SENATE BILL REPORT
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
As of February 17, 2019
Title: An act relating to data sales and governance.
Brief Description: Concerning data sales and governance.
Sponsors: Senators Carlyle, Palumbo, Mullet, Hasegawa, Keiser, Pedersen and Saldaña.
Committee Activity: Environment, Energy & Technology: 1/22/19.
SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY
Staff: Angela Kleis (786-7469)
Background: Personal information and privacy interests are protected under various provisions of state law. The Washington State Constitution provides that no person shall be disturbed in his private affairs without authority of law. The Public Records Act (PRA) protects a person's right to privacy under certain circumstances if disclosure of personal information: (1) would be highly offensive to the reasonable person, and (2) is not of legitimate concern to the public.
The Consolidated Technology Services (CTS) agency supports state agencies as a centralized provider and procurer of certain information technology services. Within CTS, the Office of the Chief Information Officer (OCIO) has certain primary duties related to information technology for state government, which include establishing statewide enterprise architecture and standards for consistent and efficient operation. Within OCIO, the Office of Privacy and Data Protection (OPDP) serves as a central point of contact for state agencies on policy matters involving data privacy and data protection.
Summary of Bill: Short Title. This act shall be known as the Data Management and Protection Act.
Sale of Personal Data. The sale of personal data to third parties by a state agency is prohibited except as authorized under law. A state agency authorized to sell information containing personal data must take affirmative steps to protect such data from impermissible subsequent use, transfer, or sale by a third party.
Before completing the sale of data, a state agency must document the conditions under which the data is to be used in a contract involving one or more state agencies. Contracts must meet certain minimum requirements. If data is used in an unauthorized manner, the contractor responsible for the unauthorized disclosure must be denied further access to such data by the state agency.
The requirements on the sale of personal data to third parties by a state agency do not apply under certain conditions such as public records disclosed pursuant to the PRA.
Stewardship of State's Structured Assets. OPDP must publish principles to promote stewardship of the state's structured assets. The principles relate to data minimization, due diligence, sensitive data, data quality, transparency, and data security.
Consumer Rights. Beginning January 1, 2025, state agencies must facilitate requests to exercise certain consumer rights. The requirement to facilitate a request does not apply under certain conditions.
On request from a consumer, a state agency must:
confirm if a consumer's personal data is being processed and provide access to such personal data;
correct inaccurate consumer personal data;
delete the consumer's personal data if the personal data is no longer necessary in relation to the purposes for which the personal data was collected;
restrict processing if certain grounds apply, such as when the accuracy of the personal data is contested by the consumer; or
provide the consumer any of their personal data that they provided to the controller.
A state agency must respond to a request within 30 days of receipt of the request. Under certain circumstances, this time period may be extended by 60 additional days. A state agency must notify a consumer within 30 days of receipt of the request (1) if an extension was approved and the reason for the delay, or (2) if no action was taken on a request and the reason for not taking action.
A state agency may request additional information to confirm the identity of a consumer if the state agency has doubts concerning the identity of the consumer making a request to exercise a consumer right.
Transparency. State agencies must be transparent and accountable for their processing of personal data by making a privacy notice available that includes certain criteria, such as categories of personal data collected and purposes for which the categories of personal data are used and disclosed to third parties. State agencies that engage in profiling must disclose such profiling to the consumer at or before the time personal data is obtained.
Compliance. By June 30, 2024, the OPDP will provide a template for consumer access to data and develop compliance criteria. State agencies must certify compliance with the requirements of this act. State agencies may request a waiver from OPDP for inability to comply because of special circumstances.
Fiscal Note: Available.
Creates Committee/Commission/Task Force that includes Legislative members: No.
Effective Date: The bill contains several effective dates. Please refer to the bill.
Staff Summary of Public Testimony: PRO: The public sector needs to hold itself to the same standards as it holds the private sector. The intent of the bill is to get a handle on the state's use of data. Under this bill, there are five years to work out the mechanisms.
CON: The language of the bill is unclear and may shut down an agency's ability to meet federal reporting requirements.
Persons Testifying: PRO: Senator Reuven Carlyle, Prime Sponsor; Alex Alben, Office of Privacy. CON: Cliff Webster, Consumer Data Industry Association.
Persons Signed In To Testify But Not Testifying: No one.