuals with privacy or legal expertise. Additionally, the third party’s data processing does not meet the threshold articulated in the DPA Support Request Form for modification support. Can the third party’s proposed modifications be accepted?

The UW Privacy Office does not recommend modifying any terms or conditions that appear in the DPA. Vice presidents, vice provosts, deans, chancellors, and other individuals with delegated executive authority are responsible for risks, compliance obligations, budgets, and financial costs associated with privacy in their organizational area(s). Accordingly, these individuals, or their designee(s), are responsible for making decisions about DPA-related risks.

What do I do if a potential third party refuses to enter into a DPA?

When a potential third party refuses to enter into a DPA, a UW unit should inquire about the basis for the third party’s refusal. The DPA reflects the numerous laws and regulations that may apply to the UW. Accordingly, unmodified DPAs will likely (a) address UW’s unique compliance needs more meaningfully than a third party’s own privacy terms and conditions, and (b) result in more consistent and predictable third party engagements across the UW with respect to privacy. For these reasons, UW units should always utilize the DPA first.

If a potential third party generally opposes having any privacy terms or conditions govern its provision of services to the UW, a department or UW unit may need to find a different third party. UW units cannot allow third parties to process Personal Data when that processing is not governed by privacy terms and conditions.

If a potential third party refuses to enter into a DPA because privacy commitments are addressed in another agreement (e.g., the underlying service agreement or another data processing agreement), UW units are responsible for ensuring that the alternate agreement provides the same level of protection as the DPA.

A potential third party’s published privacy notice (sometimes also referred to by a third party as a privacy statement or privacy policy) and terms of service are not equivalent to and cannot replace an agreement between UW and the third party.

What do I do if a potential third party mistakenly insists that its services do not involve Personal Data processing?

Processing includes any operation(s) performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, access, use, disclosure by transmission, dissemination, combination, restriction or destruction.

If a potential third party insists that storing Personal Data in its cloud solution does not constitute processing, explain to that potential third party that cloud storage does in fact constitute an operation performed on Personal Data even if the potential third party will not view, reference, or retrieve the stored Personal Data.

If a potential third party insists that the de-identification or anonymization of Personal Data does not constitute processing, explain to that potential third party that de-identification and anonymization both involve adaptation and alteration (i.e. operations performed on Personal Data). While such adaptation and alteration may result in data that no longer relates to an identified or identifiable person, the mechanism by which that result is achieved constitutes Personal Data Processing.

What do I do if a third party strikes the EU GDPR-specific language in Subsection F(1)(c) of the DPA because personal data governed by EU GDPR will not actually be processed?

The compliance language under Subsection F(1) of the DPA for Controller to Processor Relationship indicates that a “…third party shall conduct all Work and Data Processing in full compliance with any and all applicable statutes, regulations, rules, standards and orders…” Further, the specific laws listed under Subsection F(1) are illustrative and may not apply depending on the nature of the third party’s actual processing.

As written, the DPA does not require third parties to comply with legal obligations that do not relate to the actual processing.  For this reason, modifications are not needed, and the EU GDPR-specific language should not be stricken.

How was the DPA for Controller to Processor relationships developed?

The DPA for Controller to Processor relationships was developed by the UW Privacy Office in consultation with the UW Division of the Attorney General’s Office. Before publication, the UW Privacy Office piloted the DPA with selected UW units and their third parties. In addition, we hosted five information sessions to gather and incorporate feedback from our UW colleagues. Throughout the process key stakeholders were informed about the development and publication of the DPA and related self-help resources.

Website Terms of Use and Online Privacy Statement FAQs

Which websites or webpages are required to link to the Website Terms and Conditions of Use and Online Privacy Statement?

The requirement applies to University education, research, patient care, and service areas (internal and external to the University).

Are the Website Terms and Conditions of Use and Online Privacy Statement required or recommended?

The Website Terms and Conditions of Use and Online Privacy Statement serve a variety of important functions, including informing visitors to University websites about the potential uses of information, defining expected support behavior, and limiting University liability. Administrative Policy Statement 2.2, University Privacy Policy, makes such links a requirement.

What if I already have my own privacy statement?

The Online Privacy Statement and Website Terms and Conditions of Use best represent the University’s position regarding information privacy. The University will only recognize the statements contained within the Online Privacy Statement and Website Terms and Conditions of Use.

Are the Website Terms and Conditions of Use and Online Privacy Statement required on websites that are part of the uw.edu or washington.edu domain and involve other organizations or higher education institutions, such as research consortiums?

Yes. If either of the University Website Terms and Conditions of Use and Online Privacy Statement contradicts the collection and use of information by such a group, it is your responsibility to identify the particular language creating the concern and present your findings to the Executive Head of the Major Organization to which the consortium members from the University report. The Executive Head is then responsible for presenting suggested language to the UW Privacy Office at uwprivacy@uw.edu.

How should I format my webpage with a clearly visible link to the Website Terms and Conditions of Use and Online Privacy Statement?

Please see the footer on the University homepage for an example of how to link to the Online Privacy Statement and Website Terms and Conditions of Use.

Can I copy rather than link to the Website Terms and Conditions of Use and Online Privacy Statement?

No. In the event that the Online Privacy Statement or Website Terms and Conditions of Use need to be revised or updated by the University, linking to one source keeps your department or unit’s webpages up-to-date with the most recent version.

What if my webpage links to an external social media or networking site, such as Flickr, YouTube, or Facebook?

A clearly visible link to the Online Privacy Statement and Website Terms and Conditions of Use should be present on the webpage the user will leave to visit the external site. Please see the footer of the University homepage for an example of how to link to the documents.

Are the Website Terms and Conditions of Use and Online Privacy Statement required on my department’s social networking webpage, such as Facebook or Twitter?

External social media websites, such as Twitter and Facebook, are subject to the Terms of Use and Privacy Policies of each hosting company. In such cases, it is important to follow the suggestions in the answer to question 7 above.

Youth Privacy FAQs

Please refer to the Youth Programs and Youth Programs FAQs webpages for an expanded list of Youth Privacy FAQs.