UW Privacy Office
Glossary of Privacy Terms
Last updated on September 2, 2022
This glossary defines various privacy terms that appear on the UW Privacy Office’s website and in its published materials. The UW Privacy Office may periodically update this glossary. Accordingly, you are encouraged to visit this page from time to time for updates.
- Anonymized Data
- Data that are not personal data because the data and/or information does not relate to an identified or identifiable natural person; or the data subject is not or no longer identifiable as direct and indirect identifiers are not present. That absence of identifiers may be due to aggregation, data suppression, data generalization, or added noise. Anonymization is irreversible; anonymized data cannot be re-identified.
- Business Associate Agreement or BAA
- Per UW Medicine Compliance, an agreement used with Business Associates (as defined by HIPAA) that includes terms and conditions that are intended to protect patients’ Protected Health Information.
- Controller
- The person or entity that determines the purpose and means for Data Processing.
- Data Breach
- Any technical or physical incident or set of circumstances that lead to the unauthorized, accidental, or unlawful access to, or destruction, loss, alteration, or disclosure of, Personal Data.
- Data Processing
- Any operation(s) performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, access, use, disclosure by transmission, dissemination, combination, restriction or destruction.
- Data Processing Agreement
- An agreement used with third parties that includes terms and conditions that are intended to protect personal data. The UW DPA is published and maintained by the Privacy Office and ensures legal compliance with myriad laws and upholds UW values.
- Data Subject Request
- A request to exercise rights available under any applicable law with respect to Personal Data.
- De-identified Data
- Direct and known indirect identifiers (perhaps contextually identified by a particular law or regulation, e.g., HIPAA) have been removed or mathematically manipulated to break the linkage to identities. Re-identification may still be possible through a variety of techniques.
- Personal Data
- Any records or information relating to an identified or identifiable natural person, such as name, identification number, location data, online identifiers, or factor(s) specific to physical, physiological, genetic, mental, economic, cultural, or social identity or characteristics, or is identified as personally identifiable data (or a similar term) by any applicable law.
- Processor
- The person or entity that performs Data Processing on behalf of the Controller.
- Pseudonymized Data
- Information from which direct identifiers have been eliminated, transformed or replaced by other values, but indirect identifiers may remain intact. Re-identification may occur where there is failure to secure the pseudonymization method or key used, and/or when reverse engineering is successful.
- Research
- Per the UW Office of Research, an activity that meets either definition below:
- First Definition: Research is a systematic investigation, including research development, testing, and/or evaluation, designed to develop or contribute to generalizable knowledge.
- Second Definition: The activity is research if both of the following conditions are met:
- *The intent of the activity is to develop information about a drug, medical device (including diagnostic tests), or biologic substance for submission to the federal Food and Drug Administration (FDA), and
- *The activity involves the prospective physical use of drug, medical device (including diagnostic tests), or biologic substance, in a way that is not completely up to the discretion of a clinical practitioner.
- Special Categories of Personal Data
- Any records or information relating to minors, older adults or seniors, criminal offenses, citizenship and/or immigration status, race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data used to identify a natural person, health, sex life, or sexual orientation. Please note that Special Categories of Personal Data, as defined by EU GDPR, are narrower than the UW’s definition that appears in this Glossary.
- Standard Contractual Clauses
- Terms and conditions published by European Commission for transfers of personal data from the European Economic Area and Switzerland to certain countries (such as the United States) that do not have laws that protect Personal Data in comparable ways to the General Data Protection Regulation.
- Third Party
- A non-UW person or entity that is not the subject of the personal data.
- Third-Party Partner
- In the TrustArc Privacy Management Platform, a non-UW person or entity that is not the subject of the personal data or a vendor or supplier (e.g. other federal or state agencies, research sponsors, etc.).
- Third-Party Vendor
- In the TrustArc Privacy Management Platform, a non-UW person or entity that provides goods or services to the UW and is not the subject of the personal data (e.g., supplier).