(Approved by the Chief Health System Officer, UW Medicine and Vice President for Medical Affairs by authority of Executive Order No. 1 and the Vice President and Vice Provost for UW Information Technology by authority of Executive Order No. 63)
University workforce members shall consult, as appropriate, Administrative Policy Statement 2.4 and other relevant Administrative Policy Statements for further understanding of information security and privacy roles, responsibilities, and definitions; information systems security; minimum data security standards; and incident management.
This policy applies to:
University workforce members shall follow the general rules in this section if the use and disclosure of institutional information is not covered by laws and regulations or University rules or policies.
A. Confidential Information
The definition of confidential information is found in Administrative Policy Statement 2.4; the controls for protecting confidential information can be found in Administrative Policy Statement 2.6; and examples can be found on the UW Data Classification web page. The privacy principles associated with confidential information include:

B. Restricted Information
The definition of restricted information is found in Administrative Policy Statement 2.4; the controls for protecting confidential information can be found in Administrative Policy Statement 2.6; and examples can be found on the UW Data Classification web page. The privacy principles associated with restricted information include:

C. Public Information
Create, collect, use, and disclose public information to fulfill the University's mission.
In some cases, the combination or removal of data elements of institutional information may change the classification category. If the classification category changes, University workforce members shall protect the institutional information commensurate with the updated information classification category.
The "University of Washington Website Terms and Conditions of Use" statement and the "University of Washington Online Privacy Statement" serve a variety of important functions, including informing visitors to University websites about the potential uses of information, defining acceptable behavior, and limiting University liability.
University websites, including, but not limited to, websites for education, research, patient care, and service areas (internal and external to the University), shall have clearly visible links on the websites to the most recent "University of Washington Website Terms and Conditions of Use" statement and the most recent "University of Washington Online Privacy Statement." In addition, University web pages, including, but not limited to, web pages for education, research, patient care, and service areas (internal and external to the University), shall have the same clearly visible links where circumstances warrant, such as web pages that request information from the web page user or on web pages containing content that needs protection.
Depending upon the web page content or users, the "University of Washington Website Terms and Conditions of Use" statement and the "University of Washington Online Privacy Statement" may have to be amended or supplemented to meet legal or policy requirements associated with the web page content or users. Such amendments or supplements must be reviewed and endorsed by the relevant executive head of the major University organization before being submitted by the relevant executive head of the major University organization to the University Privacy Official, or his or her designee, and the University Chief Information Security Officer for approval.
University employees who permit third parties to use a University-owned domain (including the placement of websites) shall ensure that the third party is contractually obligated to have a "Website Terms and Conditions of Use" statement and an "Online Privacy Statement" that complies with all applicable laws and regulations and is consistent with the "University of Washington Website Terms of Use" statement and the "University of Washington Online Privacy Statement."
To avoid or reduce Internet fraud, University units, including, but not limited to, education, research, patient care, and service areas (internal and external to the University), and University workforce members shall not:
Unsolicited email does not include email sent from a University unit, including, but not limited to, education, research, patient care, and service areas (internal and external to the University), to individuals who receive services from, or have an ongoing relationship with, the unit.
The University Privacy Official and University Chief Information Security Officer shall review and approve this policy statement at least every three years or more frequently as needed to respond to changes in the regulatory environment, prior to being sent for final approval by those who have been delegated executive authority. The University Chief Information Security Officer shall manage the review process.
For further information on this policy statement contact:
November 4, 2011; RC, June 20, 2012.