UW Privacy Office

October 13, 2020

Practice caution with 3rd-party software

(Email sent from Tom Lewis and Ann Nagel)

As we continue to work, teach, and do research remotely, UW-IT and the UW Privacy Office have seen an increase in vendors offering free or affordable solutions to our UW colleagues. While these offers may seem like great solutions, it is important to know that a great number of free and affordable software, including subscription services, come with substantial data privacy risks. Many companies make these offers in order to acquire personal data about individuals, which directly improves the company’s marketability or financial well-being. They may reuse or resell personal data without regard for the UW’s employees, students, or other constituents. Two safeguards can help mitigate these risks to privacy: a personal data processing agreement and the IT Vendor Risk Management process.

Personal Data Processing Agreement

A personal data processing agreement (PDPA) is required any time the UW engages a vendor in delivering goods, services, or IT solutions that involve personal data. It doesn’t matter if the solution is free, less than $10K, or more than $10K. Personal data is broadly defined as any record or information relating to an identified or identifiable natural person. The agreement workflow on the Privacy Office website helps individuals identify if and when a PDPA is required in order to uphold UW’s values and principles related to privacy and addresses laws and regulations that govern the protection of personal data.

IT Vendor Risk Management process

Moreover, and especially if you want to integrate this software with other UW enterprise systems such as Canvas, UW-IT asks that you use its IT Vendor Risk Management process. In addition to protecting privacy by incorporating the PDPA, this process manages and mitigates a host of other risks. Many vendors have gone through this process; as a result, their software can be integrated with Canvas or used standalone. Learn more about the approved software vendors.

Thank you for your help in protecting the privacy of UW community members.

Please share this message with faculty and staff in your organization. This message was sent to the UW Administrators, Privacy Steering Committee, Data Governance Committees, IT Governance, Data Trustees, Data Custodians, Computing Directors Group, TechSupport, Privacy Office contact list, Student Data Council, Faculty Council on Teaching and Learning, Faculty Senate Chairs

TOM LEWIS
Director / Academic Experience Design & Delivery
UW Information Technology
University of Washington
help@uw.edu

ANN W. NAGEL
University Privacy Officer
Associate Vice Provost / Privacy
UW Privacy Office / Academic and Student Affairs
privacy.uw.edu
privacy@uw.edu