APS 2.2 University Privacy Policy

(Approved by the Chief Health System Officer, UW Medicine and Vice President for Medical Affairs by authority of Executive Order No. 1 and the Vice President and Vice Provost for UW Information Technology by authority of Executive Order No. 63)    

1.  Purpose

This policy statement sets forth ways in which the University of Washington’s workforce members are required to protect the privacy of institutional information, specifically personally identifiable information, in any form (including, but not limited to, electronic or paper). This policy statement includes:

  • Rules regarding how University workforce members should create, collect, use, and disclose the three categories of institutional information: confidential information, restricted information, or public information.
  • A required “Website Terms and Conditions of Use” statement and an “Online Privacy Statement” to support University goals for transparency.

University workforce members shall consult, as appropriate, Administrative Policy Statement 2.4 and other relevant Administrative Policy Statements for further understanding of information security and privacy roles, responsibilities, and definitions; information systems security; minimum data security standards; and incident management.

2.  Scope

This policy applies to:

  • University workforce members; and
  • Institutional information within the possession, custody, or control of the University.

3.  Information Security and Privacy Laws and Regulations, and University Rules and Policies

A. Subject Matter Experts

The University Privacy Official and the University Chief Information Security Officer shall create and maintain an online list of:

  1. Information security and privacy laws and regulations that impart a duty upon the University; and
  2. University-wide information security and privacy policies, standards, and guidelines that apply to institutional information.

The University Chief Information Security Officer shall manage the online list.

B. Identifying a Subject Matter Expert

The University Privacy Official and University Chief Information Security Officer shall consult with the appropriate executive head of the major University organization to identify the appropriate subject matter expert(s) for information security and privacy laws and regulations.

C. Subject Matter Expert Obligations

Each subject matter expert identified on the list of information security and privacy laws and regulations shall create and maintain a website on compliance with the law or University rules or policies for which he or she is the subject matter expert. The website shall identify a primary point of contact for questions.

Where more than one subject matter expert has a role in a law, or University rules or policies, the subject matter expert shall collaborate with the other applicable subject matter experts.

D. Conflicts

If a University workforce member perceives a conflict between two or more information security or privacy laws and regulations, or University rules or policies, he or she shall consult with the subject matter experts. If the subject matter experts are unable to resolve the conflict, they shall consult with the following individuals:

  • University Privacy Official, or his or her designee;
  • University Chief Information Security Officer; and
  • University data custodians relevant to the institutional information.

As needed, the University Privacy Official and the University Chief Information Security Officer will consult with a representative for the University Division of the Attorney General’s Office.

4.  General Rules on Collection, Use, and Disclosure of Institutional Information

University workforce members shall follow the general rules in this section if the use and disclosure of institutional information is not covered by laws and regulations or University rules or policies.

A. Confidential Information

The definition of confidential information is found in Administrative Policy Statement 2.4; the controls for protecting confidential information can be found in Administrative Policy Statement 2.6; and examples can be found on the UW Data Classification web page. The privacy principles associated with confidential information include:

Respect the laws and regulations that impart a duty upon the University with regard to confidential information. Guidance may be provided by the subject matter experts.

Create and collect only what is needed for legitimate University purposes.

The principle of least privilege, whereby individuals authorize access, use, and disclosure only to those who need to use or receive it as appropriate to fulfill authorized job duties or activities for the University. Recipients of confidential information shall limit or restrict further disclosure as appropriate.

Social Security numbers (SSN), driver’s license numbers, and financial account numbers are confidential information and shall not be collected, used, or disclosed unless allowed under a generally applicable University standard (e.g., the Social Security Number Standard). Exceptions or amendments to the applicable University standard must be reviewed and endorsed by the relevant data custodian(s) before being submitted by the relevant data custodian(s) to the University Privacy Official and University Chief Information Security Officer for final approval.

B. Restricted Information

The definition of restricted information is found in Administrative Policy Statement 2.4; the controls for protecting confidential information can be found in Administrative Policy Statement 2.6; and examples can be found on the UW Data Classification web page. The privacy principles associated with restricted information include:

Respect the guidance of the executive heads of the major UW organizations and the relevant data trustee or data custodian for restricted information.

Create and collect only what is reasonably needed for legitimate University purposes.

The principle of least privilege, whereby individuals authorize access, use, and disclosure only to those who need to receive it as appropriate to fulfill authorized job duties or activities for the University or as otherwise authorized by management, the relevant data trustees, or data custodians.

C. Public Information

Create, collect, use, and disclose public information to fulfill the University’s mission.

5.  Institutional Information Classifications

In some cases, the combination or removal of data elements of institutional information may change the classification category. If the classification category changes, University workforce members shall protect the institutional information commensurate with the updated information classification category.

6.  “University of Washington Website Terms and Conditions of Use” Statement and the “University of Washington Online Privacy Statement”

The “University of Washington Website Terms and Conditions of Use” statement and the “University of Washington Online Privacy Statement” serve a variety of important functions, including informing visitors to University websites about the potential uses of information, defining acceptable behavior, and limiting University liability.

University websites, including, but not limited to, websites for education, research, patient care, and service areas (internal and external to the University), shall have clearly visible links on the websites to the most recent “University of Washington Website Terms and Conditions of Use” statement and the most recent “University of Washington Online Privacy Statement.” In addition, University web pages, including, but not limited to, web pages for education, research, patient care, and service areas (internal and external to the University), shall have the same clearly visible links where circumstances warrant, such as web pages that request information from the web page user or on web pages containing content that needs protection.

Depending upon the web page content or users, the “University of Washington Website Terms and Conditions of Use” statement and the “University of Washington Online Privacy Statement” may have to be amended or supplemented to meet legal or policy requirements associated with the web page content or users. Such amendments or supplements must be reviewed and endorsed by the relevant executive head of the major University organization before being submitted by the relevant executive head of the major University organization to the University Privacy Official, or his or her designee, and the University Chief Information Security Officer for approval.

University employees who permit third parties to use a University-owned domain (including the placement of websites) shall ensure that the third party is contractually obligated to have a “Website Terms and Conditions of Use” statement and an “Online Privacy Statement” that complies with all applicable laws and regulations and is consistent with the “University of Washington Website Terms of Use” statement and the “University of Washington Online Privacy Statement.”

7.  Restrictions on Unsolicited Emails

To avoid or reduce Internet fraud, University units, including, but not limited to education, research, patient care, and service areas (internal and external to the University), and University workforce members shall not:

  • Send unsolicited email (where the recipient has not granted permission for the message to be sent) to individuals that asks them to reply with confidential information; and
  • Send unsolicited emails to individuals that ask them to click embedded links to University web self-service transactions that require entry of confidential information.

Unsolicited email does not include email sent from a University unit, including, but not limited to, education, research, patient care, and service areas (internal and external to the University), to individuals who receive services from, or have an ongoing relationship with, the unit.

8.  Policy Maintenance

The University Privacy Official and University Chief Information Security Officer shall review and approve this policy statement at least every three years or more frequently as needed to respond to changes in the regulatory environment, prior to being sent for final approval by those who have been delegated executive authority. The University Chief Information Security Officer shall manage the review process.

9.  Additional Information

For further information on this policy statement contact:

November 4, 2011; RC, June 20, 2012.