Privacy Assessments

Last updated: September 26, 2024

Overview

A privacy assessment is a questionnaire that helps units analyze and manage impacts and risk of harm to individuals. Drawing from industry best practices and informed by the interoperability of international and domestic laws and regulations, a privacy assessment empowers units to make informed decisions about their business processes in the interest of the people UW serves.

Benefits

A privacy assessment helps all areas of the University:

  • Assess and make informed decisions about the impacts and risk of harm to individuals.
  • Identify and implement solutions to collect, use, and maintain data appropriately.
  • Uphold UW’s values and Privacy Principles and meet legal and ethical responsibilities related to personal data.

When a privacy assessment is required

UW Units will be required to complete a privacy assessment in the TrustArc Privacy Management Platform for business processes involving high-risk data processing. After you inventory your business process and any related third parties and/or systems, TrustArc will create a risk profile that will indicate when an assessment is needed. The high-risk data processing categories are summarized below and are described in more detail on the high-risk data processing page.

  • Automated decision-making.
  • Evaluation or scoring.
  • Systematic monitoring.
  • Sensitive or personal data.
  • Large scale data.
  • Matched or combined datasets.
  • Data concerning vulnerable subjects.
  • Innovative or new technology.
  • Interference with rights.
  • Risks to fundamental rights or freedoms of individuals.
  • Other high risks.

The Privacy Office will review data inventory records twice a week to identify business processes requiring a privacy assessment. Privacy assessments for existing high-risk business processes will follow the same data domain prioritization schedule as described in step 2 on the data inventory page, beginning with units with open advising tickets.

Step 1: Learn about privacy assessments, data inventory, and TrustArc

Review the following resources to learn essential, high-level background information. If you have additional questions after reviewing these resources, support hours for TrustArc are available; you can register for them on the Event Calendar.

UW Privacy Office:

TrustArc Videos:

Please contact uwprivacy@uw.edu for alternative training options while closed captioning and transcripts are in development.

Step 2: Determine the need for an assessment

Create data inventory records in TrustArc

To determine if a privacy assessment is needed, you will need to inventory your business process and any related third parties and/or systems in the TrustArc Privacy Management System Data Inventory. After you enter your record(s), TrustArc will create a risk profile, which the Privacy Office will review to determine if an assessment is needed. Review the data inventory page for more information.

Step 3: Initiate assessment sent to you from the Privacy Office

If an assessment is required for the system or business process, you will receive an email from the Privacy Office via TrustArc inviting you to complete an assessment. Select “Begin Assessment” to get started.

Step 4: Complete assessment

Follow the prompts provided in the questionnaire to complete the assessment. The questionnaire includes a series of short-answer and multiple-choice questions, with opportunities to include supporting documents. You will be able to save your work in progress and return to complete the assessment if needed.

At your request, the Privacy Office can add other UW personnel as respondents to help you complete all or a portion of the assessment if needed. These individuals will not need to submit an access request to the Privacy Office for direct access to TrustArc.

After you submit the assessment, a UW Privacy Office team member will review it.

Step 5: Provide additional information and/or address privacy concerns (if necessary)

The Privacy Office may, via TrustArc, request additional information or ask that steps be taken to address risks, impacts, or concerns. Once these have been resolved, send the assessment back for review and approval.

After your privacy assessment is approved

After the privacy assessment is approved, you may need to implement other privacy practices to enhance the way that privacy is incorporated into the design of the data processing activities.