Overview
Including protection as one of the UW’s Privacy Principles helps ensure UW units and University personnel safeguard data in a way that:
- Supports the well-being of individuals.
- Addresses privacy-related laws and regulations that require the implementation of specific controls.
- Aligns with UW’s ethical obligations.
- Is consistent with industry best practices.
The data protection controls recommended as part of UW’s Design for Privacy approach are informed by commonalities in privacy-related laws and regulations. [1] These privacy practices should be incorporated throughout the data lifecycle — from collection to destruction — where appropriate. As technology advances and the legal landscape evolves, there is potential for recommended privacy-related controls to change.
Where to start
Learn about and implement data protection controls in a privacy context [2]
The UW Privacy Office encourages UW units and University personnel to integrate privacy controls when implementing new or enhancing existing systems or business processes. Doing so in the early stages is efficient and is more effective at mitigating risk and protecting individuals’ personal data than retroactively incorporating data protection controls.
Step 1: Limit access to personal data
Follow the Principle of Least Privilege as defined in APS 2.2: “Access privileges to any University information or information system for any individual shall be limited to only what they need to have to be able to complete their assigned duties or functions.”
Supervisors should:
- Review their staff's access to personal data and ensure that only individuals needing access to complete their assigned job responsibilities have access.
- Ensure that their staff have reviewed and completed the Access and Use Agreement for UW Data and Information Systems.
UW personnel should carefully review the Access and Use Agreement for UW Data and Information Systems to ensure they are aware of their responsibilities.
Step 2: Learn about and use encryption
Encryption is the process of obscuring information, often through a cryptographic scheme, to make the information unreadable without special knowledge, i.e., the use of code keys. Encryption is a privacy best practice and is mentioned in the General Data Protection Regulation (GDPR) as a potential way to mitigate risk. Certain breach notification requirements may be mitigated using encryption, as it reduces the risks to the rights and freedoms of data subjects should data be improperly disclosed. [3]
Wherever possible, personal data should be encrypted at rest and in transit.
UW personnel should refer to the Office of the Chief Information Security Officer’s guidance to learn about data encryption.
Step 3: Anonymize or pseudonymize personal data when possible
Privacy best practices promote data anonymization and pseudonymization as methods for reducing the risk of harm to individuals.
UW personnel responsible for implementing new or enhancing existing systems and business processes should:
- Learn about data anonymization and pseudonymization by reading the white paper written by the Privacy Office.
- Consider data anonymization or pseudonymization where possible.
Step 4: Complete privacy assessments when requested
Privacy assessments assist UW units with their responsibility for evaluating potential privacy-related impacts when implementing new or enhancing existing systems or business processes and can assist with identifying appropriate privacy-related safeguards.
UW personnel should:
- Complete privacy assessments when requested by the Privacy Office.
- Implement recommended privacy practices.
Step 5: Learn about incident and data breach management
When things do not go as planned and an incident or data breach occurs, be prepared to respond appropriately to assess the risk of harm to individuals and the compliance obligations for the UW.
UW personnel should review Privacy Office guidance about reporting incidents and data breaches and additional steps to take (or avoid) to minimize harm in the event of an incident or data breach.
Additional information
NOTE: The Privacy Office works closely with the Office of the Chief Information Security Officer (CISO), which is responsible for the University’s policies and approach to information security. Additional security controls may be required of UW organizations in APS 2.6.
Resources
In addition to the guidance on this page, we recommend University personnel familiarize themselves with the following resources:
- UW Records Management Office.
- UW APS 2.6 Information Security and Privacy: Roles, Responsibilities, and Definitions.
References
[1] As the first comprehensive privacy regulation, the European Union General Data Protection Regulation has informed subsequent laws and regulations in the US and elsewhere.
[2] The steps included on this page are informed by the EU GDPR Compliance Checklist.
[3] Quoted from International Association of Privacy Professionals. (n.d.) Glossary of Privacy Terms.