Data inventory and Privacy by Design use cases
At the UW, the data inventory assists UW units and people responsible for making informed decisions about the purpose and use of data. The use cases on this page illustrate how the inventory is used to include privacy in the design of UW data processing activities. In each example, the user is unsure or has not considered whether the data are high-risk or whether laws or regulations relate to the data processing. In addition, they are interested in Privacy by Design but do not know how to include it.
Using examples from the University context, the use cases also demonstrate how to inventory different types of data processing. More use cases will be added based on trend analysis and requests from TrustArc users.
Please use the following supplemental resources to help you complete data inventory records:
An overview of the inventory and process:
How to create third party, system, and business process records:
For other questions, register to attend Support Hours for TrustArc via our Event Calendar or contact uwprivacy@uw.edu.
Audiences
The executive heads of major University organizations are chancellors, vice presidents, vice provosts, deans, the Executive Director of Health Sciences Administration, and other individuals who report to and have delegated executive authority from the President and/or the Provost. These individuals are responsible for implementing, documenting, and maintaining sufficient processes, procedures, and delegations of authority to comply with the requirements in the information security and privacy policies. This includes accountability for risks, compliance obligations, budgets, and financial costs associated with University information security and privacy, including incidents and data breaches within their organizational area(s).
APS 2.4 says executive heads of major University organizations (i.e., chancellors, vice presidents, vice provosts, deans, etc.) are “responsible for implementing, documenting, and maintaining sufficient processes, procedures, and delegations of authority to comply with the requirements in the information security and privacy policies.”
Each use case refers to audiences that may be delegated by an executive head of a major University organization to make privacy-related decisions about data processing. This may include:
- Principal investigators.
- Faculty/Instructors/academic personnel.
- Staff (e.g., people with the authority to make decisions about the use of personal data).
- IT/Technical staff.
NOTE: The person responsible for making privacy-related decisions may inventory items themselves or delegate the record manager responsibility to another individual. For descriptions of the roles listed below, please review the TrustArc Privacy Management Platform section on access. When data inventory records are created in TrustArc, the person responsible for making privacy-related decisions is documented using the following roles:
- Third party contact.
- System owner.
- Business process owner.
Types of TrustArc records
The tags correspond to the types of records in TrustArc:
- Third Party.
- System.
- Business Process.
Use cases
Sharing data with a third party
UW Activity | Sharing personal data with a third party to perform professional services, such as data analysis, surveys, or consulting. |
Audience | Principal investigators, faculty, staff. |
When to inventory in TrustArc | During the planning and design stage. |
Types of TrustArc records | The agreement is inventoried as a third party record. The analysis, survey, or consulting is inventoried as a business process record. (If all of these are part of the agreement, they may be inventoried as one business process if the processes are not complex. If complex, create separate business process records.) |
Who creates the TrustArc records | Responsibility for inventorying a third party is held by the UW unit that is responsible for the relationship or that executes or holds the agreement. Enterprise-wide agreements and systems should be inventoried by the high-level organization that is responsible for the agreement (e.g., UW-IT). Agreements for systems or services with unique instances should be inventoried by each UW unit responsible for that agreement. The UW researcher, faculty, or staff member responsible for the data analysis, surveys, or consulting conducted by the third party creates a business process record. |
Benefit(s) | By inventorying the data analysis, survey, or consulting project in TrustArc, the user is provided a summary of the risk, including whether the proposed activity is considered high-risk. The privacy team can review the profile with the user and kick off an assessment that walks the user through Privacy by Design concepts for related business processes. This includes but is not limited to advising on whether the activity aligns with Privacy Principles, whether an agreement is needed, whether notice or consent is needed, and whether data minimization or inclusive practices are being followed. |
Misc. notes (if applicable) | If responsibility for an agreement will eventually transfer from one UW unit to another, the UW unit that is currently responsible can create the record and ask the UW Privacy Office to transfer ownership of the record when the agreement transfers. |
Procuring a new system
UW Activity | A UW unit leader is considering procuring or has procured a system that will share personal data with the vendor, such as for storing or other types of data processing. |
Audience | Principal investigators, faculty, staff, IT/technical staff. |
When to inventory in TrustArc | When the system is initially being considered by the unit. |
Types of TrustArc records | The agreement is inventoried as a third party record. The system is inventoried as a system record. The intended use of the system is inventoried as a business process. Depending on the complexity of the system and the nature of the work activities, more than one business process record may be needed. |
Who creates the TrustArc records | Responsibility for inventorying a third party is held by the UW unit that is responsible for the relationship or that executes or holds the agreement. Enterprise-wide systems should be inventoried by the high-level organization that is responsible for the agreement and system (e.g., UW-IT). Unique instances of systems should be inventoried by each UW organization/unit responsible for the agreement and system. Sub-agreements should be inventoried by the UW unit that is responsible for that sub-agreement. The work activities that will use the system should be inventoried by the UW unit that owns the business process. |
Benefit(s) | By inventorying the system and any anticipated business processes in TrustArc, the user is provided with a risk profile. The privacy team can review the profile with the user and kick off an assessment that walks the user through Privacy by Design concepts. This includes but is not limited to advising on whether an agreement is needed, whether notice or consent is needed, and data minimization principles. |
Misc. notes (if applicable) | If responsibility for a system’s agreement will eventually transfer from one UW unit to another, the UW unit that is currently responsible can create the record and ask the UW Privacy Office to transfer ownership of the record when the agreement transfers. |
Storing data on an enterprise-wide storage platform
UW Activity | A UW unit stores personal data on an enterprise-wide storage platform like UW SharePoint, UW OneDrive, or UW Google Drive. |
Audience | Staff, faculty, principal investigators. |
When to inventory in TrustArc | During the planning and design stage. |
Types of TrustArc records | The agreement for the storage platform is inventoried as a third party record. The storage system is inventoried as a system record. The intended use of the storage system is inventoried as a business process. Multiple business process records may be needed for complex uses. |
Who creates the TrustArc records | Responsibility for inventorying a third party is held by the UW unit that is responsible for the relationship or that executes or holds the agreement. Enterprise-wide systems should be inventoried by the high-level organization that is responsible for the system and related agreement (e.g., UW-IT). The UW unit that owns the business process involving cloud computing creates the business process record. In the business process record, the appropriate system record can be selected. If the system record has not been created, and it is owned by a different UW entity, the business process owner can enter the data elements and processing purposes in the business process record and link the appropriate system record when that record is available later. |
Benefit(s) | By inventorying this item in TrustArc, the user is provided a risk profile for the project. The privacy team can review the profile with the user and kick off an assessment that walks the user through Privacy by Design concepts. This includes but is not limited to advising on data minimization principles. |
Misc. notes (if applicable) | N/A. |
Storing data on a non-enterprise-wide storage platform
UW Activity | A UW unit stores personal data in a UW unit instance of a cloud-based storage platform, such as Dropbox. |
Audience | Staff, faculty, principal investigators. |
When to inventory in TrustArc | As soon as possible. |
Types of TrustArc records | The agreement for the storage platform is inventoried as a third party record. The storage system is inventoried as a system record. The intended use of the storage system is inventoried as a business process. Multiple business process records may be needed for complex uses. |
Who creates the TrustArc records | Unique instances of systems should be inventoried by each UW organization/unit responsible for the system and related agreement. The UW unit that owns the business process involving cloud computing creates the business process record. The system record representing the instance of the system they own should be selected in the business process record. |
Benefit(s) | By inventorying the cloud storage in TrustArc, the user is provided a risk profile for the project. The privacy team can review the profile with the user and kick off an assessment that walks the user through Privacy by Design concepts. This includes but is not limited to advising on data minimization principles. |
Misc. notes (if applicable) | N/A. |