Comply with rules and laws
As part of its effort to provide quality and reliable technology services, the University of Washington is required to comply with a broad range of federal and state laws and regulations related to the management of public records, use of public resources, privacy protection, copyright protection, ethics rules, and criminal behavior.
Beyond mandatory compliance requirements, the UW maintains its own high standards and commitment to the preservation and protection of privacy, intellectual property, and quality technology-related services for all students, faculty, staff, and citizens who become involved with the institution.
Everyone who enjoys the privileges and use of the UW's computer and network services is expected to help uphold UW's high security standards and to comply with all necessary state and federal statutes. The following are UW guidelines and policies as well as state and federal statutes and regulations that directly or indirectly affect the University of Washington's information systems security program.
Knowing the Rules
Washington Administrative Code (WAC) sections relating to:
- WAC 478-120 - Student code of conduct for the University of Washington
- WAC 478-124 - General code of conduct for the University of Washington
- WAC 478-140 - Rules and regulations for the University of Washington governing student education records
- WAC 478-268 - Regulations for the University of Washington libraries
- WAC 478-250 - Governance for indexing of public records
- WAC 478-276 - Governance for access to public records
- WAC 292-130 - Protection and management of public records
Revised Code of Washington (RCW) sections relating to:
- RCW 40.14 - Records management, retention, and destruction
- RCW 42.17.020 - Public records "writing" inclusive of graphics and computer records
- RCW 42.17.310 - Private and vital public records that are exempt from disclosure
- RCW 5.60.060 - Communications made to a public officer in official confidence, when the public interest would suffer by disclosure
- RCW 42.52.050 - Confidential information records improperly concealed
- RCW 42.52.260 - Documents and indexes to be made public
- RCW 70.02 - Uniform Health Care Information Act
- RCW 71.05.390-420 - Mental health records
- RCW 71.34.200 - Mental health care record of juveniles
- RCW 70.24.105 - HIV/STD information
- RCW 9.73 - Privacy Act
- RCW 19.190.020 - Unsolicited Electronic Mail Act
- RCW 9A.48.100 - Malicious Mischief
- RCW 9A.52.110, 120, 130 - Computer Trespass
United States Code (U.S.C.) sections relating to:
- (5 U.S.C. 552a) Privacy Act - Collection, notification, disclosure, and handling requirements of personal data
- (18 U.S.C. 2701, et seq.) Electronic Communications Privacy Act - Prohibitions against tampering with computers or accessing certain stored electronic records without authorization. The Act also prohibits providers of electronic communications services from disclosing the contents of stored communications.
- (20 U.S.C. 1232g) Family Educational Rights and Privacy Act [FERPA] - Protection, access, and disclosure of educational records and the ability of a student, or the parent of a minor student, to ensure their completeness and accuracy
- (Public Law No. 104-191, Sections 262 and 264; 45 C.F.R. Parts 160-164) Health Insurance Portability and Accountability Act [HIPAA] - Security and privacy of individually identifiable health information that is maintained or transmitted by a covered entity. HIPAA also requires these covered entities to apply many of its provisions to their business associates, researchers, employers, and others.
- (42 U.S.C. 242m) - Prohibitions of disclosure of data collected by the National Center for Health Services Research and the National Center for Health Statistics that would identify an individual in any way
- (21 U.S.C. 1175; 42 U.S.C. 290dd-3) Drug and Alcoholism Abuse Confidentiality Statutes - Prohibition of disclosure of information collected for federally funded research and treatment of drug abuse and alcoholism
- (5 U.S.C. 552) Freedom of Information Act [FOIA] - Provisions for access to many types of records that are exempt from access under the Privacy Act, including many categories of personal information
- (39 U.S.C. 3623) Mail Privacy Statute - Prohibitions of opening mail without a search warrant or the addressee's consent
- (29 U.S.C. 1025, et seq.) Employee Retirement Income Security Act - Employer requirements to provide employees access to information about their accrued retirement benefits
- (42 U.S.C. 2000e, et seq.) Equal Employment Opportunity Act - Restrictions on the collection and use of information that would result in employment discrimination on the basis of race, sex, religion, national origin, and a variety of other characteristics
- (18 U.S.C. 1029) Fraud and Related Activity in Connection With Access Devices - Prohibitions and penalties associated with unauthorized possession and fraudulent use of access tokens, passwords, etc.
- (18 U.S.C. 1030) Fraud and Related Activity in Connection With Computers - Prohibitions of unauthorized access and use of electronic systems
- (18 U.S.C. 1362) Communication Lines, Stations, or Systems - Prohibitions of malicious or willful destruction or intent to destroy or disrupt communications systems within the U.S.
- (18 U.S.C. 2510, et seq.; 47 U.S.C. 605) Wiretap Statutes - Prohibitions of the use of eavesdropping technology and the interception of electronic mail, radio communications, data transmission, and telephone calls without consent
- (18 U.S.C. 2703) Requirements for Government Access - Rules for government agencies for obtaining disclosure of an electronic communication from a provider of such services
- (47 U.S.C. 1001) Communications Assistance for Law Enforcement Act [CALEA] - Preserving law enforcement's ability to engage in lawful electronic surveillance in the face of new technological developments
- (15 U.S.C. 6501, et seq.; 16 C.F.R. § 312) Children's Online Privacy Protection Act of 1998 [COPPA] - Requirement that a Web site directed at children under 13 years of age obtain "verifiable parental consent" before collecting personal information from children
- (H.R. 3162) "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001" [USA PATRIOT ACT] - A variety of special laws specific to countering terrorist acts including expanded investigative options for law enforcement
- (28 CFR Part 20, Section 20.33 and elsewhere) - Restrictions on criminal history records remaining in control of criminal justice agencies
Other primary authorities
- Office of Management and Budget (OMB) Circular No. A-130 - This Circular provides uniform information resources management policies as required by many Federal Executive Orders and Acts, including:
  - (44 U.S.C. 35) Paperwork Reduction Act of 1980
  - (5 U.S.C. 552a) The Privacy Act of 1974, as amended
  - (40 U.S.C. 759) The Computer Security Act of 1987
- National Committee for Quality Assurance (NCQA) Advisory Information System Standards [based on work presented in The Health Plan Employer Data and Information Set (HEDIS) Volume 4: A Roadmap for Information Systems, 1998]
Additional information sources regarding policy formulation
- National Institute of Standards and Technology (NIST) Engineering Principles for IT Security, NIST Special Publications 800-12 (1995), 800-14 (1996), 800-16 (1998)
- US DHHS OIG Audit Process (Department of Health & Human Services, Office of the Inspector General, Office of Audit Services, 1994)
- National Research Council Report "For the Record: Protecting Electronic Health Information" (1997)
