Privacy for Risk Managers
Here are the privacy and data bills we are tracking in the current WA state legislature
2SB 5376 -- Sec. 8. RISK ASSESSMENTS.
(1) Controllers must conduct, to the extent not previously conducted, a risk assessment of each of their processing activities involving personal data and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers. Such risk assessments must take into account the type of personal data to be processed by the controller, including the extent to which the personal data is sensitive data or otherwise sensitive in nature, and the context in which the personal data is to be processed.
"Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include deidentified data or publicly available information. For these purposes, "publicly available information" means information that is lawfully made available from federal, state, or local government records.
What is Personal Information?
The definition of "personal information" is modified to mean an individual's first name or first initial and last name in combination with one or more of the following data elements:
- Social Security number;
- driver's license number or Washington identification card number;
- account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account;
- full date of birth; a private key that is unique to an individual and that is used to authenticate or sign an electronic record;
- student, military, or passport identification number;
- health insurance policy number or health insurance identification number;
- any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer;
- or biometric data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patters or characteristics that may identify a specific individual.
"Personal information" includes any of the above-listed data elements, alone or in combination, without the consumer's first name or first initial and last name, if encryption has not rendered the data elements unusable and if the data elements would enable a person to commit identity theft against a consumer.
A selection of news stories from around the net, curated by the Privacy Office
Recent and Specific Data Risks
Biometrics - use by agencies
Unless authorized by law, an agency may not collect, capture, purchase, or otherwise obtain a biometric identifier without first providing notice and obtaining the individual's consent ...
"Biometric identifier" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's
- retina or iris scan,
- DNA, or
- scan of hand or
- face geometry
- Law enforcement: general authority Washington law enforcement agencies, as defined under RCW 10.93.020
- Writing samples, written signatures,
- human biological samples used for valid scientific testing or screening,
- demographic data,
- tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color;
- Donated organ tissues or parts [...];
- Information captured from a patient in a health care setting [...];
- X-ray / MRI / PET scans
- ... upon [an] agency providing prompt written notice to the state's chief privacy officer and to the appropriate committees of the legislature...
An agency that collects, purchases, or otherwise obtains biometric identifiers must:
- Establish security policies [...];
- Address biometric identifiers in the agency's privacy policies;
- Provide notice and obtain the individual's consent;
- Never sell biometrics;
- Never disclose in public records;
- Retain consent as long as the identifier
- Only retain biometric identifiers necessary to fulfill the original purpose and use [...];
- Set record retention schedules tailored to the original purpose of the collection of biometric identifiers;
- Minimize retention and review;
- Have a biometrics policy and review it annually.
The following employment and licensing information is exempt from public inspection and copying:
... global positioning system data that would indicate the location of the residence of a public employee or volunteer using the global positioning system recording device.
Many modern devices contain GPS functionalities and allow applications to track your location, but it's more than just "where you are" - if you know both "where" and "when" you can map a person's habits, highway speed, kids' school, favorite bank branch, etc. Be sure to review the GPS location options in your device to ensure you minimize volunteering your location information.
Many mobile phones are configured by default to embed "geotags" in the EXIF information for every photo
- this can be disabled by IT staff
- BYOD devices remain at risk
Most passenger vehicles built since 2010 include GPS trackers that can assist in finding stolen vehicles. Most fleet operators add specific vehicle trackers for route planning and reporting.
- Transporatation officers should avoid install tracker devices
Most wifi routers include an optional field to record the location of the home.
Unlikely to be recorded by state equipment, but teleworkers should be cautious.