Privacy for Risk Managers

Will Saunders
Open Data Guy, State of Washington Office of Privacy & Data Protection
Will Saunders leads the State of Washington's Open Data program in the Office of Privacy and Data Protection. He has worked on communications and technology issues for the state since 2005, including telephone regulation, broadband, economic development, central services management, data governance and technology assessment.
Alex Alben
Chief Privacy Officer, State of Washington Office of Privacy & Data Protection
Alex Alben is Washington State’s first Chief Privacy Officer, an office created by the state legislature in March of 2015. He coordinates privacy and data policy for the state and consults with the Governor and Legislature on technology issues impacting citizen privacy.

Recent and Specific Data Risks

Biometrics - use by agencies

Unless authorized by law, an agency may not collect, capture, purchase, or otherwise obtain a biometric identifier without first providing notice and obtaining the individual's consent ...

Biometrics defined:

"Biometric identifier" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's
  • retina or iris scan,
  • fingerprint,
  • voiceprint,
  • DNA, or
  • scan of hand or face geometry

Exceptions:

  • Law enforcement: general authority Washington law enforcement agencies, as defined under RCW 10.93.020
  • Writing samples, written signatures,
  • photographs,
  • human biological samples used for valid scientific testing or screening,
  • demographic data,
  • tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color;
  • Donated organ tissues or parts [...];
  • Information captured from a patient in a health care setting [...];
  • X-ray / MRI / PET scans
  • ... upon [an] agency providing prompt written notice to the state's chief privacy officer and to the appropriate committees of the legislature...

Compliance:

An agency that collects, purchases, or otherwise obtains biometric identifiers must:
  • Establish security policies [...];
  • Address biometric identifiers in the agency's privacy policies;
  • Provide notice and obtain the individual's consent;
  • Never sell biometrics;
  • Never disclose in public records;
  • Retain consent as long as the identifier
  • Only retain biometric identifiers necessary to fulfill the original purpose and use [...];
  • Set record retention schedules tailored to the original purpose of the collection of biometric identifiers;
  • Minimize retention and review;
  • Have a biometrics policy and review it annually.
Location privacy

The following employment and licensing information is exempt from public inspection and copying:
... global positioning system data that would indicate the location of the residence of a public employee or volunteer using the global positioning system recording device.

Many modern devices contain GPS functionalities and allow applications to track your location, but it's more than just "where you are" - if you know both "where" and "when" you can map a person's habits, highway speed, kids' school, favorite bank branch, etc. Be sure to review the GPS location options in your device to ensure you minimize volunteering your location information.

Mobile Phones

Many mobile phones are configured by default to embed "geotags" in the EXIF information for every photo
  • this can be disabled by IT staff
  • BYOD devices remain at risk

Vehicle telematics

Most passenger vehicles built since 2010 include GPS trackers that can assist in finding stolen vehicles. Most fleet operators add specific vehicle trackers for route planning and reporting.
  • Transportation officers should avoid installing tracker devices

Home WIFI

Most wifi routers include an optional field to record the location of the home.
Unlikely to be recorded by state equipment, but teleworkers should be cautious.