WSR 23-13-119
PROPOSED RULES
DEPARTMENT OF LICENSING
[Filed June 21, 2023, 10:03 a.m.]
Original Notice.
Preproposal statement of inquiry was filed as WSR 21-10-098.
Title of Rule and Other Identifying Information: Chapter 308-10A WAC, Data privacy.
Hearing Location(s): On July 31, 2023, at 10:00 a.m., Zoom meeting https://dol-wa.zoom.us/j/89710106612?pwd=bDV4NldUT3U5ZnNtWm9MVEkrVUs5QT09, Meeting ID 897 1010 6612, Passcode 119511; or One-tap mobile +12532050468,,89710106612#,,,,*119511# US, +12532158782,,89710106612#,,,,*119511# US (Tacoma); dial by your location +1 253 205 0468 US, +1 253 215 8782 US (Tacoma), +1 669 900 6833 US (San Jose), +1 719 359 4580 US, +1 346 248 7799 US (Houston), +1 408 638 0968 US (San Jose), +1 669 444 9171 US, +1 507 473 4847 US, +1 564 217 2000 US, +1 646 876 9923 US (New York), +1 646 931 3860 US, +1 689 278 1000 US, +1 301 715 8592 US (Washington DC), +1 305 224 1968 US, +1 309 205 3325 US, +1 312 626 6799 US (Chicago), +1 360 209 5623 US, +1 386 347 5053 US, Meeting ID 897 1010 6612, Passcode 119511. Find your local number https://dol-wa.zoom.us/u/kd4xsjB7V3. If you are having issues accessing the public hearing at the time of the scheduled hearing, please call 360-902-0131. There is an in-person option located at 1125 Washington Street S.E., Olympia, WA 98504. For parking information, please email rulescoordinator@dol.wa.gov.
Date of Intended Adoption: August 1, 2023.
Submit Written Comments to: Kelsey Stone, 1125 Washington Street S.E., Olympia, WA 98504, email rulescoordinator@dol.wa.gov, by July 30, 2023.
Assistance for Persons with Disabilities: Contact Kelsey Stone, phone 360-902-0131, email rulescoordinator@dol.wa.gov, by July 21, 2023.
Purpose of the Proposal and Its Anticipated Effects, Including Any Changes in Existing Rules: Create rules to clarify the new law SSB 5152 from the 2021 legislative session, specifically its data sharing practices.
Reasons Supporting Proposal: On April 16, 2021, Governor Inslee signed SSB 5152, Enhancing data stewardship and privacy protections for vehicle and driver data.
Statutory Authority for Adoption: RCW 46.01.110.
Rule is not necessitated by federal law, federal or state court decision.
Agency Comments or Recommendations, if any, as to Statutory Language, Implementation, Enforcement, and Fiscal Matters: Not applicable.
Name of Agency Personnel Responsible for Drafting: Kelsey Stone, 1125 Washington Street S.E., Olympia, WA 98504, 360-902-0131; Implementation and Enforcement: James Messer, 1125 Washington Street S.E., Olympia, WA 98504, jmesser@dol.wa.gov.
A school district fiscal impact statement is not required under RCW 28A.305.135.
A cost-benefit analysis is required under RCW 34.05.328. A preliminary cost-benefit analysis may be obtained by contacting Kelsey Stone, 1125 Washington Street S.E., Olympia, WA 98504, phone 360-902-0131, email rulescoordinator@dol.wa.gov.
Scope of exemption for rule proposal from Regulatory Fairness Act requirements:
Is not exempt.
The proposed rule does impose more-than-minor costs on businesses.
Small Business Economic Impact Statement
See attachment [no further information provided by agency].
A copy of the statement may be obtained by contacting Kelsey Stone, 1125 Washington Street S.E., Olympia, WA 98504, phone 360-902-0131, email rulescoordinator@dol.wa.gov.
June 21, 2023
Ellis Starrett
Rules and Policy Manager
OTS-3980.4
Chapter 308-10A WAC
DATA SHARING
NEW SECTION
WAC 308-10A-100 Definitions.
For the purposes of RCW 46.22.010, the following definitions apply:
(1) "Access period" means a duration of time, within the term of the data sharing agreement, during which the recipient is granted access to and use of protected personal information.
(2) "Agent" means a representative, or representatives, of a requestor that is under contract with the recipient or subrecipient to request driving or vehicle records on the requestor's behalf. "Agent" includes insurance pools established under RCW 48.62.031 of which the authorized recipient is a member.
(3) "Attorney," for the purposes of RCW 46.12.630 and 46.12.635, means an attorney functioning in a legal capacity when obtaining or using vehicle or vessel owner information from a recipient or subrecipient.
(4) "Authorized legal representative" means someone legally authorized under federal or state law to make decisions for the individual. An authorized legal representative is someone who:
(a) Can provide documentation that they hold power of attorney, legal guardianship or conservatorship for the individual, or a comparable appointment such as executor; or
(b) Is a custodial parent of an individual who is under the age of 18.
(5) "Authorized use" means a permissible use granted to a recipient in a fully executed data sharing agreement with the department.
(6) "Bona fide research organization" means an entity, such as a university, that conducts noncommercial research using established scientific methods. There must be an intention to publish the research findings for wider scientific and public benefit, without restrictions or delay. Bona fide research organizations do not use protected personal information for commercial purposes.
(7) "Course of business" or other similar term means activities that are performed within the ordinary and necessary operations of the business and that pertain to the use of protected personal information as authorized by the recipient's data sharing agreement with the department.
(8) "Customers" means those entities to which the recipient provides services using protected personal information but which do not receive protected personal information from the recipient. "Customers" does not include those entities receiving statistical reports that do not include protected personal information.
(9) "Data" means digital information contained in the department's electronic systems that may be disclosed to a recipient under state or federal law.
(10) "Data sharing agreement" means the written agreement between the department and recipient, or the recipient and subrecipient, that defines the terms and conditions which must be followed in order for the recipient or subrecipient to receive data originating from the department.
(11) "Governmental entity" means a federal agency, a state agency, board, commission, unit of local government, or quasi-governmental entity.
(12) "Independent third party" means any entity other than a member of the recipient or any of its stockholders, or any entity controlled by or under common control with any of the stockholders or the company group.
(13) "Individual registered or legal vehicle or vessel owner" or "individual vehicle or vessel owner" means a single vehicle or vessel owner, for the purposes of RCW 46.12.630.
(14) "List" means multiple records containing protected personal information, regardless of the method recipient uses to request or obtain records.
(15) "Misuse" means the access, disclosure, or use of protected personal information without the express, written authorization from the department in a data sharing agreement. "Misuse" also includes a violation of any privacy and security requirement outlined in a data sharing agreement.
(16) "Offshoring" means the electronic or hard copy transmission, accessing, viewing, capturing images, storage, or processing of protected personal information outside the United States.
(17) "Permissible use" means authorized or required uses as outlined in federal or state law.
(18) "Private investigator," for the purposes of RCW 46.12.630 and 46.12.635, has the same meaning as RCW 18.165.010(11), or as licensed by other authority.
(19) "Protected personal information" means collectively personal information and identity information originating from the department, as defined by RCW 46.04.209, 19.255.005, 42.56.590, and 18 U.S.C. Sec. 2725 (3)-(4).
(20) "Recipient" means an entity with a permissible use who is directly receiving data from the department through a data sharing agreement.
(21) "Requestor" means an entity with an authorized permissible use to receive protected personal information from the department. A requestor may be an agent, subrecipient, or a recipient.
(22) "Regulatory bodies," for the purposes of RCW 46.52.130, means a body established by federal or state law that is responsible for regulating compliance with adopted rules or laws.
(23) "Statement of compliance" means an annual statement signed by an executive of an organization.
(24) "Subrecipient" means any entity outside a recipient's immediate organization that receives or has access to protected personal information including, but not limited to, subsidiaries, subcontractors, requestors, or agents.
NEW SECTION
WAC 308-10A-201 Recipient compliance requirements.
(1) Audits - For a recipient receiving protected personal information:
(a) A recipient receiving recurring lists of protected personal information must undergo data security and permissible use audits as outlined in the data sharing agreement.
(b) A recipient receiving a one-time list containing protected personal information must demonstrate security controls are in place to protect the information and may be required to undergo audits as outlined in the data sharing agreement.
(c) A recipient receiving individual records of protected personal information is subject to audits.
(d) The department may conduct random audits of any recipient it deems necessary.
(e) The department will determine the frequency of all audits.
(f) The cost of all audits, including actual costs incurred by the department to coordinate, schedule, conduct, draft, receive, review, and report the audit up to the point when the department issues the final audit review or report, is the responsibility of the recipient.
(g) The department may suspend or terminate a recipient's access to data if the recipient fails to provide or allow an acceptable audit by the due date established by the department.
(h) The department will only accept third-party audits that meet department audit standards and are performed by auditors that meet independent third-party auditor qualifications.
(2) Subrecipient lists - A recipient must provide the department with a list of:
(a) All subrecipients and secondary subrecipients that received protected personal information originating from the recipient in the time frame requested; and
(b) All customers.
NEW SECTION
WAC 308-10A-202 Vetting of subrecipients.
Before giving a subrecipient access to protected personal information, the recipient must validate that the subrecipient meets the following minimum requirements:
(1) The subrecipient has a permissible use under federal or Washington state laws, whichever is more restrictive.
(2) The subrecipient is a qualified recipient under federal or Washington state laws.
(3) The subrecipient has sufficient protections in place to secure the privacy of the protected personal information in accordance with the data sharing agreement.
NEW SECTION
WAC 308-10A-203 Subrecipient disqualification.
When the department notifies a recipient that its subrecipient is ineligible to receive protected personal information, the recipient must immediately:
(1) Terminate the subrecipient's access to protected personal information; and
(2) Require the subrecipient destroy all protected personal information it obtained through the recipient.
NEW SECTION
WAC 308-10A-204 Subrecipient audit requirements.
(1) A recipient must have procedures to audit subrecipients for compliance with the terms and conditions of its contract with the subrecipient.
(2) The audit methodologies must be sufficient for a reasonable person to conclude a subrecipient is compliant with requirements in the data sharing agreement.
NEW SECTION
WAC 308-10A-205 Required written consent audits.
(1) Recipients who provide protected personal information to subrecipients when a person must sign a release form under RCW 46.52.130 must establish processes to hold all subrecipients accountable for:
(a) Obtaining and maintaining the release form prior to requesting protected personal information;
(b) Verifying the release form is properly executed before requesting the protected personal information; and
(c) The consent is rightfully executed by the named individual or their authorized legal representative.
(2) The process for requesting driving records must include verifying the consent forms contain the required information in WAC 308-10A-901.
(3) The recipient must make records available to the department demonstrating the process for obtaining consent is in use and is effective. The department will establish minimum requirements for such processes in its data sharing agreement with the recipient.
NEW SECTION
WAC 308-10A-301 Recipient-subrecipient data sharing agreement.
(1) A recipient must have a data sharing agreement with a subrecipient before giving the subrecipient access to protected personal information. The data sharing agreement terms need not be in a stand-alone document, but may be included in a general contract.
(2) The subrecipient data sharing agreement must include those requirements that the department has identified in the recipient's data sharing agreement as those to be passed on to subrecipient. A subrecipient data sharing agreement that does not contain all necessary requirements will not be considered adequate.
NEW SECTION
WAC 308-10A-401 Standards for audits of recipients.
When the department requires an audit under this section, it may accept an audit performed in the previous 12 months when it meets standards in the data sharing agreement and is performed by an auditor that meets independent third-party auditor qualifications.
For recipients receiving lists:
(1) Audit procedures must test for the presence of required policies and administrative, technical, or physical controls to reasonably conclude the controls are effective and in use by the recipient.
(2) Audit reports must provide documentation on the procedures, and the results of such procedures, used to determine whether controls align with requirements in the data sharing agreement.
For recipients receiving individual records of protected personal information, audit reports must demonstrate reasonable procedures were used to conclude each recipient is compliant with requirements in the data sharing agreement.
NEW SECTION
WAC 308-10A-402 Selection of an auditor.
If the department chooses not to perform an audit, the recipient must select a qualified independent third-party auditor to conduct the audit.
NEW SECTION
WAC 308-10A-403 Independent third-party auditor qualifications.
Independent third-party auditors conducting data security audits must, at a minimum, hold one of the following qualifications:
(1) American Institute of Certified Public Accountants (AICPA);
(2) Certified Information Systems Auditor (CISA, issued by ISACA);
(3) ANSI-ASQ National Accreditation Board (ANAB);
(4) Other nationally recognized information technology auditing certification; or
(5) An internal audit organization that can attest it conforms with the international standards for the professional practice of internal auditing.
NEW SECTION
WAC 308-10A-404 Statement of compliance.
The recipient will:
(1) Perform an annual self-assessment to determine compliance with the requirements of the data sharing agreement.
(2) Confirm in writing to the department annually that it complies with requirements in the data sharing agreement.
(3) Document instances of noncompliance with the data sharing agreement and include a corrective action plan to correct all deficiencies.
(4) Include a declaration with its statement of compliance that affirms protected personal information is only used as authorized.
NEW SECTION
WAC 308-10A-405 Corrective action plans.
(1) A recipient's notification to the department of any noncompliance with the data sharing agreement must include a corrective action plan for each deficiency.
(2) The corrective action plan must identify the anticipated date the recipient will complete each action to either bring the recipient into compliance or eliminate the deficiency.
(3) The department may accept the recipient's action, and close the action item, or may require additional action.
(4) The department may take any other action described in the recipient's data sharing agreement, this chapter, or state or federal law, as it deems necessary for the safety and welfare of the public, without first accepting a corrective action plan.
NEW SECTION
WAC 308-10A-500 Permissible uses pertaining to RCW 46.12.630.
(1) For the purposes of RCW 46.12.630(1): The sharing of protected personal information will be in accordance with the following vehicle and vessel regulations as they existed on January 1, 2023:
(a) For vehicles:
(i) Titles I and IV of the Anti-Car Theft Act of 1992;
(ii) The Automobile Information Disclosure Act (15 U.S.C. Sec. 1231 et seq.);
(iii) The Clean Air Act (42 U.S.C. Sec. 7401 et seq.); and
(iv) 49 U.S.C. Secs. 30101-30183, 30501-30505, and 32101-33118;
(b) For vessels:
(i) 46 U.S.C. Sec. 4310; and
(ii) Any relevant section of the Code of Federal Regulations adopted by the United States Coast Guard.
(2) For the purposes of RCW 46.12.630(2):
(a) "Federal, state, or local agency," "local governmental entity," "governmental agency," and "government agency" have the same meaning as "governmental entity." (See WAC 308-10A-805.)
(b) For the purposes of RCW 46.12.630 (2)(e), the permissible use is restricted only to a governmental agency or its agent, as authorized by the Driver's Privacy Protection Act, 18 U.S.C. Chapter 123.
(c) For the purposes of RCW 46.12.630 (2)(h), "other applicable authority" includes out-of-state or Canadian entities legally authorized to operate a toll facility.
NEW SECTION
WAC 308-10A-700 Research.
(1) The department may disclose protected personal information for research purposes to governmental entities and bona fide research organizations only when:
(a) The research cannot reasonably be conducted without the protected personal information, the recipient provides adequate information for the department to reasonably determine that the disclosure of protected personal information will not harm individuals, the benefits to be derived from the disclosure are clearly in the public interest, and the results are not of a commercial interest; or
(b) The research purpose has been approved in writing by an authorized official in the department, legislature, or governor's office.
(2) The department may disclose pseudonymized data for research purposes on the condition the recipient will make no attempt to re-identify individuals.
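Subsection (2) names pseudonymized data and the recipient's obligation not to re-identify, but says nothing about how the pseudonym is produced, and that choice decides whether the obligation carries any weight. The example below is added here and is not part of the rule or of any department process. It contrasts the common mistake (a plain SHA-256 of the identifier, which any recipient can reverse by hashing every plausible identifier and matching) with a keyed pseudonym (HMAC-SHA256 under a secret the disclosing party never releases), and shows that the keyed form still lets a researcher link rows for the same subject inside one release while a fresh key per release keeps releases unlinkable. The "WDL%09d" identifier format, the sample rows and the keys are constructed for the example; they are not a real license format and not department data.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample release. "WDL%09d" is a toy identifier format invented for this
# example; these are not real license numbers and not department data.
SAMPLE_RECORDS = [
    {"license_no": "WDL000000017", "zip": "98504", "endorsements": "none"},
    {"license_no": "WDL000000042", "zip": "98501", "endorsements": "M"},
    {"license_no": "WDL000000017", "zip": "98504", "endorsements": "none"},  # same subject
]
DIRECT_IDENTIFIERS = ("license_no",)


def unkeyed_pseudonym(value: str) -> str:
    """Plain SHA-256 of the identifier. It looks opaque, but anyone who can enumerate
    plausible identifiers can recompute it and match, so it is not a safe pseudonym."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that stays with the disclosing party. Without the
    key the recipient cannot recompute the mapping, so guess-and-hash does not work."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def new_release_key() -> bytes:
    """A fresh 256-bit key per release. Different keys give different pseudonyms for the
    same person, so two releases cannot be joined on the pseudonym by the recipient."""
    return secrets.token_bytes(32)


def pseudonymize(records: Iterable[dict], key: bytes,
                 fields: tuple = DIRECT_IDENTIFIERS) -> list:
    """Replace each direct identifier with its keyed pseudonym and keep the other fields.
    Rows for the same subject map to the same pseudonym under one key, so per-subject
    counting and linking inside the release still work without revealing who it is."""
    out = []
    for rec in records:
        row = dict(rec)
        for field in fields:
            row["pseudo_" + field] = keyed_pseudonym(row.pop(field), key)
        out.append(row)
    return out


def candidate_ids(n: int) -> list:
    """The identifier space an attacker would enumerate (toy format, see above)."""
    return ["WDL%09d" % i for i in range(n)]


def dictionary_reidentify(target: str, candidates: Iterable[str],
                          fn: Callable[[str], str]) -> Optional[str]:
    """What a recipient could try: recompute fn over every plausible identifier and look
    for the one whose output equals the pseudonym in the release. Returns the matching
    identifier, or None when no candidate matches."""
    for cand in candidates:
        if hmac.compare_digest(fn(cand), target):
            return cand
    return None


def demo() -> dict:
    """Run both schemes against the same guess-and-hash attack and report the outcome."""
    key = new_release_key()          # held by the disclosing party only
    wrong_key = new_release_key()    # an attacker's guess; the real key space is 2**256
    space = candidate_ids(10_000)
    victim = SAMPLE_RECORDS[0]["license_no"]
    return {
        # Unkeyed hash: the attacker recovers the identifier from the pseudonym.
        "unkeyed_recovered": dictionary_reidentify(
            unkeyed_pseudonym(victim), space, unkeyed_pseudonym),
        # Keyed pseudonym: neither plain hashing nor HMAC under a guessed key matches.
        "keyed_recovered": dictionary_reidentify(
            keyed_pseudonym(victim, key), space, unkeyed_pseudonym),
        "keyed_wrong_key_recovered": dictionary_reidentify(
            keyed_pseudonym(victim, key), space,
            lambda v: keyed_pseudonym(v, wrong_key)),
    }


if __name__ == "__main__":
    print(pseudonymize(SAMPLE_RECORDS, new_release_key()))
    print(demo())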
NEW SECTION
WAC 308-10A-801 Agents.
Where agents are permitted, a requestor may access protected personal information through a chain of agents. For example, an employer (requestor) may use an employment agency (agent #1) to request records on its behalf. In turn, the employment agency may request the record through a recipient (agent #2).
NEW SECTION
WAC 308-10A-802 Offshoring.
Unless otherwise explicitly authorized in statute, or with prior written authorization from the department, recipients must:
(1) Only allow protected personal information to be transmitted, accessed, viewed, stored, or processed within the United States.
(2) Maintain the primary, backup, disaster recovery, and other sites for storage of protected personal information within the United States.
NEW SECTION
WAC 308-10A-804 Notification of misuse or unauthorized disclosure.
In the event of misuse or unauthorized disclosure of personal or identity information by either the recipient or its subrecipient, the recipient must:
(1) Notify the department as outlined in its data sharing agreement with the department;
(2) Cooperate with all department requirements in responding to the event; and
(3) Notify the department before notifying individuals or the public.
The subrecipient must notify the recipient of any misuse or unauthorized disclosure of personal or identity information.
NEW SECTION
WAC 308-10A-805 Applications for data.
(1) An application must be submitted to the department when requesting data.
(a) The department may reject incomplete applications.
(b) The department may close the application if the applicant does not provide sufficient information to complete the application process within 90 days of the department's request.
(c) The department may close an approved application to receive data if the applicant does not execute the data sharing agreement within 30 days of the department sending the agreement to the applicant for signature.
(2) In the event of a declared emergency, the department may allow a governmental entity to execute a data sharing agreement prior to submitting a formal application. The governmental entity must submit the application by a date designated by the department. The department may waive the requirement for an application or a complete application.
NEW SECTION
WAC 308-10A-806 Consent.
For the purposes of disclosing protected personal information, an individual's authorized legal representative may authorize the disclosure.
NEW SECTION
WAC 308-10A-901 Authorization to request a driving abstract.
(1) When the subject of a driver's abstract must authorize the release of the abstract under RCW 46.52.130, the party requesting the driver's abstract under the terms of a data sharing agreement may use the department's release form, or its own version of the release form provided it contains the information required by federal and state law and by the department. The party requesting the driver's abstract under the terms of a data sharing agreement must verify that its release form is consistent with federal and state law and with department requirements.
(2) If a recipient or subrecipient uses its own version of the release form, the form must not bear the department logo or otherwise indicate it is an official Washington state document.
(3) The release form may be signed in ink or electronically.
(4) A release form must:
(a) Include the name and signature of the person whose record is being requested, or the name and signature of their authorized legal representative.
(b) Include the date the signature was made.
(c) Be signed by the employer or volunteer organization, attesting to:
(i) For employment or prospective employment, that driving is a condition of employment or is otherwise at the direction of the employer, or that the employee or prospective employee handles or will be handling heavy equipment or machinery.
(ii) For volunteering, that the information is necessary for purposes related to driving by the individual at the direction of the volunteer organization.
(iii) For employee or prospective employee releases:
(A) Include a statement that any information contained in the abstract related to an adjudication that is subject to a court order sealing the juvenile record of an employee or prospective employee may not be used by the employer or prospective employer, or an agent authorized to obtain this information on their behalf, unless required by federal regulation or law; and
(B) Provide instructions for how someone can demonstrate that an adjudication contained in the abstract is subject to a court order sealing the juvenile record.
(d) Include the name(s) of the agent(s) authorized to obtain the information on the requestor's behalf.
(e) Include information on where to send the form after it is properly executed.
(5) When the subject of a driver's abstract must authorize the release of the abstract under RCW 46.52.130, the party requesting the driver's abstract under the terms of a data sharing agreement must retain the signed release form for at least six years.
(6) The signed release form may be used for employment or volunteering purposes during the period the subject of the driver's abstract is under continuous employment or volunteering. The employer or volunteering organization must process a new release form for the subject of the driver's abstract when there is a break in continuous employment or volunteering.
(7) For the purposes of prospective employment or volunteering, the release form and the driving record must be disposed of after six months from the date the record was obtained, or as otherwise required by law, if the subject of the driver's abstract is not placed into a position with the employer or volunteer organization that involves driving as a function of the position.
NEW SECTION
WAC 308-10A-902 Data retention and destruction.
(1) The recipient and its subrecipients must adopt data retention and destruction policies that are in keeping with state and federal law including, but not limited to, chapter 19.215 RCW.
(2) Except as otherwise required by law or as provided in a data sharing agreement, protected personal information may be retained only until the permissible use has been fulfilled, and in no case longer than 10 years. Once the permissible use has been fulfilled or the retention period has elapsed, the protected personal information must be destroyed.