
UW Electronic Information Privacy Policy on Personally Identifiable Information

  1. It is the policy of the University of Washington to ensure that its treatment, custodial practices, and uses of 'Personally Identifiable Information' are in full compliance with all related federal and state statutes and regulations, and demonstrate a rigorous commitment to core values of maximizing trust, integrity, and respect for privacy. In addition to fulfilling all mandatory compliance obligations, the UW is committed to do the utmost to ensure the privacy of 'Personally Identifiable Information' on individuals.

    Personally identifiable information is defined as data or other information which is tied to, or which otherwise identifies, an individual or provides information about an individual in a way that is reasonably likely to enable identification of a specific person and make personal information about them known.

    Personal information includes, but is not limited to, information regarding a person's home or other personal address, social security number, driver's license, marital status, financial information, credit card numbers, bank accounts, parental status, sex, race, religion, political affiliation, personal assets, medical conditions, medical records or test results, home or other personal phone numbers, non-university address, employee number, personnel or student records and so on.

    The scope of individuals covered includes all individuals on whom the University, or any part of the university, or any employee, student, volunteer or contractor etc. of the university, has or maintains personal information. This includes students, employees, donors, patients, alumni, prospects, applicants, ticket holders, referring physicians, research subjects, individuals identified in research files, volunteers and others.

  2. Personally Identifiable Information may only be released or provided to others as follows:
    1. To employees and/or officers of the University on an authorized need-to-know basis, and only to those individuals who are authorized to use such information as part of their official university duties, and with the requirements: that they keep that information confidential and use it only for, and to the extent required by, the official university business purposes that they are authorized to perform; and, that they do not further disclose or provide that information to others.

      For example, supervisors, Deans, Chairs and others may have access to personal information in the personnel records of employees who report to them but, in general, only to those employees who do report to them and only for bona fide business purposes; faculty may have access to their students' academic records for teaching, advising, grading, admissions processing, and other authorized activities; police auditors and supervisors etc. may have access to security, surveillance access and similar information; authorized university computer systems, systems management, computer programming, and network personnel etc. may, in the conduct of their authorized duties, have access to files, transactions, cookies, profiles, messages, log records, call detail, voicemail, and network content etc. which may contain personally identifiable information; and, physicians, nurses, medical and support staff may have appropriate access to their patients' records in accordance with medical center policies as well as all federal and state laws and regulations.

    2. As part of the normal directory information, course listings, catalogs, and other official publications of the University or its departments insofar as that information does not provide personal information such as home address, home phone number, marital status, parental status, social security number, employee number, race, religion, or other personal or family information except in instances, and to the degree that it is explicitly and specifically approved by the individual(s).
    3. To external health care, governmental, educational, business, law enforcement, audit, etc. entities as, and to the extent required for the proper and efficient conduct of official University of Washington business transactions and processes (such as payroll processing and deposits, valid student record maintenance and requests, admissions processing, student loan processing, patient medical record and test results handling), approved by the responsible University official as specified in sections 3, 4, and 5 below. Handling of such information by third parties must by default always be with the strict requirements that they keep that information confidential and use it only for the official business purposes that they are authorized by the University to perform.
    4. In accordance with state and federal law concerning personal choice options concerning release of personally identifiable information.
  3. Excluding exceptions granted under sections 4, 5, and 6 below, any other release of personally identifiable information may only be made to the minimum extent (as determined by specific analysis in each instance of a request for such information) unavoidably required by law. Handling of such information by third parties must always be directed by the University to be with the strict requirement that they keep that information confidential and use it only for the official business purposes that they are authorized by the University to perform.

  4. Exceptions to this policy may only be made upon specific requests as approved by the authorized university officers responsible for such electronic information as specified in sections 5 and 6 below, and only to the degree necessary to achieve the missions and business needs of the University. Any and all exceptions made must be documented with the Executive Vice President and reviewed periodically by the Privacy Officer.

  5. Responsibilities and authorities for personally identifiable information:
    1. Employee Personnel Information; Vice President for Human Resources
    2. Faculty Personnel Information; Provost and Executive Vice President
    3. Information on Students or applicants; Vice Provost for Student Life
    4. Patient Information and information about referring physicians; Executive Vice President for Medical Affairs. This includes medical and dental information in all units across the University.
    5. Personally identifiable information in computer system authentication, authorization, access, usage, profile, cookie or other such files or in telecommunications or network records; Vice President for UW Technology
    6. All other personally identifiable information including but not limited to information relating to alumni, athletic supporters, personally identifiable information in intellectual property or other technology transfer or royalty etc. records, personally identifiable information in contract and grant proposals, research records, notes and videos, surveillance tapes, and information on ticket holders, donors, consultants and contractors etc.; Executive Vice President

  6. No delegations of these authorities may be made except as follows:
    1. The Executive Vice President for Medical Affairs may and has delegated her or his authority to the Executive Director of Health Sciences and/or the Executive Director of UWMC and/or Executive Director of Harborview Medical Center.
    2. The Vice Provost for Student Life may and has delegated his or her authority to the Executive Director of Admissions and Records.
    3. The Provost and Executive Vice President may and has delegated her or his authority to the Vice Provost responsible for Academic personnel issues.
    4. The Vice President for Computing and Communications may and has delegated his or her authority to the C&C Director of University Computing Services and/or the C&C Director of Information Systems.
    5. The Executive Vice President may delegate her or his authority for staff employees to the Vice President for Human Resources.
  7. Privacy Officer - As an integral component of the University's commitment to privacy protection and compliance, the UW has an official University Privacy Officer. The University Privacy Officer is appointed by the President of the University and must be a senior member of the University's Administration. The position is responsible for strategic oversight and coordination of the University's privacy protection and compliance efforts. In addition to ensuring compliance with the University Privacy Policy and related laws, the Privacy Officer's role includes:
    1. Promptly relaying any credible evidence of or reports concerning violations of University privacy or security policy or law to the appropriate investigative authorities.
    2. Providing information as necessary to the University community about existing and emerging legal and compliance requirements with respect to privacy and related best practices. Ensuring continuing notification to appropriate parties throughout the University about privacy policy and any revisions to the policy.
    3. Supporting security and privacy awareness and education program efforts.
    4. Supporting the development, implementation, and maintenance of information systems security and privacy policies and procedures where required in various areas, units, and functions across the University.
    5. Supporting monitoring and enforcement of privacy and security policies, and adoption of and adherence to best practices.
    6. Working to ensure that vendors, business partners, and others are aware of University privacy and security policies and that University procurement, contracting, and partnering processes not only emphasize adherence to privacy and security policies but, where appropriate, incorporate provisions which punish failures to properly address and comply with the policies.
    7. Helping provide direction and oversight concerning risk management practices associated with privacy and security issues and practices.
    8. Helping ensure that appropriate audit services and reporting are in place to detect violations and to evaluate the effectiveness of privacy and security policies and of compliance activities.
    9. Ensuring and overseeing periodic monitoring of the release of personally identifiable information to ensure continuing compliance with state and federal law.
    10. Ensuring review of exceptions to this policy as to their appropriateness and legality.
    11. Acting as an advocate for budget and resource requests related to ensuring the maintenance of effective information privacy and security programs.
  8. The Executive Director for Health Sciences is the University of Washington's Privacy Officer.
  9. Policy Enforcement:
    1. If any university employee or student or teaching assistant or research assistant or other appointee, or any contractor or consultant or vendor to, or business partner to, the university discovers evidence of any apparent violations of this policy they must notify the Privacy Officer immediately and take care to preserve the evidence of violation. Failure to do so is grounds for disciplinary measures up to and including termination of employment or expulsion and other legal actions.
    2. The University should actively create a climate which encourages all members of the broad university community (including, but not limited to, patients, research subjects, vendors, external auditors, volunteers, students, research assistants, teaching assistants, faculty, staff, and all other employees, or third parties external to the university), partner institutions, and the general public to report to the Privacy Officer instances of credible evidence of possible violations of privacy and security policy.
    3. If anyone (including patients, research subjects, vendors, external auditors, volunteers, students, partner institutions, or other third parties external to the university) discovers apparent evidence of any incidental violation of this policy they should report it to the University Privacy Officer and the University will take appropriate actions to resolve the issue.
    4. If the University discovers violations of this policy substantially caused or perpetuated by careless or deliberate acts or inaction it will take disciplinary measures towards those involved up to and including termination of employment and/or expulsion and/or other legal actions.
    5. Upon discovery of plausible evidence that this policy or any other privacy or security policy has been or is being violated the University shall inform appropriate authorities to investigate and take appropriate actions to resolve the issue.
  10. This policy and policy document is to be and is maintained by the Vice President for Computing and Communications in consultation with the President, the Senior Vice President, the Provost and Executive Vice President, and the University's Privacy Officer. The current policy is to be published and posted in the official university Website in its current form by the Office of Computing & Communications. The document was most recently updated 10/06/01 to reflect the creation of the Privacy Officer role, the appointment by the President of a University Privacy Officer, and to withdraw the medical records delegation from the Executive Director for Health Sciences. This updated Policy and the appointment is effective 10-06-01.