Privacy Governance Committee & COVID-19 Data Governance Committee Introductions
The Privacy Governance Committee is a standing committee with the purpose of assessing the privacy implications of proposed solutions, processes, initiatives, and other activities – or "use-cases" – undertaken by the University of Arizona and University Personnel that involve the collection, processing, or reporting of sensitive personal information and data that can be traced to individuals. For COVID-19 related data, an off-shoot of this committee has been formed (see https://privacy.arizona.edu/privacy-governance for more information).
Why was the Committee created?
The University and the Committee recognize that the individuals whose data may be collected, processed, or reported by the University have reasonable expectations of privacy and for the ethical use of their personal data. Since the inception of the Committee in June of 2020, five use-cases related to COVID-19 campus safety monitoring efforts have undergone review. This has resulted in privacy safeguards being implemented to protect personal data. It is the Committee's goal to have this process be an accepted best practice so that all University initiatives meeting use-case criteria undergo a documented review and an endorsement process before implementation.
Who are the Committee members?
The committee has a master roster of 23 members representing stakeholders from across the University. When a particular use-case needs to be reviewed, members are selected based on the areas in which they have subject matter expertise. Privacy impact assessments of use-cases involving a particular process or dataset within the purview of a Data Custodian (a role related to the aggregation, storage, and use of data sets), must include that Data Custodian in the use-case review.
When are referrals to the Committee appropriate?
Referrals to the Committee for a privacy impact assessment are appropriate when use-cases foreseeably impact individuals' privacy interests and call for an evaluation of the ethical use of personal data. The Committee may receive use-cases for review, for example, upon a referral by a University senior vice president, the Office of General Counsel, or the Compliance Advisory Committee.
How does the Committee make an assessment?
The Committee will apply the University Privacy Statement, Privacy Principles, and other appropriate University compliance guidance and policies, along with all applicable laws and regulations, to the use-case when performing its assessments. In performing its work, the Committee will gather information to ascertain if the proposed use-case falls within a legitimate institutional need and/or is aligned with the University's stated mission.
How do I submit a referral to the Privacy Governance Committee?
You can submit a proposal for review to privacy@arizona.edu.
Where can I find the Committee's website and master roster?
You can find it here: https://privacy.arizona.edu/privacy-governance.
Is there any other committee that reviews COVID-19 data?
In October 2020, the COVID-19 Data Governance Committee was formed to provide an expedient approval process that applies privacy and data governance principles to determine appropriate future uses of COVID-19 institutional data. A need for the committee was identified to limit the use of sensitive and regulated data collected as part of COVID-19 mitigation and public health surveillance efforts to approved use and users. This is needed to meet regulatory requirements and also to comply with notices, consents, and authorizations that have made the collection and use of the data possible. To submit a referral to this committee, email privacy@arizona.edu to request the COVID-19 Data Request Form.