SENATE BILL REPORT

SB 5377

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Reported by Senate Committee On:

Environment, Energy & Technology, February 20, 2019

Title: An act relating to data sales and governance.

Brief Description: Concerning data sales and governance.

Sponsors: Senators Carlyle, Palumbo, Mullet, Hasegawa, Keiser, Pedersen and Saldaña.

Brief History:

Committee Activity: Environment, Energy & Technology: 1/22/19, 2/20/19 [DPS-WM].

Brief Summary of First Substitute Bill

  • Provides that this act be known as the Data Management and Protection Act.

  • Prohibits the sale of personal data to third parties by state agencies except as authorized under law.

  • Requires the Office of Privacy and Data Protection to publish principles that promote stewardship of the state's structured data sets and to develop compliance criteria for the requirements set forth in this act.

  • Requires the Chief Privacy Officer to collaborate with state agencies and report to the Legislature proposing how state agencies should treat personal data and respond to verified requests for personal data from consumers.

  • Provides that state agencies must be transparent and accountable for their processing of personal data by making a privacy notice available.

SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY

Majority Report: That Substitute Senate Bill No. 5377 be substituted therefor, and the substitute bill do pass and be referred to Committee on Ways & Means.

Signed by Senators Carlyle, Chair; Palumbo, Vice Chair; Ericksen, Ranking Member; Fortunato, Assistant Ranking Member, Environment; Sheldon, Assistant Ranking Member, Energy & Technology; Billig, Brown, Das, Hobbs, Liias, McCoy, Nguyen, Rivers, Short and Wellman.

Staff: Angela Kleis (786-7469)

Background: Personal information and privacy interests are protected under various provisions of state law. The Washington State Constitution provides that no person shall be disturbed in his private affairs without authority of law. The Public Records Act (PRA) protects a person's right to privacy under certain circumstances if disclosure of personal information: (1) would be highly offensive to the reasonable person, and (2) is not of legitimate concern to the public.

The Consolidated Technology Services (CTS) agency supports state agencies as a centralized provider and procurer of certain information technology services. Within CTS, the Office of the Chief Information Officer (OCIO) has certain primary duties related to information technology for state government, which include establishing statewide enterprise architecture and standards for consistent and efficient operation. Within OCIO, the Office of Privacy and Data Protection (OPDP) serves as a central point of contact for state agencies on policy matters involving data privacy and data protection.

Summary of Bill (First Substitute): Short Title. This act shall be known as the Data Management and Protection Act.

Sale of Personal Data. The sale of personal data to third parties by a state agency is prohibited except as authorized under law. A state agency authorized to sell information containing personal data must take affirmative steps to protect such data from impermissible subsequent use, transfer, or sale by a third party.

Before completing the sale of data, a state agency must document the conditions under which the data is to be used in a contract involving one or more state agencies. Contracts must meet certain minimum requirements. If data is used in an unauthorized manner, the contractor responsible for the unauthorized disclosure must be denied further access to such data by the state agency.

The requirements on the sale of personal data to third parties by a state agency do not apply under certain conditions such as public records disclosed pursuant to the PRA.

Stewardship of State's Structured Assets. OPDP must publish principles to promote stewardship of the state's structured assets. The principles relate to data minimization, due diligence, sensitive data, data quality, transparency, and data security.

Consumer Rights. By June 30, 2020, the Chief Privacy Officer must report to the Legislature proposing how state agencies should treat personal data and respond to verified requests for personal data from consumers. In creating the report, the Chief Privacy Officer must:

Transparency. State agencies must be transparent and accountable for their processing of personal data by making a privacy notice available that includes certain criteria, such as the categories of personal data collected and the purposes for which those categories of personal data are used and disclosed to third parties. State agencies that engage in profiling must disclose such profiling to the consumer at or before the time personal data is obtained.

Compliance. By June 30, 2021, the OPDP will provide a template for consumer access to data and develop compliance criteria. State agencies must certify compliance with the requirements of this act. State agencies may request a waiver from OPDP for inability to comply because of special circumstances.

EFFECT OF CHANGES MADE BY ENVIRONMENT, ENERGY & TECHNOLOGY COMMITTEE (First Substitute):

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.

Staff Summary of Public Testimony on Original Bill: The committee recommended a different version of the bill than what was heard. PRO: The public sector needs to hold itself to the same standards as it holds the private sector. The intent of the bill is to get a handle on the state's use of data. Under this bill, there are five years to work out the mechanisms.

CON: The language of the bill is unclear and may shut down an agency's ability to meet federal reporting requirements.

Persons Testifying: PRO: Senator Reuven Carlyle, Prime Sponsor; Alex Alben, Office of Privacy. CON: Cliff Webster, Consumer Data Industry Association.

Persons Signed In To Testify But Not Testifying: No one.