HOUSE BILL REPORT

HB 2278

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Reported by House Committee On:

State Government, Elections & Information Technology

Transportation

Title: An act relating to enhancing personal information privacy protections in government entities.

Brief Description: Concerning personal information privacy protections in government entities.

Sponsors: Representatives Morris, Hudgins, Smith, Slatter, Tharinger, Macri, Young, Kloba and Appleton.

Brief History:

Committee Activity:

State Government, Elections & Information Technology: 1/16/18, 1/23/18 [DP];

Transportation: 2/5/18, 2/6/18 [DPS].

Brief Summary of Substitute Bill

  • Requires each state agency to designate a privacy officer to reduce the use and retention of personal information by the agency.

  • Requires each privacy officer to report to the Office of Privacy and Data Protection by December 15, 2018.

  • Prohibits government entities from furnishing free of charge, selling, or charging a fee for personal identification numbers.

  • Prohibits government entities from furnishing free of charge, selling, or charging a fee for personal financial and health information except as part of an abstract driving record as furnished by the Department of Licensing (DOL).

  • Prohibits the DOL from releasing abstract driving records to be used for commercial purposes.

HOUSE COMMITTEE ON STATE GOVERNMENT, ELECTIONS & INFORMATION TECHNOLOGY

Majority Report: Do pass. Signed by 7 members: Representatives Hudgins, Chair; Dolan, Vice Chair; McDonald, Ranking Minority Member; Kraft, Assistant Ranking Minority Member; Appleton, Gregerson and Pellicciotti.

Minority Report: Do not pass. Signed by 1 member: Representative Irwin.

Minority Report: Without recommendation. Signed by 1 member: Representative Johnson.

Staff: Sean Flynn (786-7124).

Background:

Privacy and Personal Information. Personal information and privacy interests are protected under various provisions of state law. Personal privacy is protected from unreasonable state intrusion under Article I, section 7 of the state Constitution. The Public Records Act (PRA) also protects a person's right to privacy under certain circumstances if disclosure would be highly offensive to the reasonable person and is not of legitimate public concern. The PRA exempts personal information of public employees and officials maintained in public agency files from disclosure to the extent necessary to protect such person's right to privacy. Certain personal information related to investigative law enforcement records also is exempt from disclosure in order to protect a person's privacy.

The PRA also exempts certain personal information in public employee personnel records, including childcare enrollment, public employees and officials, tax assessments, personal financial information, driver's license records, vehicle license information associated with certain agencies conducting investigations, and 911 emergency systems contact information. Various other areas of state law protect privacy interests through confidentiality and other non-disclosure requirements.

Office of Privacy and Data Protection. In 2011 the Consolidated Technology Services (CTS) agency was created as part of a reorganization of state government information technology (IT) infrastructure functions and services. The CTS provides information services to public agencies, operates the State Data Center, and offers IT services, including data security and storage.

In 2016 the Office of Privacy and Data Protection (OPDP) was created within the CTS. The Chief Privacy Officer is appointed by the Chief Information Officer and serves as the Director of the OPDP. The OPDP is the central point of contact for state agencies on policy matters involving data privacy and protection, and provides annual privacy training for state agencies, coordinates agency data protection, conducts an annual review, and reviews major state agency projects involving personally identifiable information.

–––––––––––––––––––––––––––––––––

Summary of Bill:

Each state agency must designate a privacy officer to work with the OPDP to develop agency policy that reduces the use and retention of personal information. Each privacy officer must complete a training course through the OPDP at least every four years.

By December 15, 2018, each privacy officer must create a work plan to report to the OPDP. The work plan must take inventory of all personal information prepared and retained by the agency, including the type of information, the purpose for its collection, and the extent to which such information is protected from unauthorized disclosure.

The plan also must include a map of the physical and digital location of the personal information collected by the agency. Personal information includes a person's name, Social Security number, state driver's license or identification card, financial account numbers, credit or debit card numbers, and security codes. The inventory and map created for the work plan are exempt from public disclosure under the PRA to the extent they reveal the location of personal information.

A government entity is prohibited from selling personal identification numbers issued by a government entity. A government entity also is prohibited from selling personal financial and health information, including information that is identifiable to an individual and commonly used for financial or health care purposes, including account information and access codes or passwords, as well as information gathered for account security purposes or for account access, or information that relates to medical history or status.

–––––––––––––––––––––––––––––––––

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.

Staff Summary of Public Testimony:

(In support) Personal information can be collected and retained through various government operations, which creates a nexus between government function and privacy issues. The OPDP is the only resource for all state agencies regarding the management of private information. Agencies need in-house resources to advise policy on issues relating to privacy interests. Agencies need to evaluate their data collection methods and streamline their organizational process to only collect the type of information that is needed. Agencies already have public records officers, so in most cases this will not require new hires. The prohibition on selling personal information is good for protecting the privacy interests of private persons who interact with government services.

(Opposed) Certain driver's licensing information is shared by the Department of Licensing with insurance companies to verify driver records that are used to underwrite policies. This prohibition creates confusion with other statutes that allow for the sale of specific information, and should be clarified.

(Other) This would create confusion with other requirements that allow for the sale of certain specific information. This should not interfere with the public's ability to know the extent to which agencies are storing personal information. Some personal information is important to verify eligibility, such as birthdates, which are necessary to verify voter eligibility. This could prevent the practice of agencies selling information for important and legitimate reasons that benefit the public. The state has a substantial revenue stream from the sale of such information that would be lost if prohibited.

Persons Testifying: (In support) Representative Morris, prime sponsor; and Alex Alben, Office of Privacy and Data Protection.

(Opposed) Diana Carlen, RELX Inc.; and Cliff Webster, Consumer Data Industry and Thomson Reuters.

(Other) Rowland Thompson, Allied Daily Newspapers of Washington; and Mel Sorensen, Property Casualty Insurers Association of America and Allstate Insurance.

Persons Signed In To Testify But Not Testifying: None.

HOUSE COMMITTEE ON TRANSPORTATION

Majority Report: The substitute bill be substituted therefor and the substitute bill do pass. Signed by 18 members: Representatives Clibborn, Chair; Fey, Vice Chair; Wylie, Vice Chair; Orcutt, Ranking Minority Member; Harmsworth, Assistant Ranking Minority Member; Chapman, Gregerson, Kloba, Lovick, McBride, Morris, Ortiz-Self, Pellicciotti, Riccelli, Stambaugh, Tarleton, Valdez and Young.

Minority Report: Without recommendation. Signed by 4 members: Representatives Hargrove, Assistant Ranking Minority Member; Hayes, Irwin and Rodne.

Minority Report: Do not pass. Signed by 3 members: Representatives Pike, Shea and Van Werven.

Staff: Patricia Hasan (786-7292).

Summary of Recommendation of Committee On Transportation Compared to Recommendation of Committee On State Government, Elections & Information Technology:

The substitute bill permits the Department of Licensing (DOL) to charge a fee for medical history information in abstract driving records. The DOL is required to report to the Legislature every two years on implementation and operation of its inventory and map of personal information. The DOL is required to charge an additional amount to the $13 fee for an abstract driving record as necessary to fund the DOL's privacy officer functions and the biennial reporting requirement. The DOL is prohibited from releasing abstract driving records to be used for commercial purposes. Any government entity is prohibited from furnishing, free of charge, any personal financial and health information and any personal identification numbers issued by a government entity.

Appropriation: None.

Fiscal Note: Preliminary fiscal note available.

Effective Date of Substitute Bill: The bill takes effect 90 days after adjournment of the session in which the bill is passed.

Staff Summary of Public Testimony:

(In support) Two big issues facing the government and taxpayers are cybersecurity and privacy. Public disclosure laws are passed as statute, but privacy is a constitutional right. This should make privacy preeminent as the first default for everything that is done even when juxtaposed with public disclosure laws. A lot of agencies are collecting personal identifying information (PII), and the Legislature and the people have no idea where that information is stored or the protection on the storage. This bill would require an assessment of who is collecting PII, who is selling PII, and to find out where the PII is stored. The requirements do not include mapping the data, but rather to create a data management plan to find out how much it would cost to map the data and then protect the data.

(Opposed) There is opposition to the blanket prohibition on the release of various types of records. This is backed up by the fiscal note prepared by the DOL, which also concludes that those records could no longer be obtained. These records are very important for a variety of law enforcement and public safety reasons. A fix for this bill would be to prohibit the release of these records unless otherwise permitted by federal or state law.

(Other) There are concerns with the prohibition on selling personal financial and health information and personal identification numbers issued by a government entity. Insurers purchase motor vehicle records from the state. It is important that insurers have access to accurate records in order to classify the risks associated with a driver when that driver applies for car insurance, and to charge that driver an adequate rate or place that driver in the correct insurance program pursuant to the risks that they present. Not long ago, the state increased the fees associated with abstract driving records, and the fiscal note associated with the bill reflects the substantial amount of revenue that would be lost to the state if these records cannot be sold. Abstract driving records are primarily sold to car insurance companies.

Persons Testifying: (In support) Representative Morris, prime sponsor.

(Opposed) Cliff Webster, Consumer Data Industry Association and Thomson Reuters.

(Other) Mel Sorensen, Property Casualty Insurers Association of America, Allstate, and American Family Insurance; and Beau Perschbacher, Department of Licensing.

Persons Signed In To Testify But Not Testifying: None.