Data Sharing - Privacy Requirements

Every day, data at the University are used and may be shared, for operational purposes, with our contracted third-party service providers and partner higher education institutions, in legal proceedings, as required by law, or internally, with various university offices, as necessary or appropriate in the conduct of legitimate university business and consistent with applicable laws.

The following guidance is provided to University Schools, Departments and individuals involved in sharing university data.

Sharing university data externally (with 3rd Party service providers, other institutions of higher education, etc.)

Personal information of individuals may be shared externally for university purposes (e.g. to receive services, to facilitate student exchange programs, to respond to external audits and accreditation assessments, etc.). To help reduce the risk associated with sharing information, before university data can be shared externally with third parties (service providers, peer institutions, etc.), University Schools and Divisions must establish adequate and approved contractual agreements with the respective third parties. Through approved contractual agreements, GW’s contracted third parties are required to comply with privacy laws and regulations and to maintain the security of personal information processed on behalf of the university. GW’s contracted third parties are not authorized to disclose information except as necessary to perform the services on GW’s behalf or to comply with legal requirements.

The following reviews are required before regulated or restricted university data can be shared externally:

  1. Privacy review of the contractual agreement, by the GW Privacy Office, for compliance with federal, state, or international privacy requirements. When submitting a contractual agreement to the GW Privacy Office for review, you will be asked to provide ample details related to the university data shared externally.
    • Use this questionnaire to provide the information we need to review the contractual agreement.
  2. Security Assessment of software, platforms and applications, by GW Information Security, to identify vulnerabilities that might lead to a potential compromise of the university data shared.
    • Click here for guidance on submitting a request for security assessment

Sharing university data with providers of software, platforms, applications or services (including AI tools such as ChatGPT, Fireflies.Ai, etc.) that are not university-approved (via approved contracts) violates university policies related to privacy and data protection, regardless of the purchase value of the respective tools/applications.

Note: To ensure compliance with university purchasing policies and procedures, purchases of goods and services should be routed for review via the Procure-to-Pay Department. Visit the GW Procurement website for more information.

Sharing university data internally (between university Departments at GW)

Personal information of individuals may be shared internally for university purposes. To facilitate internal sharing of university data, the Data Governance Office implemented a process that manages the expectations of data providers (Data Stewards and Data Custodians) and data requestors, and ensures that data sharing between university departments complies with university policies related to privacy and use of university data.

Data requestors (university departments requesting data from university systems) are required to follow the internal Data Sharing Process and submit a Data Sharing Agreement request to the Data Governance Office for review and approval of the data sharing and usage by Data Stewards.

Click here to learn how to create and submit a Data Sharing Agreement for approval.