Privacy for Risk Managers
Recent and Specific Data Risks
Biometrics - use by agencies
Unless authorized by law, an agency may not collect, capture, purchase, or otherwise obtain a biometric identifier without first providing notice and obtaining the individual's consent ...
"Biometric identifier" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's
- retina or iris scan,
- DNA, or
- scan of hand or face geometry
- Law enforcement: general authority Washington law enforcement agencies, as defined under RCW 10.93.020
- Writing samples, written signatures,
- human biological samples used for valid scientific testing or screening,
- demographic data,
- tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color;
- Donated organ tissues or parts [...];
- Information captured from a patient in a health care setting [...];
- X-ray / MRI / PET scans
- ... upon [an] agency providing prompt written notice to the state's chief privacy officer and to the appropriate committees of the legislature...
An agency that collects, purchases, or otherwise obtains biometric identifiers must:
- Establish security policies [...];
- Address biometric identifiers in the agency's privacy policies;
- Provide notice and obtain the individual's consent;
- Never sell biometrics;
- Never disclose in public records;
- Retain consent as long as the identifier
- Only retain biometric identifiers necessary to fulfill the original purpose and use [...];
- Set record retention schedules tailored to the original purpose of the collection of biometric identifiers;
- Minimize retention and review;
- Have a biometrics policy and review it annually.
The following employment and licensing information is exempt from public inspection and copying:
... global positioning system data that would indicate the location of the residence of a public employee or volunteer using the global positioning system recording device.
Many modern devices contain GPS functionalities and allow applications to track your location, but it's more than just "where you are" - if you know both "where" and "when" you can map a person's habits, highway speed, kids' school, favorite bank branch, etc. Be sure to review the GPS location options in your device to ensure you minimize volunteering your location information.
Many mobile phones are configured by default to embed "geotags" in the EXIF information for every photo
- this can be disabled by IT staff
- BYOD devices remain at risk
Most passenger vehicles built since 2010 include GPS trackers that can assist in finding stolen vehicles. Most fleet operators add specific vehicle trackers for route planning and reporting.
- Transportation officers should avoid installing tracker devices
Most Wi-Fi routers include an optional field to record the location of the home.
Unlikely to be recorded by state equipment, but teleworkers should be cautious.
A selection of news stories from around the net, curated by the Privacy Office
Here are the privacy and data bills we are tracking in the current WA state legislature