UW Privacy Office

Privacy FAQs

General Privacy FAQs

Where is the online list of information security and privacy laws?

It can be found here: https://privacy.uw.edu/laws/

What are the University-wide Rules/Policy Statements that apply to Institutional Information?

They can be found here: https://privacy.uw.edu/policies/

How do I determine the Subject Matter Expert(s) for an information security or privacy law?

Go to the Privacy “Laws” webpage and click on the link for a specific law. On the Laws webpage the Subject Matter Expert(s) are listed by name and title. As an example, see /laws/coppa/

Where are the UW Web Site Terms and Conditions of Use?

They can be found here: http://www.washington.edu/online/terms

Where is the UW Online Privacy Statement?

May I republish the UW Web Site Terms and Conditions of Use and the UW Online Privacy Statement to my unit’s specific website (e.g. collegename.uw.edu)

No. Given the importance of the information being communicated in the Website Terms and Conditions of Use (Terms) and Online Privacy Statement (Privacy Statement), it was decided that the documents should always have the UW institutional brand, look, feel, and format. For this reason, the University Privacy Policy requires that University websites, including, but not limited to, websites for education, research, patient care, and service areas (internal and external to the University), have clearly visible links on the Terms and Privacy Statement.

May I replace the name University of Washington with my college, school, department or unit’s name?

No. In the event that the Online Privacy Statement or Website Terms and Conditions of Use need to be revised or updated by the UW, linking to one source will eliminate your need to update the webpages for your college, school, department or unit’s name.

How do I determine if an email is unsolicited under the University Privacy Policy?

Many UW units depend daily on email as a source of communication. When creating communications there are four key questions you should consider to determine if the communication is unsolicited:

  • Do you and your unit have a pre-established relationship with the individuals you are contacting?
  • Can the individuals you are contacting reasonably be expected to understand and know the pre-established relationship?
  • Is the communication from a trusted address and crafted to help individuals understand their relationship and why they are receiving the message?
  • Is the context of the communication in line with the pre-existing relationship?

If the answer to any of these questions is “no” the email is unsolicited.
Depending on the content and type of communication there may be other questions you should consider as well.

May I send individuals an email that requires them to log into a webpage (e.g. to take a survey, join a collaborative working group, or access a system/application) with a username and password?

If the email is deemed to be unsolicited, as described in question 9 directly above, the email would violate section 7 of Administrative Policy Statement 2.2, University Privacy Policy.

The link to such a webpage would ask users to enter a password, which is considered Confidential Information.

Can you provide examples of email messages that may or may not be deemed unsolicited?

Yes, please contact uwprivacy@uw.edu.

 


 

Website Terms of Use and Online Privacy Statement FAQs

Which websites or webpages are required to link to the Website Terms and Conditions of Use and Online Privacy Statement?

The requirement applies to University education, research, patient care, and service areas (internal and external to the University).

Are the Website Terms and Conditions of Use and Online Privacy Statement required or recommended?

The Website Terms and Conditions of Use and Online Privacy Statement serve a variety of important functions, including informing visitors to University websites about the potential uses of information, defining expected support behavior, and limiting University liability. Administrative Policy Statement 2.2, University Privacy Policy, makes such links a requirement.

What if I already have my own privacy statement?

The Online Privacy Statement and Website Terms and Conditions of Use best represent the University’s position regarding information privacy. The University will only recognize the statements contained within the Online Privacy Statement and Website Terms and Conditions of Use.

Are the Website Terms and Conditions of Use and Online Privacy Statement required on websites that are part of the uw.edu or washington.edu domain and involve other organizations or higher education institutions, such as research consortiums?

Yes. If either of the University Website Terms and Conditions of Use and Online Privacy Statement contradict the collection and use of information by such a group, it is your responsibility to identify the particular language creating the concern and present your findings to the Executive Head of the Major Organization to which the consortium members from the University report. The Executive Head is then responsible for presenting suggested language to the UW Privacy Office at uwprivacy@uw.edu.

How should I format my webpage with a clearly visible link to the Website Terms and Conditions of Use and Online Privacy Statement?

Please see the footer on the University homepage at www.washington.edu for an example of how to link to the Online Privacy Statement and Website Terms and Conditions of Use.

Can I copy rather than link to the Website Terms and Conditions of Use and Online Privacy Statement?

No. In the event that the Online Privacy Statement or Website Terms and Conditions of Use need to be revised or updated by the University, linking to one source keeps your department or unit’s webpages up-to-date with the most recent version.

What if my webpage links to an external social media or networking site, such as Flickr, YouTube, or Facebook?

A clearly visible link to the Online Privacy Statement and Website Terms and Conditions of Use should be present on the webpage the user will leave to visit the external site. Please see the footer of the University homepage at www.washington.edu for an example of how to link to the documents.

Are the Website Terms and Conditions of Use and Online Privacy Statement required on my department’s social networking webpage, such as Facebook or Twitter?

External social media websites, such as Twitter and Facebook, are subject the Terms of Use and Privacy Policies of each hosting company. In such cases, it is important to follow the suggestions in the answer to question 7 above.

 


 

Youth Privacy FAQs

When does the Children’s Online Privacy Protection Act apply?

COPPA applies to:

  • Operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children;
  • Operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13; and
  • Websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.

What do I do if COPPA applies to our youth program?

Consult with the UW Privacy Office or Office for Youth Programs Development. We’ll collaborate with you to review your program activities associated with the COPPA requirements.

How might we protect the privacy of those involved in our youth program?

Embrace “Privacy by Design,” building privacy directly into the information lifecycle. By integrating privacy in all processes, including registration, communications, marketing, engagement, evaluation, and ultimately through deletion of personal information, it helps anticipate and prevent privacy invasive events before they happen.

Should all UW youth program websites link to the UW Online Privacy Statement and Website Terms and Conditions of Use?

Yes, if your youth program or website is operated or led by the UW then the website should be consistent with and link to the UW Online Privacy Statement and UW Website Terms and Conditions of Use. These are living documents, and will change over time. Youth programs should periodically review  and confirm their program activity is consistent with these documents.

Our youth program is federally funded – must we conform to the UW’s privacy requirements, or should we conform to those of our federal funding agency?

It depends upon the contract requirements. Please consult with the UW Privacy Office to assess whether your contract requirements can be achieved through the UW Privacy Principles, the UW Online Privacy Statement, and other privacy protections in place, or if other specific controls are warranted.

May individuals working for our Youth program take and share photos or videos of program participants?

Youth programs should determine whether anyone working on behalf of the program (employees, interns, volunteers, etc.) will be expected to capture photo or video images of participants for any programmatic reason (such as sharing information on blogs/websites, providing updates to participants and their families, for inclusion in future marketing materials, etc.).

If your program will be capturing photos/images:

  • Be clear and transparent in all program materials about this intent, the types of images which will be captured and how they will be used.
  • Explicitly seek photo/video consent from program participants’ parents/guardians as part of your registration process.
  • Allow for and accommodate any “opt-out” preferences.
  • Train all those working on behalf of the youth program about appropriate capture and use of photos/videos, to ensure behavior consistent with your plans.

Does our Youth program responsibility for managing photos/videos extend to program participants or others (parents, visitors)?

Each program should discuss and communicate photo/video expectations for participants and related others. Where necessary, share any cautions or restrictions around taking and sharing photo images of participants.

What data should we (and should we not) collect about youth program participants?

Your organization is responsible for managing the privacy risks associated with all of your youth program data. The purpose for collecting specific types of data, during registration or at other times, should be meaningful, lawful, and explicitly stated and shared with participants’ parents/guardians. Give careful thought to collecting, using, and sharing the minimum set of information necessary to achieve your purpose and manage privacy risk. This includes any data shared with external partners/vendors even if using a vendor service offered at no additional cost.

Under what circumstances may we have an external partner/vendor handle our youth program information such as registration process(es), evaluations, etc.?

If data will be shared with an external partner or vendor, a Data Security and Privacy Agreement (DSPA) should be negotiated, signed, and in place.  The DSPA controls risk, enables innovation, and seeks a balance that is fair, clear, and practical by communicating data security and privacy goals when contracting with vendors. See the Office of the CISO’s External Data Sharing website for additional information about the DSPA.

What should I do if I still have questions?

Please consult with the UW Privacy Office at uwprivacy@uw.edu or UW Office for Youth Programs Development and Support at uwminors@uw.edu with any additional questions or concerns. Our Offices work in close collaboration to resolve questions as they are shared with us.