UW Privacy Office

UW Standard for European Union General Data Regulation (EU GDPR)

Approved by UW Privacy Official, Version 01, 4-25-2018 

Note: This standard will be updated periodically as EU GDPR goes into effect and additional official information about the regulations becomes available. For more information see the update history at the end of the standard.

Table of Contents

  1. Overview
  2. Purpose
  3. Scope
  4. Applicability
  5. Roles and Responsibilities
  6. Definitions
  7. Personal Data Use Record Requirement
  8. Notification Requirement
  9. Consent Requirement
  10. Online Monitoring Activity
  11. Data Sharing or Transfer Requirement
  12. Incident Management Requirement
  13. Retention of Personal Data Requirement
  14. Policy Maintenance
  15. Additional Information
  16. Relevant Policies
  17. Revision History

I.         Overview

At the UW, there are situations in which it is imperative that we protect the privacy and confidentiality of individuals’ information. As we pursue our academic, research, health-care and business activities, it is vital that we each understand the humanitarian, ethical and legal aspects of individuals’ privacy.

The European Union General Data Protection Regulation (EU GDPR) broadly applies to data about people who reside in the European Union. The EU GDPR limits when and how personal data can be collected, stored, processed and used.  It also provides individuals with certain rights related to their personal data, including notice or consent, rights of access, and in some cases, requests for deletion.

Under the EU GDPR, personal data is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is an actual person (not a corporation or other business entity) who can be identified, directly or indirectly, by reference to:

          • Any identifiers, such as name, ID, location data, online identifier; or
          • Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

II.         Purpose

This standard is intended to assist UW units in interpreting, identifying resources for, and establishing the foundational elements for compliance with the following related to the EU GDPR:

            • Registering use of personal data
            • Providing notice to individuals about the collection and use of personal data
            • Obtaining consent from individuals in certain circumstances
            • Tracking or monitoring individuals’ website activity
            • Specifying data sharing terms and conditions in contracts that share or transfer personal data
            • Reporting incidents or data breaches
            • Retaining personal data

Ongoing efforts will further interpret and provide resources for EU GDPR, including its alignment or conflict with other laws related to personal data at the UW.


III.         Scope

All areas of the University of Washington that collect or process personal data about individuals that reside in the EU.


IV.         Applicability

All activities at the UW that collect or process personal data about individuals that reside in the EU. EU GDPR defines “processing” very broadly to include, for example, analyzing, storing and deleting.


V.         Roles and Responsibilities

Controller:

Individual responsible for decisions about the collection, use and protection of personal data. At UW, controllers are analogous to business owners, system owners or principal investigators who make management level decisions about the confidentiality, integrity and availability of information for which they are responsible. Controllers may advise executive heads of major University organizations about the financial resources necessary to protect data according to laws and UW rules/policies. Controllers collaborate with the Data Protection Officer on issues related to the protection of personal data.

Data Protection Officer (DPO):

Appointed by the UW President and Provost to develop a cohesive strategy for protecting personal data and to develop policies, training and resources that assist UW units in assessing and implementing necessary protections for personal data. The DPO performs a review of data protection or privacy-related impact or risk assessments and leads the response to and management of incidents involving personal data or allegations of privacy violations. If needed, the DPO reports incidents to external regulators. The DPO for UW is:

Ann Nagel
Institutional Privacy Official
Associate Vice Provost for Privacy
uwprivacy@uw.edu

Processor:

Individual responsible for processing, analyzing, storing and deleting personal data on behalf of the controller. Processors are analogous to technical owners, system operators, or research staff, who are responsible for the activities or operations associated with the use of the data or information system. Processors collaborate with the Data Protection Officer on issues related to the protection of personal data.


VI.         Definitions

Personal data:

Any information relating to an identified or identifiable natural person. An identifiable natural person is an actual person who can be identified, directly or indirectly, by reference to:

            • Any identifiers, such as name, ID, location data, online identifier; or
            • Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Personal data breach:

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Special categories of personal data:

Any data that:

            • Reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
            • Are genetic data or biometric data sufficient to uniquely identify a natural person.
            • Are concerning a natural person’s sex life or sexual orientation.

 


VII.         Personal Data Use Record Requirement

At the UW, the personal data use registry helps the UW document pertinent information that supports its role as a responsible steward of personal data. Controllers and processors must make a record of their use of personal data by completing the UW Privacy Office personal data use registry.

A. Elements of Personal Data Use Record

The record includes the following pertinent information, which may also be used to meet additional requirements related to assessing the nature, scope, context and purpose for collecting and using personal data:

            1. Identification of the controller and/or processor
            2. Purpose for collecting, using, or sharing personal data
            3. Location of data storage
            4. Categories of personal data included in the data set
            5. How long the data will be retained
            6. Whether notification or consent is provided to the individuals
            7. If personal data are routinely shared with other parties internal or external to the UW

VIII.         Notification Requirement

At the UW, privacy notices offer transparency to constituents regarding how any personal information they provide to the University of Washington (UW) will be used, retained, shared and secured.

Under EU GDPR, notification must be provided at the time personal data is obtained. Thus, notification is required the first time you contact someone whose data you did not directly obtain, or when using data for a purpose that is different than the one originally stated when the data was collected. If notification is required, then as a best practice, the UW standard notification form includes the required elements of notification in understandable language. See UW Privacy Office, Provide Privacy Notice webpage for more information.

The use of personal data requiring notification must be recorded in the personal data use registry maintained by the UW Privacy Office.

Notification is not required if:

            • The data subject already has the required notification information.
            • It would be impossible.
            • The UW did not collect the data and is using it for archiving, scientific or historical research, or statistical purposes, as long as that research/statistical/archiving meets certain safeguards, including, but not limited to, standards relating to technical and organizational security measures, data minimization, and using pseudonymisation where appropriate.

A. Elements of Notification

Notification under EU GDPR must include all of the following elements:

            1. Name and contact information for the controller(s) (or controller’s representative(s)) and Data Protection Officer.
            2. Purpose of processing including the controller’s legitimate interest and one of the following lawful bases for processing:
              1. Necessary for the performance of a contract to which the individual is a party or to take steps at the data subject’s request prior to entering into a contract;
              2. Necessary for compliance with a legal obligation;
              3. Necessary to protect the vital interests of the individual or another natural person;
              4. Necessary for the performance of a task carried out in the public interest or as required by an official authority;
              5. Necessary for the purposes of the legitimate interests pursued by the controller or by a third party as long as the purpose does not negate the interests or fundamental rights and freedoms related to the protection of personal data; or
              6. The individual has given consent for the specific purpose.
            3. If the UW is required to collect the personal data as part of a statutory or contractual requirement and there are possible consequences if the individual does not provide the personal data.
            4. The primary, and, if applicable, secondary or supplemental uses of the personal data.
            5. Recipient or types of recipients of the data.
            6. Whether the UW intends to share (transfer) personal data to an organization located in another country or to an international organization.
            7. Reference to the UW retention schedule for length of time data will be retained or an explanation of how that time period will be determined.
            8. Individuals’ rights to:
              1. Access, rectify or request erasure of their data
              2. Restrict processing of their data
              3. Object to processing
              4. Withdraw their consent without detriment
              5. Take their data with them (portability)
              6. Complain
            9. If you are using automated decision-making: the existence of automated decision-making, and meaningful information about the logic involved and the significance and consequences of such processing for the individual.

 


IX.         Consent Requirement

At the UW, consent promotes trusted relationships when collecting or using special categories of personal data. Under EU GDPR, consent is intended to promote transparency, fairness, lawfulness, integrity and accuracy.

The controller is required to obtain valid consent from the individual if consent is the lawful basis being relied upon for processing personal data or if the data meets the definition of special categories of personal data. If consent is required, then as a best practice, the UW standard consent form includes the required elements of consent in understandable language. See UW Privacy Office, Obtain Consent webpage for more information.

The use of personal data requiring consent must be recorded in the personal data use registry maintained by the UW Privacy Office.

A. Lawful Basis for Processing

Following is a description of the lawful bases for processing personal data:

            1. Necessary for the performance of a contract to which the individual is a party or to take steps at the data subject’s request prior to entering into a contract;
            2. Necessary for compliance with a legal obligation;
            3. Necessary to protect the vital interests of the individual or another natural person;
            4. Necessary for the performance of a task carried out in the public interest or as required by an official authority;
            5. Necessary for the purposes of the legitimate interests pursued by the controller or by a third party as long as the purpose does not negate the interests or fundamental rights and freedoms related to the protection of personal data; or
            6. The individual has given consent for the specific purpose.

If consent is being used as the lawful basis to process data, UW must be able to demonstrate, through documentation, that the consent was informed, clear and specific, freely given, as well as unambiguous and actively given. Individuals must be allowed to withdraw their consent at any time.

B. Special Categories of Personal Data

The controller must obtain consent from an individual prior to special categories of personal data being obtained from the individual unless the purpose is for a defined legitimate use.

Legitimate uses of special categories of personal data that do not require consent:

            1. To carry out specific obligations or rights of UW or data subject in employment;
            2. To protect the vital interests of the individual or another person when the individual is physically or legally incapable of providing consent;
            3. For legal defense;
            4. For various healthcare-related reasons, including assessing working capacity of employee, when the individuals involved in processing have duties of confidentiality;
            5. For various specified public health related reasons;
            6. For archiving, scientific or historical research or statistical purposes; or
            7. If processing relates to personal data which the individual manifestly makes public.

Note that other laws that relate to protection of personal data at the UW may still require consent even if EU GDPR does not require consent.

C. Elements of Consent

Consent must include all of the following elements in understandable language:

            1. Name and contact information for the controller(s) (or controller’s representative(s)) and Data Protection Officer.
            2. Lawful basis and purpose(s) of processing.
            3. Recipients or types of recipients of the data and their reliance on this consent.
            4. Reference to the UW retention schedule for length of time data will be retained or an explanation of how that time period will be determined.
            5. Individuals’ rights to:
              1. Access, rectify, or request erasure of their data
              2. Restrict processing of their data
              3. Object to processing
              4. Withdraw their consent without detriment
              5. Take their data with them to another entity
              6. Complain
            6. Notice that subsequent withdrawal of consent does not impact the lawfulness of prior data processing.

D. Valid Consent

Consent is only valid if it is:

            1. Informed by including the required elements of consent (above).
            2. Freely given and not a condition of receiving a product or service unless the information being provided is required for the delivery of the product or service. Additionally, the controller is required to allow the individual to withdraw consent without detriment.
            3. Specific to the purpose and use and not bundled with other terms and conditions.
            4. Clear and prominently presented information about the purpose and use and whether consent is being sought or given.
            5. Active and unambiguous with an opt-in approach. Passive, default and auto-box tick approaches are invalid.

E. Invalid Consent

Conversely, consent may not be valid if:

            1. There are doubts over whether the Data Subject has consented.
            2. The Data Subject doesn’t realize they have consented.
            3. No clear record demonstrating the Data Subject consented can be produced.
            4. There was no genuine free choice over whether to opt in.
            5. The Data Subject would be penalized for refusing consent.
            6. There is a clear imbalance of power between the Controller and the Data Subject.
            7. It was a precondition of a service, but the processing is not necessary for that service.
            8. It was bundled with other terms and conditions in an unclear way.
            9. The consent request was vague or unclear.
            10. Auto-ticked opt-in boxes or other methods of default consent were used.
            11. The Controller was not specifically identified.
            12. Data Subjects were not informed of their right to withdraw consent.
            13. Data Subjects cannot easily withdraw consent.
            14. The purposes or uses have evolved.

 


X.         Online Monitoring Activity

(Section in progress)

 


XI.         Data Sharing or Transfer Requirement

(Section in progress)

 


XII.         Incident Management Requirement

At the UW, there are various laws that relate to the protection of personal data and set forth requirements about how UW must respond to personal data breaches. For the EU GDPR, organizations are required to report certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.

Controllers and processors must promptly notify the DPO if a potential or actual personal data breach has occurred. The DPO will work closely with other University personnel to investigate and manage internal reporting procedures. Additionally, the DPO will determine if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, and if the UW must:

            • Inform the relevant supervisory authority or external regulator; or
            • Inform the individuals whose personal data was involved in the personal data breach.

 


XIII.         Retention of Personal Data Requirement

State law requires that the UW retain all records that reflect the transaction of public business, construed broadly. At the UW, the University General Records Retention Schedule is the primary source of retention requirements for the records created and received by the UW. The schedule describes retention periods for records that are common to most UW units. A UW unit may also use a supplementary Departmental Schedule developed in conjunction with Records Management Services or UW Medicine Records Management Services.

Under the EU GDPR, the controller must specify the period that the personal data will be retained or how the retention period will be determined. Such determinations must be included in notification, consent, agreements and documents that describe the purpose and use of personal data about individuals who reside in the EU. Carefully review the relevant records retention schedule(s) or consult with the appropriate Records Management Services department to determine what period of retention to specify when collecting personal data.


XIV.         Policy Maintenance

This standard will be updated periodically as EU GDPR goes into effect and additional official information about the regulations becomes available. The University Privacy Official shall review and approve this standard at least every three years or more frequently as needed to respond to changes in the regulatory environment. For more information see the update history at the end of the standard.

XV.         Additional Information

For further information on this standard contact:

UW Privacy Office
uwprivacy@uw.edu

 


XVI.         Relevant Policies

This standard is intended to assist UW units in complying with EU GDPR and the following UW Policies:

APS 2.2 Privacy Policy
APS 2.4 Information Security and Privacy Roles, Responsibilities, and Definitions
APS 2.5 Information Security and Privacy Incident Management Policy
APS 2.6 Information Security Controls and Operational Practices

 


XVII.         Revision History

Version 01 — Published 4-25-2018

 

Standard Notification Language for UW Units

See the UW Privacy webpage Provide Privacy Notice

Standard Consent Language for UW Units

See the UW Privacy webpage Obtain Consent