HOUSE BILL REPORT
HB 1717
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
As Reported by House Committee On:
Technology & Economic Development
Title: An act relating to state agency collection, use, and retention of biometric identifiers.
Brief Description: Concerning state agency collection, use, and retention of biometric identifiers.
Sponsors: Representatives Smith, Morris, Harmsworth, DeBolt, Hudgins, Van Werven, Santos and Stanford.
Brief History:
Committee Activity:
Technology & Economic Development: 2/7/17, 2/14/17 [DPS].
Brief Summary of Substitute Bill
HOUSE COMMITTEE ON TECHNOLOGY & ECONOMIC DEVELOPMENT
Majority Report: The substitute bill be substituted therefor and the substitute bill do pass. Signed by 15 members: Representatives Kloba, Vice Chair; Tarleton, Vice Chair; Smith, Ranking Minority Member; Doglio, Fey, Harmsworth, Hudgins, Manweller, McDonald, Nealey, Santos, Slatter, Steele, Wylie and Young.
Staff: Lily Smith (786-7175).
Background:
Biometrics.
The terms "biometric data," "biometric information," or "biometric identifier" variously refer to measurable biological or behavioral characteristics unique to an individual. Biometrics may be used for identification and authentication purposes, such as unlocking a device or authorizing a payment. They may also be used to gather personal characteristics for customizing services or information, such as in advertising.
Regulation.
There is no federal or Washington law that specifically regulates the collection or use of biometric data.
In 2012 the Federal Trade Commission released recommended best practices for companies that use facial recognition technologies. The three major principles of the best practices are:
privacy by design;
simplified choice; and
greater transparency.
State Security Breach Laws.
Agencies are required to notify possibly affected persons when security is breached and personal information is (or is reasonably believed to have been) acquired by an unauthorized person. Disclosure is not required if a breach is not reasonably likely to subject customers to a risk of harm. An individual injured by a violation of these laws may bring a civil action to recover damages and seek an injunction.
Under the security breach law, personal information is defined as an individual's first name or first initial and last name, in combination with any one or more of the following data elements:
Social Security number;
driver license number or Washington identification card number; or
account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual's financial account.
It does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
State Records Laws.
Under the Public Records Act (PRA), all state and local agencies must disclose public records upon request unless the records fall within a specific exemption, which may be within the PRA itself or as provided in another statute. The PRA is technology-neutral, in that it applies to records "regardless of physical form or characteristics."
Agency record retention requirements are independent from record disclosure requirements. State and local agencies must keep and then dispose of records according to specific "schedules." The Office of the Secretary of State sets a general schedule for categories of records common to many agencies. Some agencies set additional schedules to apply to records more specific to that agency's functions.
–––––––––––––––––––––––––––––––––
Summary of Substitute Bill:
An agency is prohibited from obtaining a biometric identifier without first:
providing notice that clearly specifies the purpose and use of the identifier; and
obtaining consent specific to the terms of the notice.
An agency is prohibited from selling a biometric identifier.
An agency may only use a biometric identifier consistent with the terms of the notice and consent, and may only share the identifier under the following circumstances:
to execute the purposes of the collection, consistent with the notice and consent; or
if sharing is specified in the original consent.
An agency that obtains biometric identifiers must:
establish security policies that ensure the integrity and confidentiality of the identifiers;
address the identifiers in privacy policies;
tailor retention schedules to the purpose of collecting the identifiers;
only retain the identifiers necessary to fulfill the original purpose and use;
otherwise minimize the review and retention of the identifiers; and
design a biometric policy to minimize the collection of biometric identifiers.
Biometric identifiers may not be disclosed under the PRA.
"Agency" is defined as every state office, department, division, bureau, board, commission, or other state agency, but does not include a general-authority Washington law enforcement agency.
"Biometric identifier" is defined as any information, regardless of how it is captured, converted, stored, or shared, based on an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. There are a number of specific types of information excluded from this definition, including, but not limited to, information derived from the following:
written samples, photographs, or physical descriptions such as height or eye color;
donated organ parts, blood, or serum;
information captured in a health care setting; or
image or film used to diagnose or treat a medical condition or validate a scientific screening.
Substitute Bill Compared to Original Bill:
The prohibition on disclosing biometric identifiers under the PRA is extended to general-authority Washington law enforcement agencies. Agencies are required to create a policy that ensures the agency is minimizing the collection of biometric identifiers to the fewest possible to accomplish the agency mission.
–––––––––––––––––––––––––––––––––
Appropriation: None.
Fiscal Note: Available.
Effective Date of Substitute Bill: The bill takes effect 90 days after adjournment of the session in which the bill is passed.
Staff Summary of Public Testimony:
(In support) This bill is specific to public agencies and provides a construct for them to know the rules regarding Washingtonians' data. It is critically important to the people served by the Legislature.
(Opposed) None.
(Other) Though the bill is directed at public agencies, it would also apply to companies doing business with the state. The definition of "biometric identifier" differs from House Bill 1493 and consistency is a concern.
Persons Testifying: (In support) Representative Smith, prime sponsor.
(Other) Joanie Deutsch, TechNet; and Bob Battles, Association of Washington Business.
Persons Signed In To Testify But Not Testifying: None.