UW Information Systems Security

1)

Revised Code of Washington (RCW)

Applicable Revised Codes of Washington include the following:

• RCW 5.60.060, Who Are Disqualified — Privileged Communications (communications made to a public officer in official confidence, when the public interest would suffer by disclosure).

• Chapter 9.73 RCW — Violating Right of Privacy (Privacy Act).

• RCW 9A.48.100 — Malicious Mischief — "Physical Damage" Defined.

• RCW 9A.52.110, 9A.52.120, and 9A.52.130 — Computer trespass.

• RCW 19.190.020 — Unpermitted or Misleading Electronic Mail — Prohibition (Unsolicited Electronic Mail Act).

• Chapter 40.14 RCW — Preservation and Destruction of Public Records (records management, retention, and destruction).

• RCW 42.17.020 — Definitions (public records "writing" inclusive of graphics and computer records).

• RCW 42.17.260 — Documents and Indexes to Be Made Public

• RCW 42.17.310 — Certain Personal and Other Records Exempt (private and vital public records that are exempt from disclosure).

• RCW 42.52.050 — Confidential Information — Improperly Concealed Records.

• RCW 43.105.041 — Powers and Duties of Board (the powers of the Information Services Board (ISB), and its authority to develop statewide or interagency technology standards and policy).

• RCW 43.105.200 — Application to Institutions of Higher Education (ISB policy exemptions for institutions of higher education).

• Chapter 70.02 RCW — Medical Records — Health Care Information Access and Disclosure (Uniform Health Care Information Act).

• RCW 70.24.105 — Disclosure of HIV Antibody Test or Testing or Treatment of Sexually Transmitted Diseases — Exchange of Medical Information.

• RCW 71.05.390 through 71.05.420 — Mental health records.

• RCW 71.34.340 — Information Concerning Treatment of Minors Confidential — Disclosure — Admissible as Evidence with Written Consent (mental health care record of juveniles).

Applicable Washington Administrative Codes include the following:

• Chapter 478–120 WAC — Student Conduct Code for the University of Washington.

• Chapter 478–124 WAC — General Conduct Code for the University of Washington

• Chapter 478–140 WAC — Rules and Regulations for the University of Washington Governing Student Education Records.

• Chapter 478–276 WAC — Governing Access to Public Records.

• Chapter 292–130 WAC — Agency Organization — Public Records (protection and management of public records).

3)

The Washington Information Services Board is Washington State's nine-member policy-making body for information technology. Applicable Washington Information Services Board publications include the following:

• Information Technology Security Policy.
• Information Technology Security Standards.
• Information Technology Security Guidelines.

4)

United States Code (U.S.C.)

Applicable United States Codes include the following:

• (5 U.S.C. Sec. 552) Freedom of Information Act (FOIA) — provisions for access to many types of records that are exempt from access under the Privacy Act, including many categories of personal information.

• (5 U.S.C. Sec. 552a) Privacy Act—collection, notification, disclosure, and handling requirements of personal data.

• (15 U.S.C. Sec. 6501 et seq.; 16 C.F.R. Sec. 312) Children's Online Privacy Protection Act of 1998 — requirements that a Web site directed at children less than 13 years of age obtain "verifiable parental consent" before collecting personal information from children.

• (18 U.S.C. Sec. 1029) Fraud and Related Activity in Connection with Access Devices — prohibitions and penalties associated with unauthorized possession and fraudulent use of access tokens, passwords, etc.

• (18 U.S.C. Sec. 1030) Fraud and Related Activity in Connection with Computers — related to prohibitions associated with unauthorized access and use of electronic systems.

• (18 U.S.C. Sec. 1362) Communication Lines, Stations, or Systems — prohibitions associated with malicious or willful destruction or intent to destroy or disrupt communications systems within the U.S.

• (18 U.S.C. Sec. 2510 et seq.; 47 U.S.C. Sec. 605) Wiretap Statutes — prohibitions associated with the use of eavesdropping technology and the interception of electronic mail, radio communications, data transmission, and telephone calls without consent.

• (18 U.S.C. Sec. 2701 et seq.) Electronic Communications Privacy Act — prohibitions for persons tampering with computers or accessing certain computerized records without authorization. The act also prohibits providers of electronic communications services from disclosing the contents of stored communications.

• (18 U.S.C. Sec. 2703) Requirements for Government Access — rules for government agencies for obtaining disclosure of an electronic communication from a provider of such services.

• (20 U.S.C. Sec. 1232g) Family Education Rights and Privacy Act (FERPA) — the protection, accessibility, and disclosure of educational records and the ability to ensure their completeness and accuracy by a student or the parent of a minor student.

• (29 U.S.C. Sec. 102, et seq.) Employee Retirement Income Security Act — employer requirements to provide employees access to information about their accrued retirement benefits.

• (39 U.S.C. Sec. 3623) Mail Privacy Statute — prohibitions associated with opening mail without a search warrant or the addressee's consent.

• (42 U.S.C. Sec. 242m) — prohibitions of disclosure of data collected by the National Centers for Heath Services Research and of health statistics that would identify an individual in any way.

• (42 U.S.C. Sec. 2000e et seq.) Equal Employment Opportunity Act — restrictions on the collection and use of information that would result in employment discrimination based on race, sex, religion, national origin, and a variety of other characteristics.

• (47 U.S.C. Sec. 1001) Communications Assistance for Law Enforcement — preserving law enforcement's ability to engage in lawful electronic surveillance in the face of new technological developments.

• (Pub. L. 104-191 Sec. 262, 264: 45 C.F.R. Sec. 160-164) Health Insurance Portability and Accountability Act — the security and privacy of individually identifiable health information that is maintained or transmitted by a covered entity. In addition, this act requires covered entities to apply many of its provisions to their business associates, researchers, employers, and others.

• (Pub. L. 107-056) Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001 — a variety of special laws specific to countering terrorist acts including expanded investigative options for law enforcement and a student monitoring program (exceptions to FERPA).

5)

The UW is a recipient of federal grant money and a contracted service provider of federal Medicare and Medicaid programs through the Medical Center. Therefore, this policy also is designed to conform to best practices and planning set forth in Office of Management and Budget (OMB) policies. OMB is a federal organization that works cooperatively with grantmaking agencies and the grantee community. OMB leads development of government-wide policy to ensure that grants are managed properly and that federal dollars are spent in accordance with applicable laws and regulations.

Federal OMB Circular NO. A-130 provides uniform information resources management policies as required by many federal executive orders and acts including:

• 44 U.S.C. Sec. 35 — Paperwork Reduction Act of 1980.
• 5 U.S.C. Sec. 552a — Privacy Act.
• 40 U.S.C. Sec. 759 — Computer Security Act of 1987.