Overview
The TrustArc Privacy Management Platform is a tool for helping the UW establish a privacy and data governance accountability framework. Such information creates a universal understanding of data and our shared responsibility for managing it for everyone’s benefit. Specifically, the platform helps all areas of the UW:
- Aggregate essential information for strategic, tactical, and operational decisions at UW.
- Create clarity about the purpose, categories, and appropriate use of data.
- Identify and document the accountable and responsible individuals for the business process, system, and third-party relationships through an enterprise-wide data inventory.
- Inventory and map the flow of data across the UW and with third parties.
- Assess and manage high-risk data processing through privacy assessments.
- Aggregate and map the interoperability of the 25+ laws and regulations that relate to the UW.
The Privacy Office is responsible for establishing a cohesive approach to privacy at the UW, including the UW’s data inventory and privacy assessments that are part of the TrustArc Privacy Management Platform. The scope of the TrustArc Privacy Management Platform extends to all UW locations and to all personal data other than data that are solely and uniquely protected health information.
Access
UW employees with the roles and responsibilities below may request access to the TrustArc Privacy Management Platform to add information to the UW’s data inventory or to respond to privacy assessments. In certain situations, individuals with access to TrustArc may be able to view information for other UW units, but will only be able to edit business process, system, or third party records that they own.
- Business process owner or the business process owner’s designee – Individual who is responsible for the overall development, implementation, operation, and maintenance of a business process/project/research study. This includes Privacy by Design and internal controls and operational practices related to the business process.
- System owner or the system owner’s designee – Individual who is responsible for the overall development, implementation, operation, and maintenance of an information system. This includes Privacy by Design and information security controls and operational practices related to the UW’s information and information systems for their area of responsibility.
- Third party contact or third party contact’s designee – Individual who is responsible for managing the UW’s relationship with the third party.
Access can be requested by individual employees or by a supervisor for their employees. If requested by an individual, the supervisor’s approval is required as part of the access request process.
Roadmap
In progress:
- Privacy assessment workflow.
- Supplemental training resources for TrustArc system users.
Complete:
- Determined what UW data elements and activities are considered high-risk and will require a privacy assessment.
- Confirmed that UW will use the privacy assessment templates provided by TrustArc rather than custom build a privacy assessment.
- Configured TrustArc system with foundational information about the UW, such as:
  - Applicable laws and regulations.
  - UW policies and policy requirements (e.g., UW Administrative Policy Statements, UW Medicine policies, Office of Research policies).
  - Data nomenclature for inventorying business processes, systems, data subjects (i.e., constituent populations), and high-risk data elements or activities.
- Established access request forms and workflows.
Governance
The Privacy Steering Committee advises the UW Privacy Office and UW leadership on the overall strategic approach to privacy at the UW.
The Personal Data Processing Task Force helped determine how to design, configure, and operationalize the TrustArc Privacy Management Platform.