EXECUTIVE ORDER
PREAMBLE
I am a strong believer in open government and the people's right
to know. The very existence of our democracy depends on the
fundamental principles embodied in our laws ensuring that we
never have secret government. People must be able to trust their
government.
There is a critical distinction, however, between public
information and private personal information that happens to be
held by the government or a business. Simply because certain
personal information is in the hands of a third party does not
mean that it should be made public or available to anybody
willing to pay for it. A taxpayer's sensitive tax information
has never been subject to public scrutiny. Nor do citizens
expect that their health records, bank account, or credit card
numbers will be open for inspection or available to others.
Unfortunately, as citizens, our expectations may exceed the
privacy protections provided in law and the practices and
policies established by the private sector and public agencies to
protect personal information. The information age has created an
urgent need for the custodians of data to exercise special care
in safeguarding that information.
With this executive order, it is my intent to ensure that state
agencies comply fully with state public disclosure and open
government laws, while protecting personal information to the
maximum extent possible by:
• Placing the government of Washington state at the forefront in protecting the personal information of its citizens;
• Minimizing as much as possible the collection, retention, and release of personal information by the state;
• Prohibiting the unauthorized sale of citizens' personal information by state government;
• Providing citizens with broad opportunities to know what personal information about them the state holds, and to review and correct that information; and
• Making certain that businesses that contract with the state use personal information only for the contract purposes and cannot keep or sell the information for other purposes - and that those who violate this trust are held accountable.
WHEREAS, an increasing number of citizens are concerned that
personal information held by the state might be used
inappropriately, that unauthorized people may have access to it,
and that some information may be inaccurate, incomplete, or
unnecessary.
WHEREAS, citizens have a right to know how information about them
is handled by state agencies and the extent to which that
information may be disclosed or kept confidential under the law.
WHEREAS, many state agencies collect, maintain, and dispose of
public records that contain highly confidential and sensitive
personal information that must be carefully safeguarded. These
records contain sensitive and private health, financial,
business, or other personally identifiable information. Their
inadvertent release, careless storage, or improper disposal could
result in embarrassment or harm to individuals and potential
liability for the state.
WHEREAS, state agencies have an obligation to protect personal
information about citizens, as required by law. They must
exercise particular care in protecting records containing
sensitive and private health, financial, and other personally
identifiable information about individuals, such as social
security numbers.
WHEREAS, the purpose of this executive order is to direct state
agencies, as responsible information custodians, to institute
additional privacy protections for personal information and to
ensure that people who supply personal information to state
agencies know how it will be handled and protected under state
law.
I HEREBY ORDER as follows:
For purposes of this executive order, "personal information"
means information collected by a state agency about a natural
person that is readily identifiable to that specific individual.
1. Protecting the Confidentiality of Sensitive Personal
Information. Each state agency shall immediately establish
procedures and practices for the handling and disposal of
public records and copies to provide reasonable assurances
that those containing confidential personal information are
properly safeguarded.
2. Protecting Social Security Numbers and other Sensitive
Personal Identifiers. To the extent practicable, each state
agency shall eliminate the use of Social Security numbers
and other sensitive personal and financial identifying
numbers from documents that may be subject to public
scrutiny. Each state agency shall also take steps designed
reasonably to ensure that appropriate personnel are aware of
the new confidentiality requirement under Ch. 56, Laws of
2000, for credit card and debit card numbers, electronic
check numbers, card expiration dates, and other financial
account numbers connected with the electronic transfer of
funds.
3. Prohibiting the Sale of Personal Information. Except as
otherwise provided by law, state agencies may not sell
personal information that they collect from the public or
obtain from other public or private entities.
4. Limitation on Collection and Retention of Personal
Information. State agencies shall limit the collection of
personal information to that reasonably necessary for
purposes of program implementation, authentication of
identity, security, and other legally appropriate agency
operations. Agencies shall examine their record retention
schedules and retain personal information only as long as
needed to carry out the purpose for which it was originally
collected, or the minimum period required by law.
5. Protection of Personal Information used by Contractors.
State agencies that enter into contracts or data sharing
agreements with private entities and other governments that
involve the use of personal information collected by the
agencies shall provide in those contracts that the
information may be used solely for the purposes of the
contract and shall not be shared with, transferred, or sold
to unauthorized third parties. A state agency that receives
personal information from another state agency must protect
it in the same manner as the original agency that collected
the information. Each state agency shall establish
reasonable procedures to review, monitor, audit, or
investigate the use of personal information by contractors,
including, when appropriate, the "salting" of databases to
detect unauthorized use, sale, sharing, or transfer of data.
Contractual provisions related to breach of the privacy
protection of state contracts or agreements shall include,
as appropriate, return of all personal information,
termination, indemnification of the state, provisions to
hold the state harmless, monetary or other sanctions,
debarment, or other appropriate ways to maximize protection
of citizens' personal information.
6. Prohibiting the Release of Lists of Individuals for
Commercial Purposes. RCW 42.17.260 prohibits public
agencies from giving, selling, or allowing the inspection of
lists of individuals, unless specifically authorized or
directed by law, if the requester intends to use the
information for commercial purposes. The Attorney General
in AGO 1998 No. 2 has interpreted "commercial purposes"
broadly and has not limited those purposes only to
situations in which individuals are contacted for commercial
solicitation. For that reason, unless specifically
authorized or directed by law, state agencies shall not
release lists of individuals if it is known that the
requester plans to use the lists for any commercial purpose,
which includes any profit expecting business activity.
7. Internet Privacy Policies. Within 30 days of the effective
date of this executive order, the Department of Information
Services shall, in consultation with other state agencies
and affected constituency groups as appropriate, develop a
clear and concise model privacy policy for use by state
agencies that operate an Internet web site. The privacy
policy shall contain at least the following elements: a)
the manner in which the personal information is collected;
b) the intended uses of the information; c) a brief
description of the laws relating to the disclosure and
confidentiality of the information with a link to the state
public records act and other laws, as appropriate; d)
information on the purpose and anticipated effects of the
web site's data security practices; e) the consequences of
providing or withholding information; f) the agency's
procedures for accessing personal information, verifying its
accuracy, and making corrections; g) the method by which an
individual may make a request or provide notice to the
agency concerning the use or misuse of a person's personal
information; and h) how the agency may be contacted. Within
60 days of the completion of the model policy, each state
agency that operates an Internet web site shall, after
consultation with affected constituency groups, adopt the
model policy, modified to the minimum extent necessary to
address practical and legal considerations specific to that
agency. Links to agency privacy policies should be located
prominently on each agency's web site home page and on any
other page where personal information is collected.
8. Notification and Correction. Each state agency that
collects personal information shall, to the extent
practicable, provide notice to the public at the point of
collection that the law may require disclosure of the
information as a public record. Upon request, state
agencies shall provide a written statement generally
identifying a) the known circumstances under which personal
information in public records may be disclosed, and b) the
agency's procedures for individuals to review their personal
information and recommend corrections to information that
they believe to be inaccurate or incomplete. This notice
and statement may be included in an agency privacy policy,
as specified in item 7 above.
9. Citizen Complaints and Oversight. Citizen complaints,
questions, or recommendations regarding the implementation
of this executive order or the collection and use of
personal information by state agencies shall be submitted to
the agency that is the custodian or collector of the
information. Each agency shall designate a person to handle
complaints, questions or recommendations from, and provide
information to, the public regarding the collection and use
of personal information and the agency's privacy policies.
I will designate a person within the Governor's office to
monitor and oversee the administration of this executive
order and to serve as a point of contact for complaints from
the public not addressed by an agency.
10. Miscellaneous. Nothing in this executive order shall be construed to prohibit or otherwise impair a lawful investigative or protective activity undertaken by or on behalf of the state. This order does not create any right or benefit, substantive or procedural, at law or in equity, that may be asserted against the state, its officers or employees, or any other person. It prohibits the release of public records only to the extent allowable under law. State agencies shall, in all cases, comply with applicable law. This order is intended only to improve the internal management of the executive branch and enhance compliance with the law. The Governor may grant exceptions to the requirements of this executive order if an agency can demonstrate that strict compliance results in excessive and unreasonable administrative burdens or interferes with effective administration of the law.
IN WITNESS THEREOF, I have hereunto set my hand and caused the Seal of the State of Washington to be affixed at Olympia on this 25th day of April, A.D., Two-Thousand.
Gary Locke
Governor of Washington
BY THE GOVERNOR:
Deputy Secretary of State