BILL REQ. #:  S-1873.1 

READ FIRST TIME 02/22/07.   

     AN ACT Relating to the collection of personally identifiable information by state agencies; and amending RCW 43.105.020 and 43.105.052.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

Sec. 1   RCW 43.105.020 and 2003 c 18 s 2 are each amended to read as follows:
     As used in this chapter, unless the context indicates otherwise, the following definitions shall apply:
     (1) "Department" means the department of information services;
     (2) "Board" means the information services board;
     (3) "Committee" means the state interoperability executive committee;
     (4) "Local governments" includes all municipal and quasi municipal corporations and political subdivisions, and all agencies of such corporations and subdivisions authorized to contract separately;
     (5) "Director" means the director of the department;
     (6) "Purchased services" means services provided by a vendor to accomplish routine, continuing, and necessary functions. This term includes, but is not limited to, services acquired for equipment maintenance and repair, operation of a physical plant, security, computer hardware and software installation and maintenance, telecommunications installation and maintenance, data entry, keypunch services, programming services, and computer time-sharing;
     (7) "Backbone network" means the shared high-density portions of the state's telecommunications transmission facilities. It includes specially conditioned high-speed communications carrier lines, multiplexors, switches associated with such communications lines, and any equipment and software components necessary for management and control of the backbone network;
     (8) "Telecommunications" means the transmission of information by wire, radio, optical cable, electromagnetic, or other means;
     (9) "Information" includes, but is not limited to, data, text, voice, and video;
     (10) "Information processing" means the electronic capture, collection, storage, manipulation, transmission, retrieval, and presentation of information in the form of data, text, voice, or image and includes telecommunications and office automation functions;
     (11) "Information services" means data processing, telecommunications, office automation, and computerized information systems;
     (12) "Equipment" means the machines, devices, and transmission facilities used in information processing, such as computers, word processors, terminals, telephones, wireless communications system facilities, cables, and any physical facility necessary for the operation of such equipment;
     (13) "Information technology portfolio" or "portfolio" means a strategic management process documenting relationships between agency missions and information technology and telecommunications investments;
     (14) "Oversight" means a process of comprehensive risk analysis and management designed to ensure optimum use of information technology resources and telecommunications;
     (15) "Personally identifiable information" means information that can be associated with a particular natural person through one or more identifiers or other information;
     (16) "Official public business" means any legally authorized transaction or communication between a state agency and federal government, another state agency, tribes, or local governments, or between a state agency, tribe, or local government and a private person or entity;
     (17) "Proprietary software" means that software offered for sale or license;
     (((16))) (18) "Video telecommunications" means the electronic interconnection of two or more sites for the purpose of transmitting and/or receiving visual and associated audio information. Video telecommunications shall not include existing public television broadcast stations as currently designated by the department of community, trade, and economic development under chapter 43.330 RCW;
     (((17))) (19) "K-20 educational network board" or "K-20 board" means the K-20 educational network board created in RCW 43.105.800;
     (((18))) (20) "K-20 network technical steering committee" or "committee" means the K-20 network technical steering committee created in RCW 43.105.810;
     (((19))) (21) "K-20 network" means the network established in RCW 43.105.820;
     (((20))) (22) "Educational sectors" means those institutions of higher education, school districts, and educational service districts that use the network for distance education, data transmission, and other uses permitted by the K-20 board.

Sec. 2   RCW 43.105.052 and 2000 c 180 s 1 are each amended to read as follows:
     The department shall:
     (1) Perform all duties and responsibilities the board delegates to the department, including but not limited to:
     (a) The review of agency information technology portfolios and related requests; and
     (b) Implementation of statewide and interagency policies, standards, and guidelines;
     (2) Make available information services to state agencies and local governments and public benefit nonprofit corporations on a full cost-recovery basis. For the purposes of this section "public benefit nonprofit corporation" means a public benefit nonprofit corporation as defined in RCW 24.03.005 that is receiving local, state, or federal funds either directly or through a public agency other than an Indian tribe or political subdivision of another state. These services may include, but are not limited to:
     (a) Telecommunications services for voice, data, and video;
     (b) Mainframe computing services;
     (c) Support for departmental and microcomputer evaluation, installation, and use;
     (d) Equipment acquisition assistance, including leasing, brokering, and establishing master contracts;
     (e) Facilities management services for information technology equipment, equipment repair, and maintenance service;
     (f) Negotiation with local cable companies and local governments to provide for connection to local cable services to allow for access to these public and educational channels in the state;
     (g) Office automation services;
     (h) System development services; and
     (i) Training.
     These services are for discretionary use by customers and customers may elect other alternatives for service if those alternatives are more cost-effective or provide better service. Agencies may be required to use the backbone network portions of the telecommunications services during an initial start-up period not to exceed three years;
     (3) Establish rates and fees for services provided by the department to assure that the services component of the department is self-supporting. A billing rate plan shall be developed for a two-year period to coincide with the budgeting process. The rate plan shall be subject to review at least annually by the customer advisory board. The rate plan shall show the proposed rates by each cost center and will show the components of the rate structure as mutually determined by the department and the customer advisory board. The same rate structure will apply to all user agencies of each cost center. The rate plan and any adjustments to rates shall be approved by the office of financial management. The services component shall not subsidize the operations of the strategic planning and policy component;
     (4) With the advice of the information services board and agencies, develop a state strategic information technology plan and performance reports as required under RCW 43.105.160;
     (5) Develop plans for the department's achievement of statewide goals and objectives set forth in the state strategic information technology plan required under RCW 43.105.160. These plans shall address such services as telecommunications, central and distributed computing, local area networks, office automation, and end user computing. The department shall seek the advice of the customer advisory board and the board in the development of these plans;
     (6) Under direction of the information services board and in collaboration with the department of personnel, and other agencies as may be appropriate, develop training plans and coordinate training programs that are responsive to the needs of agencies;
     (7) Identify opportunities for the effective use of information services and coordinate appropriate responses to those opportunities;
     (8) Assess agencies' projects, acquisitions, plans, information technology portfolios, or overall information processing performance as requested by the board, agencies, the director of financial management, or the legislature. Agencies may be required to reimburse the department for agency-requested reviews;
     (9) Develop planning, budgeting, and expenditure reporting requirements, in conjunction with the office of financial management, for agencies to follow;
     (10) Assist the office of financial management with budgetary and policy review of agency plans for information services;
     (11) Provide staff support from the strategic planning and policy component to the board for:
     (a) Meeting preparation, notices, and minutes;
     (b) Promulgation of policies, standards, and guidelines adopted by the board;
     (c) Supervision of studies and reports requested by the board;
     (d) Conducting reviews and assessments as directed by the board;
     (12) Be the lead agency in coordinating video telecommunications services for all state agencies and develop, pursuant to board policies, standards and common specifications for leased and purchased telecommunications equipment. The department shall not evaluate the merits of school curriculum, higher education course offerings, or other education and training programs proposed for transmission and/or reception using video telecommunications resources. Nothing in this section shall abrogate or abridge the legal responsibilities of licensees of telecommunications facilities as licensed by the federal communication commission on March 27, 1990; ((and))
     (13) Create and maintain a registry of information systems maintained by state agencies that contain personally identifiable information. The registry need not include systems that contain personally identifiable information pertaining solely to public officials acting in their official capacity. The department may require state agencies to provide information necessary to create and maintain the registry. The registry shall contain at least the following information about each information technology system used to conduct official public business:
     (a) The name of the agency responsible for the system;
     (b) The name of the system;
     (c) The number of records stored in the system;
     (d) The United States Code, federal policy, Revised Code of Washington, Washington Administrative Code, Washington state policy, or other requirement, including citations, to collect the information stored in the information technology system;
     (e) The personally identifiable information stored in the system:
     (i) Social security number;
     (ii) Driver's license number;
     (iii) Financial instrument information which includes account or other trackable numbers;
     (iv) Home address;
     (v) Home phone number;
     (vi) E-mail address;
     (vii) Personal identification number;
     (viii) Date of birth;
     (ix) Unique biometric data;
     (x) Bank account number;
     (xi) Credit or debit card numbers; or
     (xii) Any other information that can be used to access an individual's financial accounts;
     (f) The methods by which information is collected or updated;
     (g) The retention schedule; and
     (h) The number of system interfaces; and
     (14) Perform all other matters and things necessary to carry out the purposes and provisions of this chapter.