Purpose
This policy provides a foundation for addressing the European Union General Data Protection Regulation (EU GDPR) at the UW. Additionally, this policy supplements and further interprets the privacy requirements in UW Administrative Policy Statements:
Scope and Applicability to UW
This policy applies to all activities at the UW that process personal data about individuals who are physically in the EU at the time the data are initially collected, in connection with the offering of goods or services (even if free) to individuals in the EU.
This policy does not apply to processing activities at the UW that:
- Are targeted at general audiences that may incidentally include individuals in the EU unless efforts are specifically made to include EU residents; or
- Include protected health information that is governed by UW Medicine policies and the Health Insurance Portability and Accountability Act (HIPAA).
See EU GDPR Frequently Asked Questions for examples of processing activities at UW that may be in scope for EU GDPR.
Identifiable, Pseudonymized, and Anonymized Data [i]
UW departments and units must address EU GDPR requirements for all processing activities involving identifiable and/or pseudonymized (see definition below) data that are within the scope of EU GDPR and therefore this policy.
To determine if a person is identifiable, UW departments and units must evaluate the means that are reasonably likely to be used, by the controller or any other entity or person, to identify the person directly or indirectly. This includes an evaluation of the:
- Costs of and the amount of time required for identification; and
- Technology at the time of processing and technological advancements.
Data are considered anonymized if:
- the data and/or information does not relate to an identified or identifiable natural person; or
- the data subject is not or no longer identifiable.
The EU GDPR does not apply to the processing of anonymous information, including anonymous information that is processed for statistical or research purposes.
Definitions
Controller: A person or entity that determines the means and purpose for processing of personal data.[ii] The “means” refers to how the processing will be carried out (including the discrete operations to be performed with or upon personal data) while the “purpose” refers to the reason or objective for processing.[iii] A controller may make determinations or decisions about the means and purpose for processing either alone or with others[iv] as described below:
- Sole Controller applies when a single person or entity makes determinations about the means and purpose for processing.
- Joint Controllers applies when multiple parties share in determinations about the means and purpose for processing the same personal data, even if each party is involved in processing at different stages and to different degrees.[v]
Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is a natural person (not a corporation or other legal entity) who can be identified, directly or indirectly, by reference to:
- Any identifiers, such as name, ID, location data, online identifier; or
- Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor: A person or entity that (a) is a separate legal entity with respect to a controller and (b) processes personal data on behalf of a controller.[vi] Acting on behalf of a controller means that a person or entity is serving the interests and objectives of that controller (i.e., pursuant to a controller’s delegation).[vii] Unlike a controller, a processor does not determine or decide the means and purpose for the processing of personal data. Note that it is not the nature of a processing activity itself that renders a person or entity a processor, but rather that the processor is processing on behalf of or at the direction of the controller.[viii] When a processor exceeds or acts outside of a controller’s delegation with respect to processing, that processor may be characterized as a controller and subject to additional EU GDPR obligations that would ordinarily only be applicable to a controller. Processors may also delegate the processing to another third party known as a sub-processor (e.g., by sub-contract). Generally, the same EU GDPR obligations that apply to a processor will apply to a sub-processor.[ix]
Pseudonymization: Processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymized data is still considered identifiable for purposes of GDPR.
Special Categories of Personal Data: Any data that:
- Reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
- Are genetic data or biometric data sufficient to uniquely identify a natural person.
- Are concerning a natural person’s sex life or sexual orientation.
Roles and Responsibilities
Data Protection Officer (DPO)
Appointed by the UW President and Provost to develop a cohesive strategy for protecting personal data and to develop policies, training, and resources that assist UW departments and units in operationalizing the strategy and policies. The DPO reviews and reports on the UW’s overall approach to EU GDPR. The DPO also reviews and advises on data protection impact assessments and leads the response to and management of incidents involving personal data or allegations of privacy violations. As needed, the DPO reports incidents to external regulators. The DPO for all personal data at the UW other than protected health information is:
Jane Yung
Vice President and Chief Compliance and Risk Officer
University Privacy Officer
Compliance and Risk Services
uwprivacy@uw.edu
Executive Heads of Major UW Organizations
The executive heads of major UW organizations are vice presidents, vice provosts, deans, chancellors, and other individuals with delegated executive authority from the President or Provost. These individuals are responsible for risks, compliance obligations, budgets, and financial costs associated with privacy in their organizational area(s). This includes responsibility for:
- Protecting the privacy of individuals as described in this policy and the related University Administrative Policy Statements; and
- Supporting and collaborating with the Data Protection Officer in performing the tasks required in EU GDPR.
Records of Processing
UW departments and units, regardless of whether they are controllers or processors, must create and maintain written records for all processing activities by using the UW Privacy Office’s Record of Processing Activities.[x]
Controller’s Record of Processing
When the UW is acting as a controller by way of a UW department or unit’s processing activities, records of processing must include:
- Name and contact information of the specific department or unit that is the controller, and if applicable name and contact information of the joint controller;
- Name and contact information for the joint controller’s DPO, if applicable;
- Purpose for processing personal data;
- Categories of individuals to whom the processing relates and the categories of personal data to be processed;
- Categories of recipients to whom personal data will be disclosed (such as contractors);
- Details of any cross-border transfers of personal data (i.e., from the EEA to a non-EEA country) and the applicable basis for the transfer, if applicable;
- Retention period for the personal data per applicable UW records retention schedules; and
- Technical and organizational security measures (i.e., the systems and/or solutions used for storage).[xi]
Processor’s Record of Processing
When the UW is acting as a processor by way of a UW department or unit’s processing activities, records of processing must include:
- Name and contact information of the processor;
- Name and contact information of the controller and if applicable joint controller;
- Name and contact information for the controller’s DPO;
- Categories of processing to be carried out on behalf of each controller;
- Details of any cross-border transfers of personal data (i.e., from the EEA to a non-EEA country) and the applicable basis for the transfer, if applicable; and
- Technical and organizational security measures (i.e., the systems and/or solutions used for storage).[xii]
The UW may be required to furnish its records of processing to relevant EU regulators upon request.[xiii]
Purpose of Processing
When describing the purposes of data processing under EU GDPR, the University must also identify the lawful basis under which the data is being processed.
Lawful Bases for Processing Personal Data [xiv]
When UW departments and units are controllers, they must determine whether one of the lawful bases for processing listed below applies to the purpose of their processing activity.
- Necessary for the performance of a contract to which the individual is party, or to take steps at the data subject’s request prior to entering into a contract;
- Necessary for compliance with a legal obligation as determined by EU or EU Member State law;
- Necessary to protect the vital interests of the individual or another natural person;
- Necessary for the performance of a task carried out in the public interest or as required by an official authority as determined by EU or EU Member State law;
- Necessary for the purposes of the legitimate interests pursued by the controller or by a third party as long as the purpose does not negate the interests or fundamental rights and freedoms related to the protection of personal data; or
- The individual has given consent for the specific purpose. If consent is being used as the lawful basis to process data, UW must be able to demonstrate, through documentation, that the consent was informed, clear and specific, freely given, as well as unambiguous and actively given. Individuals must be allowed to withdraw their consent at any time.
Legitimate Uses for Processing Special Categories of Personal Data [xv]
In addition to the lawful bases of processing, if a UW department or unit is the controller and is processing special categories of personal data (defined above), the UW department or unit must determine which of the below legitimate uses for processing applies to the purpose of their processing activity.
- To carry out specific obligations or rights of UW or data subject in employment;
- To protect the vital interests of the individual or another person when the individual is physically or legally incapable of providing consent;
- For legal defense;
- For various healthcare-related reasons, including assessing working capacity of employee, when the individuals involved in processing have duties of confidentiality;
- For various specified public health related reasons;
- For archiving, scientific or historical research or statistical purposes; or
- If processing relates to personal data which the individual manifestly makes public.
If none of the above legitimate uses apply to the processing, then the controller must obtain consent from an individual prior to special categories of personal data being obtained from the individual. Note that other laws that relate to protection of personal data at the UW may still require consent even if EU GDPR does not require consent.
Processing Personal Data related to Criminal Convictions [xvi]
UW departments and units must not process personal data related to criminal convictions and offences or related security measures unless processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
Before a UW department or unit engages in this type of processing it must contact the DPO.
Processing Personal Data for Archiving Purposes in the Public Interest, Scientific or Historical Research Purposes, or Statistical Purposes [xvii]
When UW departments and units are considering processing personal data for archiving purposes in the public interest, scientific research purposes, or statistical purpose, the controller must ascertain the following:
- If technical and organizational measures are in place to safeguard data;
- If processing involves the minimum data necessary to achieve the purpose; and
- If processing can utilize pseudonymized or anonymized data to achieve the purpose.
Processing Personal Data for Supplemental Purposes [xviii]
When UW departments and units are considering processing personal data for purposes other than the initial purpose for which the data was collected (i.e., supplemental purposes), and the data subjects have not given consent to the processing and the processing is not required by Union or Member State law, the controller must evaluate whether the supplemental purpose is compatible with the initial purpose. This evaluation must consider:
- Whether there is any link between the initial purpose and the supplemental purpose;
- The context of the initial purpose, including the relationship between the controller and the data subject;
- The nature of the personal data, including whether it contains special categories of personal data or data relating to criminal convictions or offences;
- The potential consequences the supplemental processing may have for the data subjects; and
- The existence of appropriate safeguards (such as encryption or pseudonymization).
If the processing is not compatible with the initial purpose and is not for archiving purposes in the public interest, scientific research purposes, or statistical purposes, then the processing is not permitted.
Data Protection Impact Assessments
Under GDPR, controllers must conduct a data protection impact assessment (“DPIA”) for certain types of processing that more heavily impact the rights and freedoms of individuals as described in section 8.A below. At UW, before a UW department or unit engages in processing that renders the UW a controller and requires a DPIA, the UW department or unit must complete a DPIA using the UW Privacy Office’s Privacy Impact Assessment (PIA) for Processing Activities.
Processing Activities Requiring a DPIA
Under GDPR, a DPIA is required when a controller’s processing is “likely to result in a high risk to the rights and freedoms” of individuals including when there is:
- “a systematic and extensive evaluation of personal aspects relating to [individuals] which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning [an individual] or similarly significantly affect [an individual];
- processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; or
- a systematic monitoring of a publicly accessible area on a large scale.”[xix]
UW departments and units must err on the side of carrying out a DPIA when it is unclear whether a DPIA is required.[xx] If a UW department or unit evaluates an activity for high-risk processing and determines that the activity is not in fact high-risk and a DPIA is not required, the rationale for that determination must be documented.[xxi]
See EU GDPR Frequently Asked Questions for examples of and factors relating to high-risk processing.
Privacy Notice Requirement
Generally, controllers must inform individuals of certain details relating to the processing of personal data at the point of initial collection.[xxii] When UW departments and units act as controllers, they must provide individuals with privacy notices relating to the processing of personal data by (a) using published UW privacy notices when they accurately and completely describe intended processing activities or (b) developing a more specific privacy notice for dissemination to individuals as described on the UW Privacy Office’s Provide Privacy Notice webpage.
Consent Requirement [xxiii]
Controllers must obtain consent from individuals when consent is the lawful basis for processing or the processing includes special categories of personal data and none of the legitimate uses described in section 7.B. above apply to the processing.[xxiv] Before engaging in processing, UW departments and units acting as controllers must obtain consent by (a) leveraging published UW consent forms and/or templates when they accurately and completely describe intended processing activities or (b) developing a more specific consent form for solicitation as described on the UW Privacy Office’s Obtain Consent webpage.
Valid Consent
Consent is only valid if it is:
- Informed by including the required elements of consent.
- Freely given and not a condition of receiving a product or service, unless the information being provided is required for the delivery of the product or service. Additionally, the controller is required to allow the individual to withdraw consent without detriment.
- Specific to the purpose and use and not bundled with other terms and conditions.
- Clear, with prominently presented information about the purpose and use and the fact that consent is being sought.
- Active and unambiguous, using an opt-in approach. Passive, default, and auto-ticked box approaches are invalid.
Invalid Consent
Conversely, consent may not be valid if:
- There are doubts over whether the Data Subject has consented.
- The Data Subject doesn’t realize they have consented.
- No clear record demonstrating the Data Subject consented can be produced.
- There was no genuine free choice over whether to opt in.
- The Data Subject would be penalized for refusing consent.
- There is a clear imbalance of power between the Controller and the Data Subject.
- It was a precondition of a service, but the processing is not necessary for that service.
- It was bundled with other terms and conditions in an unclear way.
- The consent request was vague or unclear.
- Auto-ticked opt-in boxes or other methods of default consent were used.
- The Controller was not specifically identified.
- Data Subjects were not informed of their right to withdraw consent.
- Data Subjects cannot easily withdraw consent.
- The purposes or uses have evolved.
Sharing Personal Data
Personal data sharing with third-parties can take a variety of forms at the UW. Before establishing any personal data sharing relationships with third-parties, it is important to have clarity about all parties’ data processing roles as defined in Section 4 above. Depending on relative data processing roles, different data sharing requirements may apply.
Controller-to-Processor Relationships
A controller may only engage suitable processors that can guarantee the implementation of appropriate measures for the protection of personal data.[xxv] Further, a controller must enter into an agreement with its processor that governs the processing of personal data.[xxvi]
UW as a Controller and a Third-party as a Processor
When the UW acts as a controller and engages a contractor, as discussed above, the UW department or unit (a) makes determinations about the means and purpose for processing, (b) has proximity to and knowledge of the processing activities to be delegated to the contractor, and (c) must use the UW’s Data Processing Agreement (the “DPA”). Visit the UW Privacy Office’s Agreements and DPA webpage to learn more about appropriate DPA use.
UW as a Processor and Third-party as a Controller
When the UW acts as a processor on behalf of a controller, its processing activities must be governed by an agreement.[xxvii] This agreement creates a contractual relationship between UW and the controller and sets forth the requirements and instructions for processing on the controller’s behalf.[xxviii] An agreement between a controller and UW as a processor will resemble the DPA and must include, at minimum, the below details of the processing and terms and conditions related to UW’s role as a processor. It is important to have these details as part of the contract, since processing without an agreement could inadvertently turn UW into a controller for GDPR purposes and result in increased legal obligations for the UW.
Details about the processing:
- Subject matter of the processing;
- Duration of the processing;
- Nature and purpose of the processing;
- Types of personal data to be processed; and
- Categories of data subjects.
Terms and conditions establishing that UW as a processor will:
- Only act on the controller’s documented instructions (unless otherwise required by law);
- Only transfer personal data to a third country or international organization upon written instructions from the controller;
- Ensure that the individuals who will engage in processing are committed to confidentiality;
- Take appropriate measures to ensure the technical, physical, and administrative security of personal data to be processed;
- Only engage a sub-processor with the controller’s prior approval and with the same data protection obligations that appear in the agreement between UW and the controller, including to the extent allowed by law, the processor’s liability to the controller for the performance of the sub-processor’s obligations;
- As appropriate given the nature of the processing and the information available to the UW, assist the controller in meeting its EU GDPR obligations relating to security, data breaches, data protection impact assessments, and prior consultations with supervisory authorities;
- At the controller’s choice, delete or return all personal data to the controller at the end of the processing and also delete any existing copies of personal data in UW’s possession unless otherwise required by law (i.e., records retention obligations);
- Provide the controller with whatever information it reasonably needs to ensure both parties are meeting their EU GDPR obligations or to contribute to an audit or inspection conducted by the controller or another regulator mandated by the controller; and
- Immediately notify the controller if it believes an instruction violates EU GDPR.[xxix]
These elements appear in a checklist developed to help UW departments and units inventory terms and conditions in a third-party controller-supplied agreement. This checklist is not designed for evaluating the sufficiency of such terms and conditions, nor does it constitute legal advice.
UW and a Third-party as Joint Controllers
When UW and one or more third parties are joint controllers, as described above, the parties must process personal data pursuant to a transparent arrangement that establishes respective responsibilities for compliance with EU GDPR.[xxx]
As a best practice, this arrangement should take the form of an agreement. However, regardless of the form of the arrangement, the parties must establish how they will manage all applicable EU GDPR requirements, with particular attention given to (a) privacy rights exercised by individuals, and (b) privacy notices.[xxxi] Beyond EU GDPR’s ordinary requirements for privacy notices, joint controllers must also inform individuals of the nature of the joint control arrangement.[xxxii] Regardless of the arrangement established by the parties, individuals may exercise rights available to them under EU GDPR against the UW and/or other joint controllers.[xxxiii]
Cross-border Transfers
EU GDPR contains specific provisions for moving data across borders outside of the European Economic Area (EEA). UW departments and units with processing activities that involve the transfer or movement of personal data from the EEA to international organizations or non-EEA countries must rely upon one of the following bases:[xxxiv]
- European Commission-approved Standard Contractual Clauses;[xxxv] or
- An applicable EU GDPR derogation (such as an individual’s informed consent to the transfer, necessity of the transfer for the performance of a contract between an individual and a controller, or the establishment, exercise, or defense of legal claims).[xxxvi]
Note that additional bases for cross-border transfers are described in EU GDPR but are less likely to be available to and relevant for the UW. These include:
- Codes of conduct or certifications approved by a relevant EU regulator;
- Binding corporate rules approved by a relevant EU regulator;[xxxvii]
- Court judgements or administrative authority decisions from a non-EEA country in conjunction with an appropriate international agreement;[xxxviii] or
- European Commission determinations that the intended international organization or non-EEA country provides an adequate level of protection for personal data (e.g., the laws of a non-EEA country are comparable to EU GDPR; note that the European Commission has not determined that US laws alone are sufficient as of the publication of this policy).[xxxix]
For assistance navigating cross-border transfer considerations, contact the UW Privacy Office.
Technical and Organizational Measures [xl]
The technical and organizational measures established to ensure security must be informed by the state of the art of relevant security practices and solutions; the costs of implementation; the nature, scope, context, and purposes of processing; and the risk of varying likelihood and severity for the rights and freedoms of individuals whose personal data is processed.
The processing activities of UW departments and units must include, as appropriate, the following technical and organizational measures:
- The pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, and availability and resilience of processing systems and services;
- The ability to restore the availability of and access to personal data in a timely manner in the event of an incident or unanticipated event; and
- A process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures.
These controls are further described and required by UW Administrative Policy Statement 2.6 Information Security Controls and Operational Practices.
Incident Management Requirement
Controllers and processors must promptly notify the DPO if a potential or actual personal data breach has occurred. The DPO will work closely with other University personnel to investigate and manage internal reporting procedures. Additionally, the DPO will determine if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, and if the UW must:
- Inform the relevant supervisory authority or external regulator; or
- Inform the individuals whose personal data was involved in the personal data breach.
Note that EU GDPR requires organizations to report certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.
Retention of Personal Data Requirement
State law requires that the UW retain all records that reflect the transaction of public business, construed broadly. At the UW, the University General Records Retention Schedule is the primary source of retention requirements for the records created and received by the UW. The schedule describes retention periods for records that are common to most UW units. A UW unit may also use a supplementary Departmental Schedule developed in conjunction with Records Management Services or UW Medicine Records Management Services.
Under the EU GDPR, the controller must specify the period for which the personal data will be retained or how the retention period will be determined. Such determinations must be included in notices, consent forms, agreements, and documents that describe the purpose and use of personal data about individuals who reside in the EU. UW departments and units must review the relevant records retention schedule(s) or consult with the appropriate Records Management Services department to determine what period of retention to specify when collecting personal data.
Policy Maintenance
This policy will be updated periodically as EU GDPR goes into effect and additional official information about the regulation becomes available. The University Privacy Officer shall review and approve this policy at least every three years, or more frequently as needed to respond to changes in the regulatory environment. For more information, see the update history at the end of the policy.
Additional Information
For further information on this policy contact:
UW Privacy Office
uwprivacy@uw.edu
Relevant Policies
This standard is intended to assist UW units in complying with EU GDPR and the following UW Policies:
- APS 2.2 Privacy Policy
- APS 2.4 Information Security and Privacy Roles, Responsibilities, and Definitions
- APS 2.5 Information Security and Privacy Incident Management Policy
- APS 2.6 Information Security Controls and Operational Practices
Citations
[i] EU GDPR Recital 26
[ii] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) [hereinafter “EU GDPR”] Article 4(7)
[iii] Eduardo Ustaran et al., European Data Protection Law and Practice 79 (2018)
[iv] EU GDPR Article 4(7)
[v] Judgment of 10 July 2018, Jehovan todistajat, C-25/17, EU:C:2018:551, paragraph 66.
[vi] Piotr Foitzik, How to comply with provisions on joint controllers under the GDPR, Sept. 26, 2017, International Association of Privacy Professionals, https://iapp.org/news/a/how-to-comply-with-provisions-on-joint-controllers-under-the-gdpr/
[vii] Id. at 25
[viii] Id. at 29
[ix] EU GDPR Article 28(4)
[x] EU GDPR Article 30
[xi] EU GDPR Article 30(1)
[xii] EU GDPR Article 30(2)
[xiii] EU GDPR Article 30(4)
[xiv] EU GDPR Article 6
[xv] EU GDPR Article 9
[xvi] EU GDPR Article 10
[xvii] EU GDPR Article 89
[xviii] EU GDPR Article 6 (4)
[xix] EU GDPR Article 35 (3)
[xx] Article 29 Working Party, ‘Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679’ (WP 248, 4 April 2017), at 5 [hereinafter “Article 29 WP on DPIAs”]
[xxi] Id. at 10
[xxii] EU GDPR Article 13(1)
[xxiii] EU GDPR Article 7
[xxiv] EU GDPR Article 5, 9
[xxv] EU GDPR Article 28(1)
[xxvi] EU GDPR Article 28(3)
[xxvii] Id.
[xxviii] Ustaran, supra at 347
[xxix] Contracts, May 22, 2019, Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/; GDPR Article 28 Data Processing Agreement Checklist, 2018, Warner Norcross & Judd, http://www.wnj.com/WarnerNorcrossJudd/media/files/uploads/Documents/GDPR-Article-28-DPA-Checklist.pdf
[xxx] EU GDPR Article 26(1)
[xxxi] Id.
[xxxii] EU GDPR Article 26(2)
[xxxiii] EU GDPR Article 26(3)
[xxxiv] EU GDPR Article 44
[xxxv] EU GDPR Article 46
[xxxvi] EU GDPR Article 49
[xxxvii] EU GDPR Article 47
[xxxviii] EU GDPR Article 48
[xxxix] EU GDPR Article 45
[xl] EU GDPR Article 32