ON THIS PAGE:
- Why providing privacy notice is important
- When providing notice is required
- Example UW Privacy Notices
- Elements of Privacy Notification
- Standard Privacy Notification Language
Why providing privacy notice is important
A privacy notice offers transparency to constituents regarding how any personal information they provide to the University of Washington (UW) will be used, retained, shared and secured, contributing to the protection of trusted relationships.
Privacy notices should be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language;
- actionable where necessary, with specific and explicit choices highlighted; and
- easy to find – consider using a variety of channels to communicate privacy notice information: link the privacy notice to each webpage, reference or include specific privacy notice information directly on forms collecting personal information, etc.
When providing notice is required
Providing a privacy notice when collecting personal data is considered a “best practice,” and in certain cases providing a privacy notice may be required by law (for example, providing a patient privacy notice under HIPAA).
European Union’s General Data Protection Regulation
Under the European Union’s General Data Protection Regulation (EU GDPR), explicit notice (or in some limited cases, consent) is required when collecting personal data under the following circumstances:
- Initially, when collecting personal data from residents of the European Union, or
- The first time UW contacts someone residing in the EU whose data it did not obtain directly, or
- When using data for a purpose that is different from the one originally stated when initially collected.
EU GDPR privacy notice is NOT required when:
- The data subject already has the required notification information
- It would be impossible
- The UW did not collect the data and is using it for archiving, scientific or historical research, or statistical purposes, as long as that research/statistical/archiving meets certain safeguards, including, but not limited to standards relating to technical and organizational security measures, data minimization, and using pseudonymisation where appropriate.
Standard Notification Language for Collection and Use of Personal Data is below (compliant with EU GDPR requirements).
Notification or Consent Workflow for EU GDPR
Consult the workflow below to determine whether to provide privacy notice or obtain consent when collecting or processing personal data about people located/living in the European Union:
Please contact UW Privacy for Workflow accessibility support.
Example UW Privacy Notices
Review an example of UW Privacy Notices.
Elements of Privacy Notification
Basic elements:
- Who you are (include name and contact details);
- What you are going to do with their information (your purpose and how information will be used, retained, secured, and deleted);
- If the collection or protection of personal data is part of a statutory or contractual requirement or obligation;
- What data elements are required or optional;
- With whom their information will be shared, including any third-parties; and
- Brief explanation of possible consequences should personal data not be provided.
EU GDPR elements:
When providing a privacy notice to people residing in the European Union, please review the Privacy Policy for EU GDPR.
All Basic elements above PLUS the elements below are required:
- Name and contact information for UW’s Privacy Officer.
- Reference to the UW retention schedule for the length of time data will be retained or link to the UW Records Management Services website
- (At least one) lawful basis for processing:
- Necessary for the performance of a contract to which the individual is part of or to take steps at the data subject’s request prior to entering into a contract;
- Necessary for compliance with a legal obligation;
- Necessary to protect the vital interests of the individual or another natural person;
- Necessary for the performance of a task carried out in the public interest or as required by an official authority;
- Necessary for the purposes of the legitimate interests pursued by the controller or by a third party as long as the purpose does not negate the interests or fundamental rights and freedoms related to the protection of personal data; or
- The individual data subject has given consent for specific purpose.
- Whether the UW will share personal data with and/or transfer personal data to another organization or to an international organization.
- Individuals’ rights to:
- Access, rectify or request erasure their data
- Restrict processing of their data
- Object to processing
- Withdraw their consent without detriment
- Take their data with them (portability)
- Complain
- If you are using automated decision-making: the existence of automated decision-making, and meaningful information about the logic involved and its significance and consequences of such processing for the individual.
Standard Privacy Notification Language
Note: This language is for the collection of personal data that requires notification. If controllers use alternative notification language, they are responsible for confirming it includes the required elements of notification.
University of Washington
[insert UW Unit Name]
Notification for Collection and Use of Personal Data
You are notified that by [describe your process, for example: completing this form, continuing through this process, signing up for this service, etc.], the University of Washington (UW) is collecting certain data about you. UW [insert official unit name] is collecting data in order to [process your application for, sign you up for, and/or provide the service, event, or program described.]
UW may also use this data to comply with its legal obligations. Data records will be maintained for at least their minimum required retention according to the applicable UW Records Retention Schedule(s):
- [Insert title and hyperlink to applicable retention schedule(s) within the relevant – UW Records Retention Schedule]
Records will be accessed by those who have a legitimate UW-related business need to access them.
[ADD IF RELEVANT: Some of your data may be processed by automated decision-making. Insert additional information about the logic involved, and the significance or consequences of such processing]
For additional information, to request access to or a copy of your personal data, or to request certain data be removed, you may contact [insert name, title, and contact information of UW data controller.]
If your data protection related questions or concerns are not addressed after contacting the organization area to which you provided data, you may also contact Jane Yung, Vice President and Chief Compliance and Risk Officer, University Privacy Officer, uwprivacy@uw.edu.