(Approved by the President per delegations of authority Executive Order No. 4, Executive Order No. 6, and Executive Order No. 63)
This policy establishes how the University handles unforeseen events that impact the privacy or result in a breach of personal data and/or compromise the security of information systems and information technology.
All University departments, auxiliary enterprises, and service centers that conduct processing of personal data or manage information systems and information technology on behalf of the University are required to comply with this policy.
Please see Administrative Policy Statement 2.4 for Definitions and Roles and Responsibilities.
Workforce members must report an unforeseen event, a potential or confirmed breach of personal data, or an information security incident promptly to the office responsible for responding to and/or managing the incident as noted in this policy.
Directed by responsible offices, workforce members must provide full assistance needed for incident management processes. Workforce members must use the principle of least privilege to limit information sharing and communications to what individuals need to know to be able to complete their assigned duties or functions. Workforce members also must handle evidence and manage records carefully, including marking records as draft or final and retaining or purging records according to the applicable records management processes and retention schedules.
Diagrams to assist workforce members in determining where to report an incident are available on the UW Privacy Office website. Processes and procedures for workforce members to report an incident are published on the websites of responsible offices.
The offices responsible for managing incidents or potential or confirmed data breaches are identified in this section. Each of these offices must maintain and publish processes and procedures for the following types of incidents and potential or confirmed data breaches.
A. Human Subject Information and Reportable New Information for Research
Communication to human subjects or third parties affected by an incident will be made as directed by the Institutional Review Board and carried out in accordance with applicable legal, regulatory, or contractual requirements. The Guide to Reporting New Information and the related Standard Operating Procedures and forms for human subject research are available on the Human Subjects Division website.

B. Information Security Incidents
Incident reporting and management processes for information security events that adversely impact the confidentiality, integrity, or availability of University information, infrastructure technology, or information systems are available on the Office of the Chief Information Security Officer website. The Associate Vice President for Information Security and University Chief Information Security Officer coordinates with the Assistant Vice Provost for Export Controls on incidents that may involve the disclosure of Controlled Unclassified Information (except for Covered Defense Information) and Export Controlled Information. The Associate Vice President for Information Security/University Chief Information Security Officer and the UW Medicine Chief Information Security Officer coordinate and collaborate on incidents that adversely impact the shared interest of the University and UW Medicine.

C. Personal Data Breaches
Communication to persons, other than patients or human subjects, about incidents, potential or confirmed data breaches, or exposure of personal data will be made as directed by the University Privacy Officer. The University Privacy Officer will coordinate the University's response with University leadership, University Media and Communications, the Attorney General's Office, and external regulators or third parties. Incident reporting and management processes for incidents, potential or confirmed data breaches, or exposure of personal data, other than protected health information under the authority of the HIPAA Privacy Officials or human subjects under the authority of the Institutional Review Board, are available on the UW Privacy Office website.

D. Protected Health Information (PHI) at Health Sciences Healthcare Components
Incident reporting and management processes for Protected Health Information (PHI) incidents within the Healthcare Components are available on the Health Sciences Administration website. Communication to patients affected by a potential or confirmed data breach or incident at Health Sciences Healthcare Components will be made as directed by the Executive Director of Health Sciences Administration and Health Sciences Healthcare Component HIPAA Privacy Official, and carried out in accordance with applicable legal, regulatory, or contractual requirements. The Executive Director of Health Sciences Administration and Health Sciences Healthcare Component HIPAA Privacy Official will coordinate the University's response with University leadership, University Media and Communications, the Attorney General's Office, and external regulators or third parties.

E. Protected Health Information at UW Medicine
The UW Medicine Chief Compliance Officer and HIPAA Privacy Official will direct communication with patients affected by a potential or confirmed data breach or other patient-involved incident at UW Medicine. The UW Medicine Chief Compliance Officer and HIPAA Privacy Official will coordinate the University's response with University leadership, University Media and Communications, the Attorney General's Office, and external regulators or third parties. Incident reporting and management processes for Protected Health Information incidents within UW Medicine are available on the UW Medicine Compliance website.

F. National Security Classified Information and Covered Defense Information
Incident reporting and management processes for National Security Classified Information and Covered Defense Information are available by contacting the University Facility Security Officer at uwfso@uw.edu.
Each office responsible for incidents or data breaches must develop, maintain, and follow processes and procedures that at a minimum include the following elements for each incident or potential or confirmed data breach:
For further information on this policy, contact:
November 4, 2011; January 7, 2016; February 4, 2020.