(1) The employment security department shall designate an agency privacy officer to oversee the administration of this chapter and chapter
50A.25 RCW. In coordination with the state office of privacy and data protection, the agency privacy officer must:
(a) Develop an agency personal information minimization policy to reduce the use and retention of personal information wherever possible;
(b) Create a work plan that includes the estimated costs of execution for the following:
(i) An inventory of all personal information prepared, owned, used, or retained by the employment security department, that would include the specific type of information, the purpose for its collection, and the extent to which the information is protected from unauthorized access; and
(ii) A map of the physical or digital location of all personal information collected by the employment security department, indexed to the inventory created in (b)(i) of this subsection; and
(c) Report the work plan created under (b) of this subsection to the state office of privacy and data protection annually.
(2) Any inventory or data map records created under subsection (1)(b) of this section that reveal the location of personal information or the extent to which it is protected may not be disclosed under the public records act, chapter
42.56 RCW.
(3) On December 1st of each odd-numbered year, the employment security department must report to the governor and the legislature on the implementation and maintenance of this section, including best practices and recommendations for developing and implementing the employment security department's policy and plan under this section.
(4) For purposes of this section, "personal information" means any information obtained by the employment security department deemed private and confidential under this chapter and chapter
50A.25 RCW.