UW Privacy Office

Collect and Use Data

Last updated on July 25, 2023

ON THIS PAGE:

Overview

When you work with personal data or access a system that processes personal data, it is important to only collect what you need, make sure you have practices to maintain data accuracy, and only use the data for the purpose for which you collect it. The Fair Information Practice Principles (FIPPs) offer guidance for appropriately collecting, maintaining, and using data. Units should follow the related principles [1]:

The Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

The Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.

The Purpose Specification Principle. The purposes for which personal data are collected should be specified no later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

The Use Limitation Principle. Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified, except a) with the consent of the data subject, or b) by the authority of law.

Benefits

Using the FIPPs to guide personal data collection, maintenance, and use supports all areas of the University by:

  • Decreasing the potential risk of harm to individuals, by avoiding the collection of unnecessary or redundant data.
  • Demonstrating respect for individuals’ personal data.
  • Maintaining trusted relationships between individuals and the UW.
  • Meeting legal and ethical obligations and upholding UW’s Privacy Principles.
  • Improving the design and implementation of systems and business processes.
  • Creating clear workflows, transparency, and accountability for the use of personal data throughout the data lifecycle.

Where to start

The steps required to integrate the FIPPs may vary depending on the nature of your business process or system, and whether it is new or already in use. For new projects, these suggested steps can help you implement the FIPPs using a Privacy by Design mindset. These steps are also useful for reviewing and updating systems and business processes in active use.

Step 1: Be clear about purpose

Be clear about what you are trying to accomplish and how the use of specific personal data elements will help achieve your objective and make a positive difference for UW’s constituents.

Questions to consider include, but are not limited to:

  • What is the goal of implementing the new or improving the existing business process or system?
  • What is the purpose of each data element with respect to the goal?
  • How will individuals be informed about the purpose at the time the data are requested?

Step 2: Evaluate data collection

Carefully evaluate the data elements you need to successfully implement the system or business process. If certain data elements do not fulfill a purpose with respect to the system or business process, do not collect them.

Questions to consider include, but are not limited to:

  • What are the minimum data elements necessary to implement the new system/business process?
  • Is this data element necessary in order for this existing system/business process to work?
  • Is the collection and use of the specific data elements appropriate for this purpose?
  • Are the data collection practices designed to decrease errors or duplicates and increase quality data that can be relied on for the purpose?
  • Would the individuals expect their data for the specific objective?

Refer to guidance about appropriate collection and use of data and support for specific programs.

Step 3: Only use data for its intended purpose

Once data collection begins, only use the data for the designated purpose.

Questions to consider include, but are not limited to:

  • Is there a way to manage access and ensure data are only used for the purpose that they are collected?
  • Will access be based on the principle of least privilege, which means that individuals’ access is limited to only what they need to have to be able to complete their assigned duties or functions?
  • How will University personnel who are part of the business process or have access to the system be informed about the purpose and that data are only used for the purpose they are collected?

Ensure that all University personnel that use the personal data for their job-related duties have reviewed the Access and Use Agreement for UW Data and Information Systems. This agreement addresses the responsibilities University Personnel have for using and safeguarding data consistent with UW policies.

Step 4: Prepare a data retention plan

Keep the data only as you need it for its intended purpose and in accordance with published record retention schedules provided by UW Records Management.

Questions to consider include, but are not limited to:

  • Who is responsible for determining the appropriate data retention schedule?
  • What is the retention schedule?
  • Who is responsible for ensuring that data are properly destroyed at the end of the retention schedule?

Step 5: Ensure data are accurate

To ensure the well-being of the individuals whose data are used to fulfill the purpose, it is important to develop processes to ensure that accurate data are maintained.

Questions to consider include, but are not limited to:

  • What processes need to be implemented to maintain quality data that helps ensure accurate results?
  • How frequently do data need to be reviewed, updated, or revalidated?
  • How will we know data are accurate?

Step 6: Respect data subject requests

Provide opportunities for individuals to review data and to request corrections.

Questions to consider include, but are not limited to:

  • How will the system or business process incorporate the data request practices?
  • Who will be responsible for collaborating with the UW Privacy Office and addressing data subject’s requests?

Reference

[1] The Fair Information Practice Principles on this page are a subset of the full list duplicated from the International Association of Privacy Professionals website.