SENATE BILL REPORT
SSB 5869
This analysis was prepared by non-partisan legislative staff for the use of legislative members in
their deliberations. This analysis is not a part of the legislation nor does it constitute a
statement of legislative intent.
As Passed Senate, February 15, 2008
Title: An act relating to the collection of personally identifiable information by state agencies.
Brief Description: Monitoring personal information collected by state agencies.
Sponsors: Senate Committee on Government Operations & Elections (originally sponsored by Senators Kline, Fairley, Franklin and Keiser).
Brief History:
Committee Activity: Government Operations & Elections: 2/12/07, 2/19/07 [DPS].
Passed Senate: 3/14/07, 49-0; 2/15/08, 49-0.
SENATE COMMITTEE ON GOVERNMENT OPERATIONS & ELECTIONS
Majority Report: That Substitute Senate Bill No. 5869 be substituted therefor, and the substitute bill do pass. Signed by Senators Fairley, Chair; Oemig, Vice Chair; Roach, Ranking Minority Member; Benton, Kline, Pridemore and Swecker.
Staff: Sharon Swanson (786-7447)
Background: The Department of Information Services (Department) was created to provide
coordinated planning and management of state information services. The Washington State
Information Services Board (Board) was created to provide direction to state agencies on strategic
planning and technical policies for information services, to develop acquisition standards, and to
assist agencies in acquiring and implementing information services.
The Department's duties include reviewing agency information technology portfolios;
implementing statewide and interagency policies, standards, and guidelines; making information
services available to state agencies, local governments, and public benefit nonprofit corporations
on a full cost-recovery basis; establishing rates and fees for services provided by the Department;
and performing all duties delegated to it by the Board.
Summary of Substitute Bill: The Department of Information Services (Department) must create
and maintain a registry of information systems maintained by state agencies that contain
personally identifiable information.
The registry must contain at least the following information about each information technology
system used to conduct official public business:
The registry is not required to include systems that contain personally identifiable information
pertaining solely to public officials acting in their official capacity.
Personally identifiable information is defined as information that can be associated with a
particular natural person through one or more identifiers or other information.
Official public business is defined as any legally authorized transaction or communication
between a state agency and federal government, another state agency, tribes, or local
governments, or between a state agency, tribe, or local government and a private person or entity.
Appropriation: None.
Fiscal Note: Available.
Committee/Commission/Task Force Created: No.
Effective Date: Ninety days after adjournment of session in which bill is passed.
Staff Summary of Public Testimony on Proposed Substitute Bill: PRO: This bill will help
protect the personal information that is collected by state agencies by collecting information on
information that is gathered unnecessarily or is duplicative. The bill is an attempt to understand
why government collects the information that it does about individuals. If government needs the
information it collects, then that is fine. If not, then the government should not collect the
information. The computer security personnel at the Department of Information Services have
reviewed the bill and seem satisfied with the drafting.
OTHER: While this bill is a good idea, there is a concern that the listing of the agencies and the
data that they collect is privileged and is not disclosable. The public should have access to this
information. What if a citizen wanted to know if a public agency was releasing or selling his or
her private information? The information is now disclosable if you go to each individual agency;
why would it not be disclosable just because it is kept on one databank? There is an additional
concern that placing all of this information in one location creates a target for hackers. Exactly
what information is it that we are getting that we don't need? The vast majority of information
that is collected is voluntary.
Persons Testifying: PRO: Senator Kline, prime sponsor; Tamara Jones, Department of
Information Systems.
OTHER: Rowland Thompson, Allied Daily Newspapers; Randy Hodgins, University of
Washington.