1. Purpose
This policy statement establishes roles, responsibilities, and definitions that are used consistently throughout University information security, privacy, and data protection policy. It also describes enforcement mechanisms should an individual fail to comply with the policy.
2. Roles and Responsibilities Related to Information Security, Privacy, or Data Protection
A. Assistant Vice Provost for Research/ Director of the Human Subjects Division
The Assistant Vice Provost for Research and Director of the Human Subjects Division provides oversight and coordination of privacy and confidentiality for participants and data in human subjects research. Specific responsibilities include:
- Oversee the creation and maintenance of privacy and confidentiality policies, standards, and guidelines for human subjects research.
- Work with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Official for UW Medicine and the HIPAA Privacy Official for the Health Sciences Healthcare Components to ensure a consistent approach to the research-related components of the HIPAA Privacy Rule; oversee the granting of HIPAA-related waivers for research activities.
- Triage, coordinate, and/or manage investigations and resolutions of potential or confirmed data breaches involving identifiable human research data, and notify outside agencies regulating human research.
The Assistant Vice Provost for Research and Director of the Human Subjects Division reports to the Associate Vice Provost for Research Administration and Integrity.
B. Associate Vice President for Information Security/ University Chief Information Security Officer (CISO)
Provides information security vision, strategy, and coordination across the University. Specific responsibilities include:
- Coordinate and document information security program activities including institutional risk assessments related to University information security practices;
- Oversee the creation and maintenance of the University information security related policies, standards, and guidelines;
- Provide support for compliance with information security related laws, regulations, standards, and contractual requirements;
- Provide oversight, direction, and management for information security incident investigations, including forensics analysis; and
- Serve as the University’s liaison with law enforcement and other outside authorities who may need to be informed about an information security incident.
The Associate Vice President for Information Security and University Chief Information Security Officer reports to the Vice President of UW Information Technology and Chief Information Officer.
C. Associate Vice Provost for Privacy/ University Privacy Officer/ University Data Protection Officer
Provides privacy vision, strategy, and coordination for a comprehensive and cohesive approach to protecting the privacy of personal data across the University. Specific responsibilities include:
- Develop, in consultation with University leadership, universal privacy principles that uphold University values;
- Oversee and approve privacy related policies and standards that apply to more than one organization or involve more than one type of data at the University;
- Coordinate confidentiality agreements, consent forms, notice of privacy practices, or related opt-in/opt-out choices for areas other than those under the authority of the Institutional Review Board or protected health information under the authority of the HIPAA Privacy and Security Officials;
- Provide oversight, management, and direction for investigations and potential or confirmed data breaches involving personal data, other than protected health information, and make the final determination of notification to individuals and outside parties for areas other than those under the authority of the Institutional Review Board or protected health information under the authority of the HIPAA Privacy and Security Officials;
- Advise colleagues on ways to balance the broad nature of privacy risk and harms;
- Evaluate and make recommendations for the release or sharing of personal data to third parties or external service providers; and
- Serve as the University’s liaison with external authorities who may have a privacy related inquiry or complaint, or who need to be informed about a potential or confirmed data breach for areas other than those under the authority of the Institutional Review Board or protected health information under the authority of the HIPAA Privacy and Security Officials.
The Associate Vice Provost for Privacy and University Privacy Officer reports to the Vice Provost for Academic and Student Affairs.
The Associate Vice Provost for Privacy and University Privacy Officer is also the University Data Protection Officer as required by the European Union General Data Protection Regulation (EU GDPR). This position provides oversight and direction for tasks required by the EU GDPR in relation to all personal data at the University except protected health information under the authority of the HIPAA Privacy and Security Officials. The University Data Protection Officer is accountable to the President and reports to the Vice Provost for Academic and Student Affairs.
D. Data Trustees
Data trustees typically report to the President and/or to the Provost and Executive Vice President for Academic Affairs and have written delegated authority to approve policies, standards, and guidelines related to the management of data within their area of responsibility and to appoint data custodians for their subject area domains.
E. Data Custodians
Data custodians are appointed by (and typically report to) data trustees to help define, interpret, and implement external requirements and internal policies, standards, and guidelines related to the management of data within their subject area domains and areas of responsibility.
Data custodians of personal data collaborate and coordinate with the University Privacy Officer to ensure a consistent approach to privacy across subject areas and across the University.
F. Executive Director of Health Sciences Administration/ HIPAA Privacy Official for Health Sciences Healthcare Components
The HIPAA Privacy Official for Health Sciences Healthcare Components provides oversight for HIPAA Privacy Rule policies and program development, implementation, and enforcement matters for Health Sciences Healthcare Components.
The HIPAA Privacy Official for Health Sciences Healthcare Components collaborates and coordinates with the HIPAA Privacy Official for UW Medicine to ensure there is a consistent approach to HIPAA across the UW HIPAA designation.
The HIPAA Privacy Official for Health Sciences Healthcare Components has the following responsibilities related to Protected Health Information:
- Ensure effective coordination and documentation of HIPAA privacy program activities;
- Recommend resources necessary to accomplish program objectives;
- Approve HIPAA privacy program policies and procedures that are equivalent to and consistent with UW privacy policies;
- Direct completion of related risk assessment activities;
- Respond to urgent and emergent issues, manage data breaches, and interpret data breach notification requirements;
- Serve as the contact point for patients who wish to exercise their privacy rights;
- Educate workforce members about their responsibilities related to patient privacy; and
- Work closely with senior leadership and compliance staff to enforce HIPAA privacy policies.
The HIPAA Privacy Official for Health Sciences Healthcare Components is accountable to the President and the Provost. The Executive Director of Health Sciences Administration and HIPAA Privacy Official for Health Sciences Healthcare Components reports to the President and the Provost.
G. Executive Heads of Major University Organizations
The executive heads of major University organizations are chancellors, vice presidents, vice provosts, deans, the Executive Director of Health Sciences Administration, and other individuals who report to and have delegated executive authority from the President and/or the Provost. These individuals are responsible for implementing, documenting, and maintaining sufficient processes, procedures, and delegations of authority to comply with the requirements in the information security and privacy policies. This includes accountability for risks, compliance obligations, budgets, and financial costs associated with University information security and privacy, including incidents and data breaches within their organizational area(s).
H. System Owners
System owners are responsible for the overall development, implementation, operation, and maintenance of an information system. This includes privacy by design and information security controls and operational practices related to University information and information systems for their area of responsibility. System owners advise executive heads of major University organizations on the resources necessary to develop and implement controls to help protect University information and information systems.
I. University Facility Security Officer
The University Facility Security Officer supervises and directs security measures necessary for implementing applicable security requirements of the National Industrial Security Program Operating Manual and related federal requirements for National Security Classified Information and Covered Defense Information.
J. UW Medicine: Chief Compliance Officer/ HIPAA Privacy Official/ Data Protection Officer
The HIPAA Privacy Official provides oversight for the HIPAA Privacy Rule policies and program development, implementation, and enforcement matters for UW Medicine. The HIPAA Privacy Official for UW Medicine collaborates and coordinates with the HIPAA Privacy Official for Health Sciences Healthcare Components to ensure a consistent approach to HIPAA across the UW HIPAA designation. Specific responsibilities include the following:
- Ensure effective coordination and documentation of HIPAA privacy program activities within UW Medicine;
- Recommend resources necessary to accomplish program objectives;
- Approve HIPAA privacy program policies and procedures compatible with UW privacy and EU GDPR policies;
- Direct completion of related risk assessment activities;
- Respond to urgent and emergent issues, manage data breaches, and interpret data breach notification requirements;
- Serve as the contact point for individuals who wish to exercise their privacy rights under HIPAA;
- Educate workforce members about their responsibilities related to privacy; and
- Work closely with senior leadership and compliance staff to enforce HIPAA privacy policies.
The UW Medicine HIPAA Privacy Official/ Chief Compliance Officer is also the Data Protection Officer as required by the EU GDPR. This position provides oversight and direction for tasks required by the EU GDPR in relation to protected health information. The UW Medicine Data Protection Officer collaborates and coordinates with the University Data Protection Officer to ensure a consistent approach to EU GDPR across the University.
The UW Medicine HIPAA Privacy Official/ Chief Compliance Officer/ Data Protection Officer is accountable to the President and reports to UW Medicine/ Executive Vice President for Medical Affairs/ Dean of the School of Medicine, University of Washington.
K. UW Medicine: Chief Information Security Officer (CISO), HIPAA Security Official
The HIPAA Security Official provides oversight for the HIPAA Security Rule standards, program development, and implementation for UW Medicine. The HIPAA Security Official for UW Medicine collaborates and coordinates with the UW Medicine Chief Compliance Officer/ HIPAA Privacy Official to ensure a consistent approach to HIPAA across the UW HIPAA designation. Specific responsibilities include the following:
- Ensure effective coordination and documentation of HIPAA security program activities in UW Medicine;
- Recommend resources necessary to accomplish program objectives;
- Direct completion of related HIPAA security risk assessment activities;
- Educate workforce members about their responsibilities related to security; and
- Work closely with senior leadership and compliance staff to enforce HIPAA security policies.
The UW Medicine CISO also provides information security vision, strategy, and coordination across UW Medicine. The UW Medicine CISO collaborates and coordinates with the Associate Vice Provost for Privacy/ University Privacy Officer/ University Data Protection Officer to ensure a consistent approach to protection of personal data across the University. Specific responsibilities include:
- Coordinate and document information security program activities including risk assessments related to UW Medicine information security practices;
- Oversee the creation and maintenance of the UW Medicine information security related policies, standards, and guidelines compatible with the University policies, standards, and guidelines;
- Provide support for compliance with information security related laws, regulations, standards, and contractual requirements;
- Provide oversight, direction, and management for UW Medicine information security incident investigations, including forensics analysis; and
- Serve as UW Medicine’s liaison with law enforcement and other outside authorities who may need to be informed about UW Medicine information security incidents, other than incidents involving personal data under the authority of the Associate Vice Provost for Privacy/ University Privacy Officer/ University Data Protection Officer.
The UW Medicine Chief Information Security Officer reports to the UW Medicine Chief Information Officer with dotted line reporting to the UW Medicine Chief Health System Officer/Vice President for Medical Affairs.
L. Workforce Members
Workforce members are employees, trainees, students, volunteers, and other entities or persons who perform work for the University.
Workforce members consult with and follow the applicable laws, regulations, and University policies and related standards and guidelines. Workforce members who are granted access and privileges to University information or information systems are to access and use University information and information systems only to fulfill authorized job duties or activities for the University.
When University employees who are workforce members provide third-party access to or use of personal data or information covered by University policy, the employees are responsible for including terms and conditions in an agreement or contract that require compliance with applicable information security and privacy laws and University policy.
3. Definitions
The following are terms used in University policies on information security and privacy as well as standards and guidelines issued pursuant to University policy.
Access Control System—Physical, administrative, or technical controls that grant and restrict individual access to information systems.
Authentication—A systematic method for establishing proof of individual identity when an individual accesses an information system.
Authorization—The process to define which individuals are allowed access to an information system and what privileges are allowed for each individual.
Availability—University information and information systems accessible by authorized individuals.
Confidential Information—University information that is sensitive in nature and typically subject to federal or state regulations. Unauthorized disclosure of this information could seriously and adversely impact the University or the interests of individuals and organizations associated with the University.
Confidentiality—University information and information systems are not accessed, acquired by, used, or disclosed to unauthorized parties.
Controlled Unclassified Information—Information, categorized and listed in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and U.S. government-wide policies but is not classified under U.S. Presidential Executive Order 13526 or the Atomic Energy Act, as amended.
Controlled Unclassified Information does not include classified information or information a contractor possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, a government agency or an entity acting for a government agency.
Covered Defense Information—Controlled Unclassified Information that is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the University by or on behalf of the U.S. Department of Defense in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Covered Defense Information includes all unclassified information related to a classified contract that has not been approved for public release.
Data Breach—Any technical or physical incident or set of circumstances that leads to the unauthorized, accidental, or unlawful access to, or destruction, loss, alteration, or disclosure of personal data.
Data Processing—Any operation(s) performed on personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, or destruction.
Data Subject Request—A request from an individual data subject to exercise rights available under any applicable law with respect to personal data.
Export Controlled Information—Unclassified technical data subject to the Export Administration Regulations (EAR) (15 CFR Parts 730-774) or the International Traffic in Arms Regulations (ITAR) (22 CFR Parts 120-130) which are listed on the Commerce Control List (Supplement No. 1 to Part 774 of the EAR) or the United States Munitions List (22 CFR Part 121 of the ITAR). Export Controlled Information includes information, proprietary data, trade secrets, and software related to export controlled items. Export Controlled Information does not include the results of “fundamental research,” which is defined as basic and applied research results in science and engineering where the resulting information is ordinarily published, without sponsor or governmental approval, and shared broadly with the scientific community. Research results may be considered export controlled if a sponsor or governmental agency has placed restrictions on who may generate, access, or disseminate information resulting from the research.
Facility Security Clearance—An administrative determination made by the United States Government that, from a national security viewpoint, a company is eligible for access to national security information of a certain category (and all lower categories) or award of a classified contract.
Information Security Incident—An event that adversely impacts the confidentiality, integrity, or availability of University information, infrastructure technology, or information systems.
Integrity—University information or information systems that have not been altered or corrupted by chance or by malice.
National Security Classified Information—Official information, owned by the U.S. government or entrusted to the U.S. government by another country, that has been determined, pursuant to U.S. Presidential Executive Order 13526 or any predecessor order, to require protection against unauthorized disclosure in the interest of national security and which has been so designated. National Security Classified Information is information created or received by an agency of the federal government or a government contractor that would damage national security if improperly released. National Security Classified Information is designated to indicate its classified level. The three levels of classification defined by U.S. Presidential Executive Order 13526 are Confidential, Secret, and Top Secret.
Personal Data—Any records or information relating to an identified or identifiable natural person, such as name, identification number, location data, online identifiers, or factor(s) specific to physical, physiological, genetic, mental, economic, cultural, or social identity or characteristics, or that is defined as personally identifiable data, personally identifiable information, or a similar term under law or regulation.
Principle of Least Privilege—Access privileges to any University information or information system for any individual shall be limited to only what they need to complete their assigned duties or functions.
Principle of Separation of Duties—Whenever practical, no one person shall be responsible for completing or controlling a task, or set of tasks, from beginning to end when it involves the potential for fraud, abuse, or other harm.
Privacy by Design or Privacy by Default—The protection of personal data by embedding privacy practices into University operations, business processes, information systems, and technologies, including: at the earliest design stage when initially determined that data processing will involve personal data; during data processing; and at the conclusion of the information lifecycle when personal data is no longer needed for the purpose for which it was collected or created by the University.
Protected Health Information (PHI)—See Glossary of Terms for UW Medicine Privacy Policies.
Public Information—University information that is published for public use or has been approved for public use by the appropriate University authority.
Restricted Information—University information that is circulated on a need-to-know basis or sensitive enough to warrant careful management and protection to safeguard its integrity and availability, as well as appropriate access, use, and disclosure.
Subject Area Domains—University information is organized according to specific high-level subject area domains for the purpose of assigning accountability and responsibility over data that spans one or more organizations. Subject area domains include but are not limited to: human resources, student academics, student financial aid, finance and administrative, youth programs, advancement, healthcare, athletics.
System of Record—An information system that holds University information or data designated as the most accurate representation of the meaning and context of University information or data elements, which are recorded as facts and used if/as needed to resolve discrepancies in information or data.
University Information—All information which is created, received, maintained, or transmitted by the University.
University information can be:
- Contained in any form including but not limited to documents, databases, spreadsheets, email, or websites;
- Represented in any form including but not limited to letters, numbers, words, pictures, sounds, symbols, or any combination thereof;
- Communicated in any form including but not limited to handwriting, printing, photocopying, photographing, or web publishing; and
- Recorded upon any form including but not limited to papers, maps, films, prints, discs, drives, memory sticks, or other information systems.
4. Governance
A. Privacy Steering Committee
Chartered by the Provost to advise the UW Privacy Office and University leadership on an approach to protecting individuals’ privacy and to ensure consistent reporting on privacy activities, risks, and policies across the University. This committee helps uphold the UW values and guide strategic decisions about the purpose and use of personal data.
B. Data Governance Committees
Chartered by the Provost to address data strategy and stewardship responsibilities for the University. The scope of the charge includes all academic, business, and administrative research data on all UW campuses, remote sites, medical centers, and all academic support units.
C. Managerial Group for Classified Research and Contracts
Specific members of University management personnel who are required to be appropriately cleared in connection with the University’s Facility Security Clearance, and who are responsible for classified United States government contracts and the protection of national security information at the University.
D. UW Medicine Compliance Governance Group
UW Medicine executive-level committee for development of strategic compliance plans, approval of enterprise compliance program initiatives and policies, and establishment of risk management plans.
E. UW Medicine IT Strategic Oversight Committee
UW Medicine executive-level committee that approves IT Services’ support of UW Medicine’s business and care strategies, goals, and objectives.
F. UW Medicine Security Program Executive Committee (SPEC)
SPEC provides oversight and direction for the UW Medicine information security program strategy and execution. It serves as the senior executive advisory group to the UW Medicine Chief Health System Officer for information security risks and is the point of accountability for the UW Medicine information security program.
The University reserves the right to pursue appropriate legal action to recover any financial losses suffered as the result of a violation of University policy on information security and privacy.
5. Additional Information and Responsible Office
For further information on this policy contact:
- UW Privacy Office
- Office of the Chief Information Security Officer
6. History
November 4, 2011; RC, June 20, 2012; February 4, 2020.