UW Data and Your Responsibilities
Information Systems Security Policy:
Minimum Data Security Standards:
UW Institutional Data Management Standards:
The University of Washington is committed to protecting the privacy and confidentiality of personal information related to students, faculty, staff, and other individuals associated with the University. The University recognizes the risk and impact that the improper disclosure of SSNs can have on individuals who have entrusted this information to the organization.
The University of Washington routinely collects Social Security Numbers (SSNs) in support of several federal requirements such as W-2 tax forms and student educational tax credit reporting. SSNs are considered confidential data according to the UW Administrative Policy Statement (APS) 2.10, UW Minimum Data Security Standard. Unauthorized release of SSN (and other personally-identifiable information) by the UW exposes individuals to identity theft and fraud, and brings financial and reputational harm to the UW.
Everyone who is accountable for the management or use of SSN data must also become familiar with other university-wide and departmental policies and procedures related to records management and security, which are published separately.
For more information about policies, training, and Frequently Asked Questions (FAQs) in relation to the protection of SSN data, please click here.
Here’s an excerpt from the policy:
To avoid or reduce Internet fraud, University units, including, but not limited to education, research, patient care, and service areas (internal and external to the University), and University workforce members shall not:
- Send unsolicited email (where the recipient has not granted permission for the message to be sent) to individuals that asks them to reply with confidential information; and
- Send unsolicited emails to individuals that ask them to click embedded links to University web self-service transactions that require entry of confidential information.
Unsolicited email does not include email sent from a University unit, including, but not limited to education, research, patient care, and service areas (internal and external to the University), to individuals who receive services from, or have an ongoing relationship with, the unit.
The Office of the CISO has information about phishing risks and best practices: http://ciso.washington.edu/resources/risk-advisories/phishing/