Incident Report Form Last updated: October 10, 2024 Incident Report Form Use this form to report an unforeseen event, incident, potential, or confirmed breach ("incident") to the UW Privacy Office. Your name(Required) First Last Your UW email(Required) Phone(Required) Title of incident(Required) Short descriptive title of the incident (e.g., Lost laptop in dept. X). Description(Required) Brief description of what happened. Date of discovery(Required) Date you became aware of the situation. MM slash DD slash YYYY Date of incident Date when the incident occurred, if known. MM slash DD slash YYYY UW organization(Required) UW organization where the incident occurred or was observed, if known. We are using the Institutional Organization Structure (IOS) to help manage information about incidents. If interested, you can learn more about the IOS by reviewing this paper by the Data Governance Committee. IOS Level 1 is the University of Washington. Data systems What system(s), if any/if known, are involved? Data encryption(Required) Were the data encrypted? Yes No Don't know Specific types of personal data involved(Required) Is it possible that the following data are involved in the incident? Click all that apply. An individual's first name or first initial and last name Social Security Number or last four digits of SSN Driver's license or state ID number Financial account number (credit, debit, etc.) and security code, access code, or password Full date of birth Private key that is unique to an individual and that is used to authenticate or sign an electronic record Student, military, or passport identification number Health insurance policy number or health insurance identification number Consumer's medical history, or mental or physical condition, or about a health care professional's medical diagnosis or treatment Biometric data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics used to identify a specific individual Username or email address in combination with a password or security questions or answers that would permit access to an online account Protected Health Information (PHI) - A subset of individually identifiable health information created or maintained in health records and/or other clinical documentation in either paper-based or electronic format by UW or UW Medicine (PHI) received from a non-UW entity Education record - Any record that directly identifies a student and is maintained by the University of Washington or by a party acting for the UW Special categories of data (not listed above) - Data relating to minors, older adults or seniors, criminal offenses, citizenship and/or immigration status, race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, or sexual orientation Other personal data - Any record or information relating to an identified or identifiable natural person. (E.g., identification number, location data, online identifiers, or factor(s) specific to physical, physiological, genetic, mental, economic, cultural, or social identity or characteristics, or is identified as personally identifiable data (or a similar term) by any applicable law.) None of the above Other personal data description(Required) LIst the other personal data elements that were involved in the incident. Physical location of data subjects(Required) Where were people physically located when data were originally collected, if known (Washington State, other states, United States, and/or other countries)? Research(Required) Does the incident involve research? Research is defined as a systematic investigation designed to develop or contribute to generalizable knowledge, and may include research development, testing, and evaluation. Yes No Human Subjects Research(Required) Does the incident involve human subjects? Human subjects are defined as living individuals about whom an investigator (whether professional or student) is conducting research: (i) obtains information or biospecimens through intervention or interaction with the individual, and uses, studies, or analyses the information or biospecimens, or (ii) obtains, uses, studies, analyzes, or generates identifiable private information or identifiable biospecimens? Yes No What Institutional Review Board (IRB) is overseeing this research? What IRB is overseeing the research? UW IRB Non-UW IRB Reportable New Information (RNI) # If the incident has been reported to the UW IRB include the RNI#. Reported to non-UW IRB Enter name of the IRB without acronyms. Type(s) of non-personal data involved(Required) Is it possible that the following types of non-personal data are involved in the incident? Click all that apply. UW Confidential (non-personal) - University information that is sensitive in nature and typically subject to federal or state regulations. Examples: information regarding the security of computer and telecommunications networks; access codes for physical access to secured locations. Restricted (non-personal) - University information that is circulated on a need-to-know basis or sensitive enough to warrant careful management and protection to safeguard its integrity and availability, as well as appropriate access, use, and disclosure. For example, information security plans; infrastructure documentation; system administration procedures; investigation documentation. National Security Classified Information - Official information, owned by the U.S. government or entrusted to the U.S. government by another country, that has been determined, pursuant to U.S. Presidential Executive Order 13526 or any predecessor order, to require protection against unauthorized disclosure in the interest of national security and which has been so designated. Covered Defense Information – marked or otherwise identified in contract, task order, or delivery order and provided to the UW by or on behalf of the US Dept of Defense in support of the performance of the contract; or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. Includes all unclassified information related to a classified contract that has not been approved for public release. Export Controlled Information - Unclassified technical data subject to the Export Administration Regulations (EAR) (15 CFR Parts 730-774) or the International Traffic in Arms Regulations (ITAR) (22 CFR Parts 120-130) which are listed on the Commerce Control List (Supplement No. 1 to Part 774 of the EAR) or the United States Munitions List (22 CFR Part 121 of the ITAR.) None of the above Reported to others(Required) Have you reported the incident to other individuals? (Please limit further sharing.) Yes No Communication processes(Required) Please list the names and organizations for the other individuals who have been informed about this incident. Hidden Cause of Incident What is the root cause of the incident, if known? Add file Max. file size: 2 MB. Email This field is for validation purposes and should be left unchanged.