UW Privacy Office

Privacy FAQs

General Privacy FAQs

What is the definition of University Personal Data in the Personal Data Processing Agreement (PDPA)?

“University Personal Data” or “UPD” means any records or information relating to an identified or identifiable natural person, such as name, identification number, location data, online identifiers, or factor(s) specific to physical, physiological, genetic, mental, economic, cultural, or social identity or characteristics, or is identified as personally identifiable data (or a similar term) by any applicable law, that:

  1. is created, received, or maintained by the University and transmitted to, accessed by, or otherwise made available to Vendor in connection with the Vendor’s performance of the Work;
  2. is created or compiled by the Vendor in performing the Work; or
  3. is appended to, aggregated with, or associated with any University Personal Data originating from the University that was transmitted to or accessed by the Vendor in connection with the Vendor’s performance of the Work.

Notwithstanding the foregoing, UPD does not include personal data relating to Vendor or Subcontractor personnel or personal data that is acquired from non-UW sources and is processed by Vendor not in association with the Work.

What is Data Processing?

“Data Processing” means any operation(s) performed on University Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction or destruction.

Where is the online list of information security and privacy laws?

It can be found here: https://privacy.uw.edu/laws/

What are the University-wide Rules/Policy Statements that apply to Institutional Information?

They can be found here: https://privacy.uw.edu/policies/

How do I determine the Subject Matter Expert(s) for an information security or privacy law?

Go to the Privacy “Laws” webpage and click on the link for a specific law. On the Laws webpage the Subject Matter Expert(s) are listed by name and title. As an example, see /laws/coppa/

Where are the UW Web Site Terms and Conditions of Use?

They can be found here: http://www.washington.edu/online/terms

Where is the UW Online Privacy Statement?

May I republish the UW Web Site Terms and Conditions of Use and the UW Online Privacy Statement to my unit’s specific website (e.g. collegename.uw.edu)?

No. Given the importance of the information being communicated in the Website Terms and Conditions of Use (Terms) and Online Privacy Statement (Privacy Statement), it was decided that the documents should always have the UW institutional brand, look, feel, and format. For this reason, the University Privacy Policy requires that University websites, including, but not limited to, websites for education, research, patient care, and service areas (internal and external to the University), have clearly visible links to the Terms and Privacy Statement.

May I replace the name University of Washington with my college, school, department or unit’s name?

No. In the event that the Online Privacy Statement or Website Terms and Conditions of Use need to be revised or updated by the UW, linking to one source will eliminate your need to update the webpages for your college, school, department or unit’s name.

How do I determine if an email is unsolicited under the University Privacy Policy?

Many UW units depend daily on email as a source of communication. When creating communications there are four key questions you should consider to determine if the communication is unsolicited:

  • Do you and your unit have a pre-established relationship with the individuals you are contacting?
  • Can the individuals you are contacting reasonably be expected to understand and know the pre-established relationship?
  • Is the communication from a trusted address and crafted to help individuals understand their relationship and why they are receiving the message?
  • Is the context of the communication in line with the pre-existing relationship?

If the answer to any of these questions is “no,” the email is unsolicited.
Depending on the content and type of communication there may be other questions you should consider as well.

May I send individuals an email that requires them to log into a webpage (e.g. to take a survey, join a collaborative working group, or access a system/application) with a username and password?

If the email is deemed to be unsolicited, as described in question 9 directly above, the email would violate section 7 of Administrative Policy Statement 2.2, University Privacy Policy.

The link to such a webpage would ask users to enter a password, which is considered Confidential Information.

Can you provide examples of email messages that may or may not be deemed unsolicited?

Yes, please contact uwprivacy@uw.edu.



 

Personal Data Privacy Agreement (PDPA) FAQs

How was the PDPA developed?

The PDPA was developed by the UW Privacy Office in consultation with the UW Division of the Attorney General’s Office. Before publication, the UW Privacy Office piloted the PDPA with selected UW departments and their contractors. In addition, we hosted five information sessions to gather and incorporate feedback from our UW colleagues. Throughout the process key stakeholders were informed about the development and publication of the PDPA and related self-help resources.

Who completes the Description of Data Processing Exhibit (the “Exhibit”) which appears at the end of the PDPA?

  • Sections 1-3 may be completed by the contractor and/or the UW department or unit. If completed by the contractor then the UW department or unit must confirm that the contractor’s details are accurate and complete. Each party to the PDPA should provide its contact information.
  • Section 4 or 5 may be completed by the contractor and/or UW department or unit.
  • Section 6 must be completed by the contractor if the contractor will engage in data processing governed by EU GDPR. The contractor is required to provide details about its subcontractors.

Who signs the PDPA?

Vice presidents, vice provosts, deans, chancellors, and other individuals with delegated executive authority are responsible for risks, compliance obligations, budgets, and financial costs associated with privacy in their organizational area(s). Accordingly, these individuals, or their designee(s), are responsible for making decisions about and signing the PDPA.

Can a contractor destroy (rather than transfer to UW) personal data when the purpose for data processing is fulfilled or the underlying contract is terminated?

UW departments and units are required to retain records in accordance with applicable UW Retention Schedules. Accordingly, the data should be transferred to the UW so the UW can determine when the data has reached the end of its legally approved records retention schedule, and how to completely purge, rather than simply delete, the data.

What happens if a Data Security and Privacy Agreement (DSPA) was signed in the past?

The PDPA replaces the DSPA for contracts that involve personal data. Departments and units should introduce the PDPA for a contractor’s existing and/or new goods or services that involve personal data.

What should happen if the information that appears in the Description of Data Processing Exhibit (“Exhibit”) changes over time?

UW departments and units are responsible for working with their contractor to update or create a new Exhibit whenever the nature of and purpose for data processing, categories of data subjects, and/or types of personal data change.

I need help with the PDPA. Can the UW Privacy Office help me?

The UW Privacy Office developed a variety of resources to facilitate use of the PDPA including training sessions and self-help tools. If you have leveraged all of the resources and still require help, you may request assistance through the PDPA Support Request Form.

I requested support using the UW Privacy Office’s PDPA Support Request Form. When can I expect assistance?

The UW Privacy Office is a small office with limited resources. We work through requests in an order that is based on (a) when requests are received through the PDPA Support Request Form, and (b) the relative priority of PDPA-related requests when evaluated against our office’s other responsibilities and work in progress.

Can my request for PDPA support be expedited?

If your department needs immediate or expedited support and a request has already been submitted through the PDPA Support Request Form, please have the VP, Dean, Chancellor, AVP, Associate or Assistant Dean, or an equivalent leader in your department or unit email uwprivacy@uw.edu and state if there is:

  1. Extreme time sensitivity;
  2. A critical process that may be negatively impacted; or
  3. Imminent risk of inappropriate processing of personal data by a contractor.

Requests for expedited support should include the name of the individual who originally submitted a request using the PDPA Support Request Form and the date of that submission. Please note, given the limited resources in the UW Privacy Office, that escalating your support request may result in delays to other support requests that are already in our queue.

A contractor has proposed modifications to the PDPA. My department or unit does not have individuals with privacy or legal expertise. Additionally, the contractor’s data processing does not meet the threshold articulated in the PDPA Support Request Form for modification support. Can the contractor’s proposed modifications be accepted?

The UW Privacy Office does not recommend modifying any terms or conditions that appear in the PDPA. Vice presidents, vice provosts, deans, chancellors, and other individuals with delegated executive authority are responsible for risks, compliance obligations, budgets, and financial costs associated with privacy in their organizational area(s). Accordingly, these individuals, or their designee(s), are responsible for making decisions about PDPA-related risks.


 

Website Terms of Use and Online Privacy Statement FAQs

Which websites or webpages are required to link to the Website Terms and Conditions of Use and Online Privacy Statement?

The requirement applies to University education, research, patient care, and service areas (internal and external to the University).

Are the Website Terms and Conditions of Use and Online Privacy Statement required or recommended?

The Website Terms and Conditions of Use and Online Privacy Statement serve a variety of important functions, including informing visitors to University websites about the potential uses of information, defining expected support behavior, and limiting University liability. Administrative Policy Statement 2.2, University Privacy Policy, makes such links a requirement.

What if I already have my own privacy statement?

The Online Privacy Statement and Website Terms and Conditions of Use best represent the University’s position regarding information privacy. The University will only recognize the statements contained within the Online Privacy Statement and Website Terms and Conditions of Use.

Are the Website Terms and Conditions of Use and Online Privacy Statement required on websites that are part of the uw.edu or washington.edu domain and involve other organizations or higher education institutions, such as research consortiums?

Yes. If either of the University Website Terms and Conditions of Use and Online Privacy Statement contradicts the collection and use of information by such a group, it is your responsibility to identify the particular language creating the concern and present your findings to the Executive Head of the Major Organization to which the consortium members from the University report. The Executive Head is then responsible for presenting suggested language to the UW Privacy Office at uwprivacy@uw.edu.

How should I format my webpage with a clearly visible link to the Website Terms and Conditions of Use and Online Privacy Statement?

Please see the footer on the University homepage at www.washington.edu for an example of how to link to the Online Privacy Statement and Website Terms and Conditions of Use.

Can I copy rather than link to the Website Terms and Conditions of Use and Online Privacy Statement?

No. In the event that the Online Privacy Statement or Website Terms and Conditions of Use need to be revised or updated by the University, linking to one source keeps your department or unit’s webpages up-to-date with the most recent version.

What if my webpage links to an external social media or networking site, such as Flickr, YouTube, or Facebook?

A clearly visible link to the Online Privacy Statement and Website Terms and Conditions of Use should be present on the webpage the user will leave to visit the external site. Please see the footer of the University homepage at www.washington.edu for an example of how to link to the documents.

Are the Website Terms and Conditions of Use and Online Privacy Statement required on my department’s social networking webpage, such as Facebook or Twitter?

External social media websites, such as Twitter and Facebook, are subject to the Terms of Use and Privacy Policies of each hosting company. In such cases, it is important to follow the suggestions in the answer to question 7 above.

 


 

Youth Privacy FAQs

When does the Children’s Online Privacy Protection Act apply?

COPPA applies to:

  • Operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children;
  • Operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13; and
  • Websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.

What do I do if COPPA applies to our youth program?

Consult with the UW Privacy Office or Office for Youth Programs Development. We’ll collaborate with you to review your program activities associated with the COPPA requirements.

How might we protect the privacy of those involved in our youth program?

Embrace “Privacy by Design,” building privacy directly into the information lifecycle. Integrating privacy in all processes, including registration, communications, marketing, engagement, evaluation, and ultimately through deletion of personal information, helps anticipate and prevent privacy-invasive events before they happen.

Should all UW youth program websites link to the UW Online Privacy Statement and Website Terms and Conditions of Use?

Yes, if your youth program or website is operated or led by the UW then the website should be consistent with and link to the UW Online Privacy Statement and UW Website Terms and Conditions of Use. These are living documents, and will change over time. Youth programs should periodically review and confirm their program activity is consistent with these documents.

Our youth program is federally funded – must we conform to the UW’s privacy requirements, or should we conform to those of our federal funding agency?

It depends upon the contract requirements. Please consult with the UW Privacy Office to assess whether your contract requirements can be achieved through the UW Privacy Principles, the UW Online Privacy Statement, and other privacy protections in place, or if other specific controls are warranted.

May individuals working for our Youth program take and share photos or videos of program participants?

Youth programs should determine whether anyone working on behalf of the program (employees, interns, volunteers, etc.) will be expected to capture photo or video images of participants for any programmatic reason (such as sharing information on blogs/websites, providing updates to participants and their families, for inclusion in future marketing materials, etc.).

If your program will be capturing photos/images:

  • Be clear and transparent in all program materials about this intent, the types of images which will be captured and how they will be used.
  • Explicitly seek photo/video consent from program participants’ parents/guardians as part of your registration process.
  • Allow for and accommodate any “opt-out” preferences.
  • Train all those working on behalf of the youth program about appropriate capture and use of photos/videos, to ensure behavior consistent with your plans.

Does our Youth program’s responsibility for managing photos/videos extend to program participants or others (parents, visitors)?

Each program should discuss and communicate photo/video expectations for participants and related others. Where necessary, share any cautions or restrictions around taking and sharing photo images of participants.

What data should we (and should we not) collect about youth program participants?

Your organization is responsible for managing the privacy risks associated with all of your youth program data. The purpose for collecting specific types of data, during registration or at other times, should be meaningful, lawful, and explicitly stated and shared with participants’ parents/guardians. Give careful thought to collecting, using, and sharing the minimum set of information necessary to achieve your purpose and manage privacy risk. This includes any data shared with external partners/vendors even if using a vendor service offered at no additional cost.

Under what circumstances may we have an external partner/vendor handle our youth program information such as registration process(es), evaluations, etc.?

If personal data is undergoing data processing by a third party, such as an external partner or vendor, a Personal Data Processing Agreement (PDPA) is required. The PDPA sets forth the UW’s expectations for protecting personal data and managing privacy-related risk when partnering or contracting with third parties.

What should I do if I still have questions?

Please consult with the UW Privacy Office at uwprivacy@uw.edu or UW Office for Youth Programs Development and Support at uwminors@uw.edu with any additional questions or concerns. Our Offices work in close collaboration to resolve questions as they are shared with us.