
APS 2.5 Information Security and Privacy: Incident Reporting and Management


(Approved by the President per delegations of authority Executive Order No. 4, Executive Order No. 6, and Executive Order No. 63)    

1.  Purpose

This policy establishes how the University handles unforeseen events that impact privacy, result in a breach of personal data, and/or compromise the security of information systems and information technology.

2.  Scope

All University departments, auxiliary enterprises, and service centers that conduct processing of personal data or manage information systems and information technology on behalf of the University are required to comply with this policy.

3.  Definitions

Please see Administrative Policy Statement 2.4 for Definitions and Roles and Responsibilities.

4.  Incident Reporting by Workforce Members

Workforce members must report an unforeseen event, a potential or confirmed breach of personal data, or an information security incident promptly to the office responsible for responding to and/or managing the incident as noted in this policy.

As directed by responsible offices, workforce members must provide the full assistance needed for incident management processes. Workforce members must apply the principle of least privilege, limiting information sharing and communications to what individuals need to know to complete their assigned duties or functions. Workforce members also must handle evidence and manage records carefully, including marking records as draft or final and retaining or purging records according to the applicable records management processes and retention schedules.

Diagrams to assist workforce members in determining where to report an incident are available on the UW Privacy Office website. Processes and procedures for workforce members to report an incident are published on the websites of responsible offices.

5.  Incident Management by Responsible Offices

The offices responsible for managing incidents or potential or confirmed data breaches are identified in this section. Each of these offices must maintain and publish processes and procedures for the following types of incidents and potential or confirmed data breaches.

A. Human Subject Information and Reportable New Information for Research

Communication to human subjects or third parties affected by an incident will be made as directed by the Institutional Review Board and carried out in accordance with applicable legal, regulatory, or contractual requirements.

Guide to Reporting New Information and the related Standard Operating Procedures and forms for human subject research are available on the Human Subjects Division website.

B. Information Security Incidents

Incident reporting and management processes for information security events that adversely impact the confidentiality, integrity, or availability of University information, infrastructure technology, or information systems are available on the Office of the Chief Information Security Officer website.

The Associate Vice President for Information Security and University Chief Information Security Officer coordinates with the Assistant Vice Provost for Export Controls on incidents that may involve the disclosure of Controlled Unclassified Information (except for Covered Defense Information) and Export Controlled Information.

The Associate Vice President for Information Security/University Chief Information Security Officer and the UW Medicine Chief Information Security Officer coordinate and collaborate on incidents that adversely impact the shared interests of the University and UW Medicine.

C. Personal Data Breaches

Communication to persons, other than patients or human subjects, about incidents, potential or confirmed data breaches, or exposure of personal data will be made as directed by the University Privacy Officer.

The University Privacy Officer will coordinate the University’s response with University leadership, University Media and Communications, the Attorney General’s Office, and external regulators or third parties.

Incident reporting and management processes for incidents, potential or confirmed data breaches, or exposure of personal data, other than protected health information under the authority of the HIPAA Privacy Officials or human subjects under the authority of the Institutional Review Board, are available on the UW Privacy Office website.

D. Protected Health Information (PHI) at Health Sciences Healthcare Components

Incident reporting and management processes for Protected Health Information (PHI) incidents within the Healthcare Components are available on the Health Science Administration website.

Communication to patients affected by a potential or confirmed data breach or incident at Health Sciences Healthcare Components will be made as directed by the Executive Director of Health Sciences Administration and Health Sciences Healthcare Component HIPAA Privacy Official, and carried out in accordance with applicable legal, regulatory, or contractual requirements.

The Executive Director of Health Sciences Administration and Health Sciences Healthcare Component HIPAA Privacy Official will coordinate the University’s response with University leadership, University Media and Communications, the Attorney General’s Office, and external regulators or third parties.

E. Protected Health Information at UW Medicine

The UW Medicine Chief Compliance Officer and HIPAA Privacy Official will direct communication with patients affected by a potential or confirmed data breach or other patient-involved incident at UW Medicine.

The UW Medicine Chief Compliance Officer and HIPAA Privacy Official will coordinate the University’s response with University leadership, University Media and Communications, the Attorney General’s Office, and external regulators or third parties.

Incident reporting and management processes for Protected Health Information incidents within UW Medicine are available on the UW Medicine Compliance website.

F. National Security Classified Information and Covered Defense Information

Incident reporting and management processes for National Security Classified Information and Covered Defense Information are available by contacting the University Facility Security Officer.

6.  Processes and Procedures

Each office responsible for incidents or data breaches must develop, maintain, and follow processes and procedures that at a minimum include the following elements for each incident or potential or confirmed data breach:

  • Report by workforce members;
  • Assignment of an incident manager;
  • Identification and preservation of evidence;
  • Assessment of risk to the institution, potential harm to individuals, and compliance with applicable laws and regulations;
  • Containment action(s) to stop harm caused by the incident, if any;
  • Communication plan(s), including communication to the President, the Provost, and the Board of Regents;
  • Mitigation effort to address the weakness that caused the incident;
  • Recovery or restoration of the affected system(s) or service(s) back to an operational state; and
  • Management of records according to the applicable records retention schedule.

7.  Responsible Office and Additional Information

For further information on this policy, contact:

8.  History

November 4, 2011; January 7, 2016; February 4, 2020.