UW Privacy Office

Privacy FAQs

General Privacy FAQs

What is the definition of University Personal Data in the Personal Data Processing Agreement (PDPA)?

“University Personal Data” or “UPD” means any records or information relating to an identified or identifiable natural person, such as name, identification number, location data, online identifiers, or factor(s) specific to physical, physiological, genetic, mental, economic, cultural, or social identity or characteristics, or is identified as personally identifiable data (or a similar term) by any applicable law, that:

  1. is created, received, or maintained by the University and transmitted to, accessed by, or otherwise made available to Vendor in connection with the Vendor’s performance of the Work;
  2. is created or compiled by the Vendor in performing the Work; or
  3. is appended to, aggregated with, or associated with any University Personal Data originating from the University that was transmitted to or accessed by the Vendor in connection with the Vendor’s performance of the Work.

Notwithstanding the foregoing, UPD does not include personal data relating to Vendor or Subcontractor personnel or personal data that is acquired from non-UW sources and is processed by Vendor not in association with the Work.

What is Data Processing?

“Data Processing” means any operation(s) performed on University Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction or destruction.

Where is the online list of information security and privacy laws?

It can be found here: https://privacy.uw.edu/laws/

What are the University-wide Rules/Policy Statements that apply to Institutional Information?

They can be found here: https://privacy.uw.edu/policies/

How do I determine the Subject Matter Expert(s) for an information security or privacy law?

Go to the Privacy “Laws” webpage and click on the link for a specific law. On the Laws webpage the Subject Matter Expert(s) are listed by name and title. As an example, see /laws/coppa/

Where are the UW Web Site Terms and Conditions of Use?

They can be found here: http://www.washington.edu/online/terms

Where is the UW Online Privacy Statement?

May I republish the UW Web Site Terms and Conditions of Use and the UW Online Privacy Statement to my unit’s specific website (e.g. collegename.uw.edu)?

No. Given the importance of the information being communicated in the Website Terms and Conditions of Use (Terms) and Online Privacy Statement (Privacy Statement), it was decided that the documents should always have the UW institutional brand, look, feel, and format. For this reason, the University Privacy Policy requires that University websites, including, but not limited to, websites for education, research, patient care, and service areas (internal and external to the University), have clearly visible links to the Terms and Privacy Statement.

May I replace the name University of Washington with my college, school, department or unit’s name?

No. In the event that the Online Privacy Statement or Website Terms and Conditions of Use need to be revised or updated by the UW, linking to one source will eliminate your need to update the webpages for your college, school, department or unit’s name.

How do I determine if an email is unsolicited under the University Privacy Policy?

Many UW units depend daily on email as a source of communication. When creating communications there are four key questions you should consider to determine if the communication is unsolicited:

  • Do you and your unit have a pre-established relationship with the individuals you are contacting?
  • Can the individuals you are contacting reasonably be expected to understand and know the pre-established relationship?
  • Is the communication from a trusted address and crafted to help individuals understand their relationship and why they are receiving the message?
  • Is the context of the communication in line with the pre-existing relationship?

If the answer to any of these questions is “no,” the email is unsolicited.
Depending on the content and type of communication there may be other questions you should consider as well.

May I send individuals an email that requires them to log into a webpage (e.g. to take a survey, join a collaborative working group, or access a system/application) with a username and password?

If the email is deemed to be unsolicited, as described in question 9 directly above, the email would violate section 7 of Administrative Policy Statement 2.2, University Privacy Policy.

The link to such a webpage would ask users to enter a password, which is considered Confidential Information.

Can you provide examples of email messages that may or may not be deemed unsolicited?

Yes, please contact uwprivacy@uw.edu.


Personal Data Privacy Agreement (PDPA) FAQs

How was the PDPA developed?

The PDPA was developed by the UW Privacy Office in consultation with the UW Division of the Attorney General’s Office. Before publication, the UW Privacy Office piloted the PDPA with selected UW departments and their contractors. In addition, we hosted five information sessions to gather and incorporate feedback from our UW colleagues. Throughout the process key stakeholders were informed about the development and publication of the PDPA and related self-help resources.

Who completes the Description of Data Processing Exhibit (the “Exhibit”) which appears at the end of the PDPA?

  • Sections 1-3 may be completed by the contractor and/or the UW department or unit. If completed by the contractor then the UW department or unit must confirm that the contractor’s details are accurate and complete. Each party to the PDPA should provide its contact information.
  • Section 4 or 5 may be completed by the contractor and/or UW department or unit.
  • Section 6 must be completed by the contractor if the contractor will engage in data processing governed by EU GDPR. The contractor is required to provide details about its subcontractors.

Who signs the PDPA?

Vice presidents, vice provosts, deans, chancellors, and other individuals with delegated executive authority are responsible for risks, compliance obligations, budgets, and financial costs associated with privacy in their organizational area(s). Accordingly, these individuals, or their designee(s), are responsible for making decisions about and signing the PDPA.

Can a contractor destroy (rather than transfer to UW) personal data when the purpose for data processing is fulfilled or the underlying contract is terminated?

UW departments and units are required to retain records in accordance with applicable UW Retention Schedules. Accordingly, the data should be transferred to the UW so the UW can determine when the data has reached the end of its legally approved records retention schedule, and how to completely purge, rather than simply delete, the data.

What happens if a Data Security and Privacy Agreement (DSPA) was signed in the past?

The PDPA replaces the DSPA for contracts that involve personal data. Departments and units should introduce the PDPA for a contractor’s existing and/or new goods or services that involve personal data.

What should happen if the information that appears in the Description of Data Processing Exhibit (“Exhibit”) changes over time?

UW departments and units are responsible for working with their contractor to update or create a new Exhibit whenever the nature of and purpose for data processing, categories of data subjects, and/or types of personal data change.

I need help with the PDPA. Can the UW Privacy Office help me?

The UW Privacy Office developed a variety of resources to facilitate use of the PDPA including training sessions and self-help tools. If you have leveraged all of the resources and still require help, you may request assistance through the PDPA Support Request Form.

I requested support using the UW Privacy Office’s PDPA Support Request Form. When can I expect assistance?

The UW Privacy Office is a small office with limited resources. We work through requests in an order that is based on (a) when requests are received through the PDPA Support Request Form, and (b) the relative priority of PDPA-related requests when evaluated against our office’s other responsibilities and work in progress.

Can my request for PDPA support be expedited?

If your department needs immediate or expedited support and a request has already been submitted through the PDPA Support Request Form, please have the VP, Dean, Chancellor, AVP, Associate or Assistant Dean, or an equivalent leader in your department or unit email uwprivacy@uw.edu and state if there is:

  1. Extreme time sensitivity;
  2. A critical process that may be negatively impacted; or
  3. Imminent risk of inappropriate processing of personal data by a contractor.

Requests for expedited support should include the name of the individual who originally submitted a request using the PDPA Support Request Form and the date of that submission. Please note, given the limited resources in the UW Privacy Office, that escalating your support request may result in delays to other support requests that are already in our queue.

A contractor has proposed modifications to the PDPA. My department or unit does not have individuals with privacy or legal expertise. Additionally, the contractor’s data processing does not meet the threshold articulated in the PDPA Support Request Form for modification support. Can the contractor’s proposed modifications be accepted?

The UW Privacy Office does not recommend modifying any terms or conditions that appear in the PDPA. Vice presidents, vice provosts, deans, chancellors, and other individuals with delegated executive authority are responsible for risks, compliance obligations, budgets, and financial costs associated with privacy in their organizational area(s). Accordingly, these individuals, or their designee(s), are responsible for making decisions about PDPA-related risks.

What do I do if a potential contractor refuses to enter into a PDPA?

When a potential contractor refuses to enter into a PDPA, a department or unit should inquire about the basis for the contractor’s refusal.

If a potential contractor generally opposes having any privacy terms or conditions govern its provision of services to the UW, a department or unit may need to find a different contractor. Departments and units cannot allow contractors to process University Personal Data when that processing is not governed by privacy terms and conditions.

If a potential contractor refuses to enter into a PDPA because privacy commitments are addressed in another agreement (e.g., the underlying service agreement or another data processing agreement), departments and units are responsible for ensuring that the alternate agreement provides the same level of protection as the PDPA. Notably, a potential contractor’s published privacy notice (sometimes also referred to by contractors as a privacy statement or privacy policy) is not equivalent to and cannot replace an agreement between UW and the contractor.

Please be aware that the language in the PDPA reflects the numerous laws and regulations that may apply to the UW. Accordingly, unmodified PDPAs will likely (a) address UW’s unique compliance needs more meaningfully than a contractor’s own privacy terms and conditions, and (b) result in more consistent and predictable contractor engagements across the UW with respect to privacy. For these reasons, departments and units should always work to utilize the PDPA instead of a contractor’s alternate agreement.

What do I do if a potential contractor mistakenly insists that its services do not involve University Personal Data (UPD) processing?

Processing includes any operation(s) performed on UPD, whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, access, use, disclosure by transmission, dissemination, combination, restriction or destruction.

If a potential contractor insists that storing UPD in its cloud solution does not constitute processing, explain to that potential contractor that cloud storage does in fact constitute an operation performed on UPD even if the potential contractor will not view, reference, or retrieve the stored UPD.

If a potential contractor insists that the de-identification or anonymization of UPD does not constitute processing, explain to that potential contractor that de-identification and anonymization both involve adaptation and alteration (i.e., operations performed on UPD). While such adaptation and alteration may result in data that no longer relates to an identified or identifiable person, the mechanism by which that result is achieved constitutes UPD processing.

What do I do if a contractor strikes the EU GDPR-specific language in Subsection F(1)(c) of the PDPA because personal data governed by EU GDPR will not actually be processed?

The compliance language under Subsection F(1) of the PDPA indicates that a “…contractor shall conduct all Work and Data Processing in full compliance with any and all applicable statutes, regulations, rules, standards and orders…” Further, the specific laws listed under Subsection F(1) are illustrative and may not apply depending on the nature of the contractor’s actual processing.

As written, the PDPA does not require contractors to comply with legal obligations that do not relate to the actual processing. For this reason, modifications are not needed and the EU GDPR-specific language should not be stricken.


 

Website Terms of Use and Online Privacy Statement FAQs

Which websites or webpages are required to link to the Website Terms and Conditions of Use and Online Privacy Statement?

The requirement applies to University education, research, patient care, and service areas (internal and external to the University).

Are the Website Terms and Conditions of Use and Online Privacy Statement required or recommended?

The Website Terms and Conditions of Use and Online Privacy Statement serve a variety of important functions, including informing visitors to University websites about the potential uses of information, defining expected support behavior, and limiting University liability. Administrative Policy Statement 2.2, University Privacy Policy, makes such links a requirement.

What if I already have my own privacy statement?

The Online Privacy Statement and Website Terms and Conditions of Use best represent the University’s position regarding information privacy. The University will only recognize the statements contained within the Online Privacy Statement and Website Terms and Conditions of Use.

Are the Website Terms and Conditions of Use and Online Privacy Statement required on websites that are part of the uw.edu or washington.edu domain and involve other organizations or higher education institutions, such as research consortiums?

Yes. If either the University Website Terms and Conditions of Use or the Online Privacy Statement contradicts the collection and use of information by such a group, it is your responsibility to identify the particular language creating the concern and present your findings to the Executive Head of the Major Organization to which the consortium members from the University report. The Executive Head is then responsible for presenting suggested language to the UW Privacy Office at uwprivacy@uw.edu.

How should I format my webpage with a clearly visible link to the Website Terms and Conditions of Use and Online Privacy Statement?

Please see the footer on the University homepage at www.washington.edu for an example of how to link to the Online Privacy Statement and Website Terms and Conditions of Use.

Can I copy rather than link to the Website Terms and Conditions of Use and Online Privacy Statement?

No. In the event that the Online Privacy Statement or Website Terms and Conditions of Use need to be revised or updated by the University, linking to one source keeps your department or unit’s webpages up-to-date with the most recent version.

What if my webpage links to an external social media or networking site, such as Flickr, YouTube, or Facebook?

A clearly visible link to the Online Privacy Statement and Website Terms and Conditions of Use should be present on the webpage the user will leave to visit the external site. Please see the footer of the University homepage at www.washington.edu for an example of how to link to the documents.

Are the Website Terms and Conditions of Use and Online Privacy Statement required on my department’s social networking webpage, such as Facebook or Twitter?

External social media websites, such as Twitter and Facebook, are subject to the Terms of Use and Privacy Policies of each hosting company. In such cases, it is important to follow the suggestions in the answer to question 7 above.


 

Youth Privacy FAQs

Please refer to the Privacy and UW Youth Programs webpage for an expanded list of Youth Privacy FAQs.