Skip to main content
Department of Medicine IT

Data Stewardship Guidance

Data stewardship refers to our responsibility as a UW Medicine workforce member to safeguard data (electronic or paper) that is entrusted to us, or that we use or access. This includes both confidential and restricted information, for example:

  • Individual financial information (e.g., credit card and bank account numbers)
  • Other personal information (e.g., social security #, home address, personal contact information, performance reviews)
  • Individual Student Records – protected by FERPA
  • Proprietary information, such as intellectual property or trade secrets
  • Protected Health Information (PHI) – protected by HIPAA

As representatives of UW Medicine, we are personally, professionally, ethically and legally responsible for our actions. When confidential and restricted information is lost, stolen, or otherwise compromised there are significant consequences for UW Medicine and all individuals involved. Data stewardship is necessary to maintain UW Medicine's reputation, uphold the trust placed in us, and prevent harm. For more details about the priority and need to protect our data please see the Data Stewardship Letter from Dean Ramsey and the Data Stewardship Roles and Responsibilities Matrix.

For your convenience the Department of Medicine has prepared a handout to highlight some of the most important things to know. This is intended as a brief guide. Additional information is available below and on the UW Medicine IT Security website.
Data Stewardship Most Important Points (PDF)

Data Stewardship Resources

A good rule of thumb is that devices used for work purposes and that can move need to be encrypted and password protected. This includes laptops, phones, tablets, thumb drives, and other portable storage devices. Devices that are personally owned must also be secured, if it is used to perform work functions it should be secured according to UW Medicine policy. UW Medicine IT Security has drafted a flowchart to show when it is required to have a device encrypted vs when it is recommended.

To assist with these encryption and security requirements users may also encouraged to participate in the security of their devices. The Department of Medicine IT Services has self guidance instructions for encryption on the Device Security page. Any questions regarding these instructions or Data Stewardship in general can be directed to the Department of Medicine IT Help Desk. Please also feel free to stop by any of the kiosk events listed on the calendar or contact us with any questions. We are also happy to schedule one-on-one meetings with Department of Medicine employees that cannot attend one of the kiosk events.

Key Principles

  1. Data Thrift
    • Don’t be responsible for data you don’t need – delete anything sensitive; better yet don’t copy it in the first place
    • Use internal systems (e.g. ORCA or Epic patient lists) to track information
    • Use institutionally owned servers to store data
    • Use de-identified information if possible
  2. Physical Security
    • Keep paper and physical documents in a safe place
    • Keep computers behind locked doors (stolen laptops are the #1 reason for breaches)
    • Keep mobile devices close at hand
    • Keep flash drives and other external drives close at hand
  3. Encrypted Storage
    • All desktops, laptops, cell phones, tablets and flash drives used must be encrypted (including personal cellphones and tablets that are used for work)
    • Encryption is only as strong as its password – UW security policy requires strong password
    • “Cloud” storage is generally unsafe
  4. Phishing and Viruses
    • Easiest way to breach a secure system is to ask someone to give you the password; second easiest is to try a password you got from somewhere else
    • Don’t respond to emails or websites asking for your passwords
    • If suspicious, check security certificate in browser
    • Keep OS and anti-virus software up to date

Data Classifications

Data classification determines what controls need to be applied to appropriately protect institutional information according to information security and privacy policies. To help clarify the minimum requirements for UW data security, three categories of data have been defined: Public, Restricted, and Confidential.

  • Public: Information that is published for public use or has been approved for general access by the appropriate University authority.
  • Restricted: Information that is circulated on a need-to-know basis or sensitive enough to warrant careful management and protection to safeguard its integrity and availability, as well as appropriate access, use, and disclosure.
  • Confidential: Information that is very sensitive in nature and typically subject to federal or state regulations. Unauthorized disclosure of this information could seriously and adversely impact the University or the interests of individuals and organizations associated with the University.

These classifications are included in APS 2.2, University Privacy Policy, and APS 2.6, Information Security Controls and Operational Practices. The UW Pass Council also has produced a convenient table for determining the classification of various data types.

Questions about data classification can be forwarded to the UW CISO for review by the relevant Data Custodian(s) and the PASS Council.

Guidance Tips

  • Education - brown bag sessions, presentations at faculty meetings, kiosk events, only purchase encrypted USB drives
  • Inventory of all devices including laptops, desktops, tablets and phones that are used by you and your direct reports
  • Compute in place when possible instead of transporting the data on USB drives
  • Use Department of Medicine IT, we will address and support all Data Stewardship needs as part of our services
  • Review the Privacy, Confidentiality, and Information Security Agreement (PCISA) at New Employee Orientation and during annual review

Guidance Tools

Breach Reporting

A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI. In the event of a loss or theft the event must be reported, and at that time an internal audit will take place by UW Medicine . If they find that the device was secured with encryption and password protection then there is no breach and the investigation usually stops there. If there is a breach then the event escalates to the full HIPAA reporting cascade, which includes:

  • Notification to UW Medicine Compliance
  • Notification to department leadership
  • Notification to the Office for Civil Rights
  • All individuals affected must be notified; if more than 10 lack addresses, public notice on web
  • If more than 500 affected, media must be informed

To report a possible breach contact UW Medicine IT at 206-221-7012 or
For members in the Department of Medicine incidents should also be reported Walt Morrison at 206-616-4726 or
For members of other departments incidents should be reported to department management for coordination with UW Medicine Compliance.

Here is the Lost or Stolen Devices procedure for the Department of Medicine. This procedure should be applied to any work devices or personal devices that are used for work purposes. Other departments are welcome to use this as a template however the contacts would change to reflect your respective department personnel. Available here:

Data Stewardship Kiosk Schedule

The Department of Medicine IT Services will be hosting Data Stewardship Kiosk events at UW Medical Center, South Lake Union, and Harborview Medical Center. During these events, Department of Medicine IT Services staff members will be on-site to answer questions and assist users with securing and encrypting mobile devices, including laptops, smartphones, portable storage devices, and tablets. All Department of Medicine Members, including those not actively supported by the Department of Medicine IT Services ("Outpost users"), are invited to attend. There will be no charge for the services provided at this kiosk event.

For the full details and schedule please visit the Kiosk Schedule page