H-1150.2
HOUSE BILL 1717
| | |
State of Washington | 65th Legislature | 2017 Regular Session |
By Representatives Smith, Morris, Harmsworth, DeBolt, Hudgins, Van Werven, Santos, and Stanford
Read first time 01/26/17. Referred to Committee on Technology & Economic Development.
AN ACT Relating to state agency collection, use, and retention of biometric identifiers; and adding a new chapter to Title
40 RCW.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION. Sec. 1. The legislature finds that the collection and use of personal information has been a practice of virtually all state agencies and programs. Advances in technology have given rise to new forms of data, such as email and internet protocol (IP) addresses, which can be easily collected and stored along with traditional types of data such as names and dates of birth. One new form of personally identifiable information is biometric identifiers. The unique nature of this new type of personal data calls for additional guidance regarding its use by state agencies.
NEW SECTION. Sec. 2. (1) An agency may not collect, capture, purchase, or otherwise obtain a biometric identifier without first providing notice and obtaining the individual's consent, as follows:
(a) The notice provided must clearly specify the purpose and use of the biometric identifier; and
(b) The consent obtained must be specific to the terms of the notice, and must be recorded and maintained by the agency for the duration of the retention of the biometric identifier.
(2) Any biometric identifier obtained by an agency:
(a) May not be sold;
(b) May only be used consistent with the terms of the notice and consent obtained under subsection (1) of this section; and
(c) May be shared, including with other state agencies or local governments, only:
(i) As needed to execute the purposes of the collection, consistent with the notice and consent obtained under subsection (1) of this section; or
(ii) If such sharing is specified within the original consent.
(3) An agency that collects, purchases, or otherwise obtains biometric identifiers must:
(a) Establish security policies that ensure the integrity and appropriate confidentiality of the biometric identifiers;
(b) Address biometric identifiers in the agency's privacy policies;
(c) Only retain biometric identifiers necessary to fulfill the original purpose and use, as specified in the notice and consent obtained under subsection (1) of this section;
(d) Set record retention schedules tailored to the original purpose of the collection of biometric identifiers; and
(e) Otherwise minimize the review and retention of the biometric identifiers, consistent with state record retention requirements.
(4) The use and storage of biometric identifiers obtained by an agency must comply with all other applicable state and federal laws and regulations, including the health insurance portability and accountability act (HIPAA), the family educational rights and privacy act (FERPA), regulations regarding data breach notifications and individual privacy protections, and any policies or standards published by the office of the chief information officer.
(5) Biometric identifiers used or retained by an agency may not be disclosed under the public records act, chapter
42.56 RCW.
(6) Agency policies, regulations, guidance, and retention schedules regarding biometric identifiers must be reviewed annually to incorporate any new technology, as appropriate, and respond to citizen complaints.
(7) The following definitions apply for purposes of this section:
(a) "Agency" means every state office, department, division, bureau, board, commission, or other state agency, except that it does not include a general authority Washington law enforcement agency.
(b) "Biometric identifier" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, except when such information is derived from:
(i) Writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color;
(ii) Donated organ tissues or parts, or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency;
(iii) Information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal health insurance portability and accountability act of 1996; or
(iv) X-ray, roentgen process, computed tomography, magnetic resonance imaging (MRI), positron emission tomography (PET) scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
(c) "General authority Washington law enforcement agency" has the definition given in RCW
10.93.020.
NEW SECTION. Sec. 3. Sections 1 and 2 of this act constitute a new chapter in Title 40 RCW. --- END ---