Office of the Chief Information Security Officer

External Data Sharing

Data Security and Privacy Agreement

The Data Security and Privacy Agreement (DSPA) supports the primary mission of the University of Washington to preserve, advance, and disseminate knowledge by setting the University’s preferred information security and privacy terms in third-party vendor agreements.

The DSPA controls risk, enables innovation, and seeks a balance that is fair, clear, and practical by communicating the following data security and privacy goals when contracting with vendors:

  1. Retaining ownership of UW data
  2. Limiting use of UW data to the minimum data elements and data volume needed to perform
  3. Data security and privacy guarantees based on objective outcomes, a standard of due care, and responsibility for engineering effective, appropriate means for delivering on those guarantees
  4. Retaining to right to determine notification requirements in situations that threaten harm to the privacy of UW data
  5. Assurance of continued due care
  6. Adequate remedies for UW’s information security and privacy interests


Download DSPA (docx)

Description of Analytic Rubric

The analytic rubric was developed to promote consistency and rigor in evaluating information security and privacy risk in agreements. The analysis process is informed by the Data Security and Privacy Goals, University APS 2.6, compliance considerations, confidential data guidance, and recognized security, privacy, and risk management principles. Practical, actionable recommendations are emphasized.

Attribute <<< Less Favorable More Favorable >>>
The estimated effort needed to remove the strain on University security and privacy goals.
Intractable Rigid Pliant Dynamic
Measures the vendor’s fitness to perform.
Unqualified Questionable Capable Distinguished
Measures the degree to which the vendor’s approach is an additional burden.
Conflicting Discordant Congruent Supportive
Overall Position
Describes three ideas:

  1. General quality of the agreement
  2. How to work within the agreement
  3. Plan for communications with the vendor
Exit Negotiate Acceptable Partner

Using the DSPA

The following flow chart illustrates how to use the DSPA:



When should I use the Data Security and Privacy Agreement (DSPA)?

Use the DSPA as early as is practical in the process of engaging with third-party business partners, contractors, and vendors, whenever University data or critical systems are involved. The DSPA helps document data security and privacy expectations for handling University data with all due care. It furthers the effort both for the individual situation, and for the University overall, to reach a fair allocation of risk in a manner that is practical. The DSPA is not required for Protected Health Information when a BAA is used by a UW Healthcare Component (as defined in UW Medicine Privacy Policies).

How do I use the DSPA in contracting?

The DSPA is versatile enough to be used either as a standalone agreement or as an amendment to an existing or new contract. It should be included in formal solicitations (e.g. within the RFP or RFQ package) or, at least, included as a planned step in procurement or contracting process. While earlier is better, it is never too late in the process to introduce the DSPA and it is important to do so.

Who signs the DSPA?

Only University employees with explicit written authority to sign agreements on behalf of the University may sign a DSPA. The policy, procedures, and structure of your University organization may further determine the most appropriate person.

Am I responsible for negotiating DSPA mark-ups?

University organizations are responsible for managing the relationship with vendors and other external parties, from the earliest stages of the selection process, and all through the life of the agreement. Stakeholders within the organization are responsible for managing risk, thus they must communicate the need for vendors and external parties to honor the University’s information security and privacy requirements by way of the DSPA.

Vendors and other external parties, for their part, may respond with their own communication about the DSPA terms. This response may involve DSPA mark-ups, a vendor form to use instead of the DSPA, or some other combination of additional legal, commercial, and technical documentation.

Where the vendor responds with substantial changes to the DSPA or other significant amounts of feedback, please contact

If the DSPA is modified, who should review it?

  • If the DSPA is not substantially modified, it does not need to be reviewed.
  • If the contracting organization is a unit within UW Medicine, the DSPA should be reviewed by UW Medicine IT Services Security.
  • Otherwise, the DSPA should be reviewed by the Office of the CISO.
  • If you are not sure, contact so that the correct disciplines and supporting offices can be coordinated to help your efforts.

Can I use the DSPA for exploration/testing of software and services?

Yes, and you are encouraged to do so. The DSPA can be used any time business partners, contractors, vendors, or third parties product or service involves critical systems or University Confidential data.

What about special circumstances (either about the vendor or my organization)?

The DSPA process is intended to be suitable for the depth and breadth the endeavors of the University. The DSPA itself was designed for versatility both in its applicability and in its suitability for facilitating further practical discussion and analysis about how to appropriately safeguard systems and data under special circumstances.

What is the difference between the DSPA and a Business Associate Agreement (BAA)?

The DSPA is a versatile general agreement that can be used or adapted for use for nearly every engagement of vendors or other external parties, whenever University critical systems or Confidential data is involved. Where the University organization is part of the Healthcare Component Group (as defined by UW Medicine Privacy Policy (COMP.106) and the vendor is considered to be a Business Associate under HIPAA regulations, only the BAA will be required to  be signed for Protected Health Information. If the vendor is not a Business Associate, or if the agreement involves confidential information other than Protected Health Information, then the DSPA will need to be negotiated.

What is the difference between the Definitions, Declarations, and Operative Provisions used in the DSPA?

The DSPA has three parts: Definitions, Declarations, and Operative Provisions.
Definitions are specific terms used throughout the agreement whose meanings are more precise than the usage of the term in industry parlance or in common language. The DPSA terms are consistent with University policy pertaining to information security and privacy.

Declarations are formal statements acknowledging the understanding of both parties to the DSPA. A contract is sometimes called a “meeting of the minds” and as such, it can be helpful to state the understanding of the parties. The DSPA declarations are a precise but mostly plain-language statement expressing the idea of a clear, fair, and practical allocation of responsibility for protecting the security and privacy of information.

Operative provisions describe the duties of the parties that are in effect during and after the term of the agreement. The DSPA organizes operative provisions topically. The topics are:


What if I still have questions?

    • Questions regarding acquisition, materials management, or contracting should be directed to UW Purchasing Services.
    • Questions of a legal nature should be directed to the Office of the Attorney General.
    • Questions regarding information security and privacy from units within UW Medicine should be directed to UW Medicine IT Services Security.
    • Questions regarding information security and privacy should be directed to the Office of the CISO.
    • If you are not sure, contact so that the correct disciplines and supporting offices can be coordinated to help your efforts.