UW Privacy Office

Share Data

Last updated on July 31, 2023


Overview

Data sharing occurs when an entity provides personal data to another entity that would not otherwise have access to the data, whether for the same purpose for which the data were originally collected or for a different one. The UW’s values and Privacy Principles guide the University’s personal data request and sharing processes and decisions to minimize the potential risks and support the well-being of the individuals we serve. When evaluating a data sharing request and sharing data, whether internally at the UW or externally beyond the UW, it is important, and sometimes required, that UW units ensure the use of the data is consistent with the purpose for which the data were collected and that proper agreements are in place for managing the data-sharing relationship.

The data request process and agreements summarized on this page help establish clear accountability and protect data.

Data requests

The data request process (available winter 2023) establishes a common understanding of the information needed from a data requestor and by a data approver to evaluate and make an informed decision about a data request. It streamlines the process by requesting the necessary information at the beginning and documenting UW’s assessment and decisions in a consistent format. It helps demonstrate due diligence.

Internal UW agreements

Internal Data Processing Memorandum of Understanding

The UW’s Internal Data Processing Memorandum of Understanding (MOU) clarifies the data sharing purpose, roles, and responsibilities between two or more UW units. Review the Internal MOU webpage to learn more about the MOU and the resources available to assist UW units with it.

External (third-party) agreements

Business Associate Agreement

The Health Information Portability and Accountability Act (HIPAA) requires a Business Associate Agreement (BAA) with each Business Associate. UW Medicine maintains the UW Business Associate Agreement and provides support for its use.

A Business Associate is identified as an entity or individual who:

  • is not a workforce member of the UW;
  • will be or is performing a service or activity “for” or “on behalf of” the UW or UW Medicine; and
  • whose service or activity involves the use or disclosure of Protected Health Information (PHI).

Data Processing Agreement

The UW Data Processing Agreement (DPA) is an agreement between the UW and a third party. The DPA helps establish the purpose and parameters for data processing and clarifies roles and responsibilities. In some instances, such as when data processing is governed by a law or regulation, a written DPA is required.

Review the DPA webpage for more information about the DPA and for resources available to assist UW units with it.

Retired agreements

Personal Data Processing Agreement

The Personal Data Processing Agreement (PDPA) was retired in 2021 and replaced with the DPA for certain third-party agreements that involve personal data. Contracts that rely on PDPA terms should be reviewed and updated with the DPA.

Data Security and Privacy Agreement

The Data Security and Privacy Agreement (DSPA) was retired in 2018 and replaced with the DPA for certain third-party agreements that involve personal data. Contracts that rely on DSPA terms should be reviewed and updated with the DPA.