SENATE BILL REPORT
SB 5834
As of January 25, 2022
Title: An act relating to implementing enterprise-wide technology policies in state government to ensure consistency, security, and responsible use of data.
Brief Description: Implementing enterprise-wide technology policies in state government to ensure consistency, security, and responsible use of data.
Sponsors: Senators Carlyle, Frockt, Nguyen and Stanford.
Brief History:
Committee Activity: Environment, Energy & Technology: 1/25/22.
Brief Summary of Bill
  • Authorizes and requires the Office of Privacy and Data Protection (OPDP) to establish privacy principles and best practices by July 31, 2022.
  • Requires state agencies, except as provided, to adopt OPDP-established privacy principles and best practices by July 1, 2023.
SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY
Staff: Angela Kleis (786-7469)
Background:

Overview State Information Technology Organization.  The Consolidated Technology Services Agency, also known as Washington Technology Solutions (WaTech), supports state agencies as a centralized provider and procurer of information technology (IT) services.  Within WaTech, the Office of the Chief Information Officer (OCIO) has primary duties related to IT services, which include developing statewide standards and policies, and establishing policies for periodic review.
 
State Privacy Office.  Within the OCIO, the Office of Privacy and Data Protection (OPDP) serves as a central point of contact for state agencies on policy matters involving data privacy and data protection.  The OPDP also serves as a resource to local governments and the public on data privacy and protection concerns.  Statutory primary duties of the OPDP with respect to state agencies include articulating privacy principles and best practices and coordinating data protection in cooperation with WaTech.

 
Privacy Principles.  The current privacy principles articulated by the OPDP include:

  • lawful, fair, and responsible use;
  • data minimization;
  • purpose limitation;
  • transparency and accountability;
  • due diligence;
  • individual participation; and
  • security.
Summary of Bill:

Additional Specified Statutory Duties.  The OCIO, in coordination with the OPDP, must establish privacy policies for periodic review.  The OPDP must establish privacy principles and best practices.
 
Privacy Principles and Best Practices.  By July 31, 2022, the OPDP must establish privacy principles and best practices.

Beginning July 1, 2023, except as provided, each state agency must adopt the privacy principles and best practices established by the OPDP through its policies and procedures.  Each state agency must annually review such policies and procedures to ensure they are current.
 
A state agency with a requirement that prevents it from complying with this act must receive a waiver from the OPDP.  Waivers must cite specific requirements for needing a waiver, including an estimate of how much additional time is needed and what specific resources would assist the state agency in complying.  The OPDP must assist state agencies in complying with this act.
 
Exemption.  This act does not apply to institutions of higher education.

Appropriation: None.
Fiscal Note: Available.
Creates Committee/Commission/Task Force that includes Legislative members: No.
Effective Date: Ninety days after adjournment of session in which bill is passed.
Staff Summary of Public Testimony:

PRO:  This bill is an attempt to elevate the issue that the public sector has the fiduciary obligation to manage, track, and protect the public's data.  Recent data breaches have demonstrated that Washington State needs to do a better job of securing the public's data.

OTHER:  This bill supports the privacy initiatives of the state's privacy office and would help further the maturity of privacy programs across the state's enterprise.  However, we would need additional resources to implement the provisions in the bill.

Persons Testifying: PRO: Senator Reuven Carlyle, Prime Sponsor.
OTHER: Derek Puckett, Consolidated Technology Services (WaTech).
Persons Signed In To Testify But Not Testifying: No one.