WHEREAS, Citizens of the state of Washington are gravely concerned about their privacy, and that concern is well founded. As the Internet comes of age, we are experiencing an explosion in the growth of commercial and government electronic databases that contain highly sensitive personal information about individuals. The businesses and governments that control those databases must be responsible. It is state government’s added responsibility to protect the personal privacy rights of Washington’s citizens and lead the private sector by example and by law.

I am a strong believer in open government and the people's right to know. The very existence of our democracy depends on the fundamental principles embodied in our laws ensuring that we never have secret government. People must be able to trust their government.

There is a critical distinction, however, between public information and private personal information that happens to be held by the government or a business. Simply because certain personal information is in the hands of a third party does not mean that it should be made public or available to anybody willing to pay for it. A taxpayer’s sensitive tax information has never been subject to public scrutiny. Nor do citizens expect that their health records, bank account, or credit card numbers will be open for inspection or available to others.

Unfortunately, as citizens, our expectations may exceed the privacy protections provided in law and the practices and policies established by the private sector and public agencies to protect personal information. The information age has created an urgent need for the custodians of data to exercise special care in safeguarding that information.

With this executive order, it is my intent to ensure that state agencies comply fully with state public disclosure and open government laws, while protecting personal information to the maximum extent possible by:

NOW THEREFORE, I, Gary Locke, Governor of the State of Washington, declare my commitment to strengthen privacy protections for personal information held by state agencies, and to the principles of open government and the people's right to know.

WHEREAS, an increasing number of citizens are concerned that personal information held by the state might be used inappropriately, that unauthorized people may have access to it, and that some information may be inaccurate, incomplete, or unnecessary.

WHEREAS, citizens have a right to know how information about them is handled by state agencies and the extent to which that information may be disclosed or kept confidential under the law.

WHEREAS, many state agencies collect, maintain, and dispose of public records that contain highly confidential and sensitive personal information that must be carefully safeguarded. These records contain sensitive and private health, financial, business, or other personally identifiable information. Their inadvertent release, careless storage, or improper disposal could result in embarrassment or harm to individuals and potential liability for the state.

WHEREAS, state agencies have an obligation to protect personal information about citizens, as required by law. They must exercise particular care in protecting records containing sensitive and private health, financial, and other personally identifiable information about individuals, such as social security numbers.

WHEREAS, the purpose of this executive order is to direct state agencies, as responsible information custodians, to institute additional privacy protections for personal information and to ensure that people who supply personal information to state agencies know how it will be handled and protected under state law.

I HEREBY ORDER as follows:

For purposes of this executive order, "personal information" means information collected by a state agency about a natural person that is readily identifiable to that specific individual.

  1. Protecting the Confidentiality of Sensitive Personal Information. Each state agency shall immediately establish procedures and practices for the handling and disposal of public records and copies to provide reasonable assurances that those containing confidential personal information are properly safeguarded.
  2. Protecting Social Security Numbers and other Sensitive Personal Identifiers. To the extent practicable, each state agency shall eliminate the use of Social Security numbers and other sensitive personal and financial identifying numbers from documents that may be subject to public scrutiny. Each state agency shall also take steps designed reasonably to ensure that appropriate personnel are aware of the new confidentiality requirement under Ch. 56, Laws of 2000, for credit card and debit card numbers, electronic check numbers, card expiration dates, and other financial account numbers connected with the electronic transfer of funds.
  3. Prohibiting the Sale of Personal Information. Except as otherwise provided by law, state agencies may not sell personal information that they collect from the public or obtain from other public or private entities.
  4. Limitation on Collection and Retention of Personal Information. State agencies shall limit the collection of personal information to that reasonably necessary for purposes of program implementation, authentication of identity, security, and other legally appropriate agency operations. Agencies shall examine their record retention schedules and retain personal information only as long as needed to carry out the purpose for which it was originally collected, or the minimum period required by law.
  5. Protection of Personal Information used by Contractors. State agencies that enter into contracts or data sharing agreements with private entities and other governments that involve the use of personal information collected by the agencies shall provide in those contracts that the information may be used solely for the purposes of the contract and shall not be shared with, transferred, or sold to unauthorized third parties. A state agency that receives personal information from another state agency must protect it in the same manner as the original agency that collected the information. Each state agency shall establish reasonable procedures to review, monitor, audit, or investigate the use of personal information by contractors, including, when appropriate, the "salting" of databases to detect unauthorized use, sale, sharing, or transfer of data. Contractual provisions related to breach of the privacy protection of state contracts or agreements shall include, as appropriate, return of all personal information, termination, indemnification of the state, provisions to hold the state harmless, monetary or other sanctions, debarment, or other appropriate ways to maximize protection of citizens’ personal information.
  6. Prohibiting the Release of Lists of Individuals for Commercial Purposes. RCW 42.17.260 prohibits public agencies from giving, selling, or allowing the inspection of lists of individuals, unless specifically authorized or directed by law, if the requester intends to use the information for commercial purposes. The Attorney General in AGO 1998 No. 2 has interpreted "commercial purposes" broadly and has not limited those purposes only to situations in which individuals are contacted for commercial solicitation. For that reason, unless specifically authorized or directed by law, state agencies shall not release lists of individuals if it is known that the requester plans to use the lists for any commercial purpose, which includes any profit expecting business activity.
  7. Internet Privacy Policies. Within 30 days of the effective date of this executive order, the Department of Information Services shall, in consultation with other state agencies and affected constituency groups as appropriate, develop a clear and concise model privacy policy for use by state agencies that operate an Internet web site. The privacy policy shall contain at least the following elements: a) the manner in which the personal information is collected; b) the intended uses of the information; c) a brief description of the laws relating to the disclosure and confidentiality of the information with a link to the state public records act and other laws, as appropriate; d) information on the purpose and anticipated effects of the web site’s data security practices; e) the consequences of providing or withholding information; f) the agency’s procedures for accessing personal information, verifying its accuracy, and making corrections; g) the method by which an individual may make a request or provide notice to the agency concerning the use or misuse of a person’s personal information; and h) how the agency may be contacted. Within 60 days of the completion of the model policy, each state agency that operates an Internet web site shall, after consultation with affected constituency groups, adopt the model policy, modified to the minimum extent necessary to address practical and legal considerations specific to that agency. Links to agency privacy policies should be located prominently on each agency’s web site home page and on any other page where personal information is collected.
  8. Notification and Correction. Each state agency that collects personal information shall, to the extent practicable, provide notice to the public at the point of collection that the law may require disclosure of the information as a public record. Upon request, state agencies shall provide a written statement generally identifying a) the known circumstances under which personal information in public records may be disclosed, and b) the agency’s procedures for individuals to review their personal information and recommend corrections to information that they believe to be inaccurate or incomplete. This notice and statement may be included in an agency privacy policy, as specified in item 7 above.
  9. Citizen Complaints and Oversight. Citizen complaints, questions, or recommendations regarding the implementation of this executive order or the collection and use of personal information by state agencies shall be submitted to the agency that is the custodian or collector of the information. Each agency shall designate a person to handle complaints, questions or recommendations from, and provide information to, the public regarding the collection and use of personal information and the agency’s privacy policies. I will designate a person within the Governor’s office to monitor and oversee the administration of this executive order and to serve as a point of contact for complaints from the public not addressed by an agency.
  10. Miscellaneous. Nothing in this executive order shall be construed to prohibit or otherwise impair a lawful investigative or protective activity undertaken by or on behalf of the state. This order does not create any right or benefit, substantive or procedural, at law or in equity, that may be asserted against the state, its officers or employees, or any other person. It prohibits the release of public records only to the extent allowable under law. State agencies shall, in all cases, comply with applicable law. This order is intended only to improve the internal management of the executive branch and enhance compliance with the law. The Governor may grant exceptions to the requirements of this executive order if an agency can demonstrate that strict compliance results in excessive and unreasonable administrative burdens or interferes with effective administration of the law.

This executive order shall take effect immediately.

  IN WITNESS WHEREOF, I have hereunto set my hand and caused the seal of the State of Washington to be Affixed at Olympia this 25th day of April A.D., Two thousand.


Governor of Washington

Secretary of State