SENATE BILL REPORT

SHB 1717

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As of March 15, 2017

Title: An act relating to state agency collection, use, and retention of biometric identifiers.

Brief Description: Concerning state agency collection, use, and retention of biometric identifiers.

Sponsors: House Committee on Technology & Economic Development (originally sponsored by Representatives Smith, Morris, Harmsworth, DeBolt, Hudgins, Van Werven, Santos and Stanford).

Brief History: Passed House: 3/02/17, 97-1.

Committee Activity: State Government: 3/15/17.

Brief Summary of Bill

Prohibits an agency from obtaining a biometric identifier without notice and consent.
Prohibits an agency from selling a biometric identifier.
Restricts and requires specific agency policies concerning the use, sharing, review, and retention of biometric identifiers.
Prohibits agency disclosure of biometric identifiers under the Public Records Act.

SENATE COMMITTEE ON STATE GOVERNMENT

Staff: Samuel Brown (786-7470)

Background: Biometrics. The terms biometric data, biometric information, or biometric identifier variously refer to measurable biological or behavioral characteristics unique to an individual. Biometrics may be used for identification and authentication purposes, such as unlocking a device or authorizing a payment, and to gather personal characteristics for customizing services or information, such as in advertising. There is no federal or Washington law that specifically regulates the collection or use of biometric data.

Data Breach Laws. Agencies are required to notify possibly affected persons when security is breached and personal information is, or is reasonably believed to have been, acquired by an unauthorized person. Disclosure is not required if a breach is not reasonably likely to subject customers to a risk of harm. An individual injured by a violation of these laws may bring a civil action to recover damages and seek an injunction.

Personal information is defined as an individual's first name or first initial and last name, in combination with any of the following data elements:

Social Security Number;
driver's license or Washington identification card number; or
account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual's financial account.

Publicly available information that is lawfully made available to the general public from federal, state, or local government records is not considered personal information for these purposes.

Public Records Laws. Under the Public Records Act (PRA), all state and local agencies must disclose public records upon request unless the records fall within a specific statutory exemption. The PRA applies to all records, regardless of physical form or characteristics.

Agency record retention requirements are independent from record disclosure requirements. State and local agencies must retain records according to specific schedules. The Office of the Secretary of State sets a general schedule for categories of records common to many agencies, and some agencies set additional schedules for records specific to that agency's functions.

Summary of Bill: Biometric Identifiers. Biometric identifier is defined as any information, regardless of how it is captured, converted, stored, or shared, based on an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Certain information is excluded from this definition, including information derived from the following:

written samples, photographs, or physical descriptions such as height or eye color;
donated organ parts, blood, or serum;
information captured in a health care setting; or
images or film used to diagnose or treat a medical condition or validate a scientific screening, such as X-rays.

Agency Responsibilities. State agency responsibilities with regard to biometric identifiers are modified, although the provisions of the act do not apply to law enforcement agencies.

Agencies are prohibited from obtaining a biometric identifier without first providing specific notice and obtaining specific consent. Agencies are prohibited from selling biometric identifiers. An agency may only use a biometric identifier consistent with the terms of the notice and consent. An agency may only share the identifier to execute its collection, consistent with the notice and consent, or if sharing is specified in the original consent. Biometric identifiers may not be disclosed by any agency, including a law enforcement agency, in response to a PRA request.

An agency that obtains biometric identifiers must:

establish security policies that ensure the integrity and confidentiality of the identifiers;

address the identifiers in privacy policies;
tailor retention schedules to the purpose of collecting the identifiers;
only retain the identifiers necessary to fulfill the original purpose and use;
otherwise minimize the review and retention of the identifiers;
design a policy to minimize the collection of biometric identifiers; and
comply with all other applicable state and federal laws and regulations.

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.

Staff Summary of Public Testimony: PRO: This legislation responds to constituent concerns about their biometric data and its collection by public entities. It codifies the best practices used by agencies in statute, and makes sure the public knows biometric data will not be used without consent.

Persons Testifying: PRO: Representative Norma Smith, Prime Sponsor.

Persons Signed In To Testify But Not Testifying: No one.