WHEREAS, Citizens of the state of Washington are gravely concerned about their privacy, and that concern is well founded. As the Internet comes of age, we are experiencing an explosion in the growth of commercial and government electronic databases that contain highly sensitive personal information about individuals. The businesses and governments that control those databases must be responsible. It is state government’s added responsibility to protect the personal privacy rights of Washington’s citizens and lead the private sector by example and by law.
I am a strong believer in open government and the people's right to know. The very existence of our democracy depends on the fundamental principles embodied in our laws ensuring that we never have secret government. People must be able to trust their government.
There is a critical distinction, however, between public information and private personal information that happens to be held by the government or a business. Simply because certain personal information is in the hands of a third party does not mean that it should be made public or available to anybody willing to pay for it. A taxpayer’s sensitive tax information has never been subject to public scrutiny. Nor do citizens expect that their health records, bank account, or credit card numbers will be open for inspection or available to others.
Unfortunately, as citizens, our expectations may exceed the privacy protections provided in law and the practices and policies established by the private sector and public agencies to protect personal information. The information age has created an urgent need for the custodians of data to exercise special care in safeguarding that information.
With this executive order, it is my intent to ensure that state agencies comply fully with state public disclosure and open government laws, while protecting personal information to the maximum extent possible by:
- Placing the government of Washington state at the forefront in protecting the personal information of its citizens;
- Minimizing as much as possible the collection, retention, and release of personal information by the state;
- Prohibiting the unauthorized sale of citizens’ personal information by state government;
- Providing citizens with broad opportunities to know what personal information about them the state holds, and to review and correct that information; and
- Making certain that businesses that contract with the state use personal information only for the contract purposes and cannot keep or sell the information for other purposes – and that those who violate this trust are held accountable.
NOW THEREFORE, I, Gary Locke, Governor of the State of Washington, declare my commitment to strengthen privacy protections for personal information held by state agencies, and to the principles of open government and the people's right to know.
WHEREAS, an increasing number of citizens are concerned that personal information held by the state might be used inappropriately, that unauthorized people may have access to it, and that some information may be inaccurate, incomplete, or unnecessary.
WHEREAS, citizens have a right to know how information about them is handled by state agencies and the extent to which that information may be disclosed or kept confidential under the law.
WHEREAS, many state agencies collect, maintain, and dispose of public records that contain highly confidential and sensitive personal information that must be carefully safeguarded. These records contain sensitive and private health, financial, business, or other personally identifiable information. Their inadvertent release, careless storage, or improper disposal could result in embarrassment or harm to individuals and potential liability for the state.
WHEREAS, state agencies have an obligation to protect personal information about citizens, as required by law. They must exercise particular care in protecting records containing sensitive and private health, financial, and other personally identifiable information about individuals, such as social security numbers.
WHEREAS, the purpose of this executive order is to direct state agencies, as responsible information custodians, to institute additional privacy protections for personal information and to ensure that people who supply personal information to state agencies know how it will be handled and protected under state law.
I HEREBY ORDER as follows:
For purposes of this executive order, "personal information" means information collected by a state agency about a natural person that is readily identifiable to that specific individual.
- Protecting the Confidentiality of Sensitive Personal Information. Each state agency shall immediately establish procedures and practices for the handling and disposal of public records and copies to provide reasonable assurances that those containing confidential personal information are properly safeguarded.
- Protecting Social Security Numbers and other Sensitive Personal Identifiers. To the extent practicable, each state agency shall eliminate the use of Social Security numbers and other sensitive personal and financial identifying numbers from documents that may be subject to public scrutiny. Each state agency shall also take steps designed reasonably to ensure that appropriate personnel are aware of the new confidentiality requirement under Ch. 56, Laws of 2000, for credit card and debit card numbers, electronic check numbers, card expiration dates, and other financial account numbers connected with the electronic transfer of funds.
- Prohibiting the Sale of Personal Information. Except as otherwise provided by law, state agencies may not sell personal information that they collect from the public or obtain from other public or private entities.
- Limitation on Collection and Retention of Personal Information. State agencies shall limit the collection of personal information to that reasonably necessary for purposes of program implementation, authentication of identity, security, and other legally appropriate agency operations. Agencies shall examine their record retention schedules and retain personal information only as long as needed to carry out the purpose for which it was originally collected, or the minimum period required by law.
- Protection of Personal Information used by Contractors. State agencies that enter into contracts or data sharing agreements with private entities and other governments that involve the use of personal information collected by the agencies shall provide in those contracts that the information may be used solely for the purposes of the contract and shall not be shared with, transferred, or sold to unauthorized third parties. A state agency that receives personal information from another state agency must protect it in the same manner as the original agency that collected the information. Each state agency shall establish reasonable procedures to review, monitor, audit, or investigate the use of personal information by contractors, including, when appropriate, the "salting" of databases to detect unauthorized use, sale, sharing, or transfer of data. Contractual provisions related to breach of the privacy protection of state contracts or agreements shall include, as appropriate, return of all personal information, termination, indemnification of the state, provisions to hold the state harmless, monetary or other sanctions, debarment, or other appropriate ways to maximize protection of citizens’ personal information.
- Prohibiting the Release of Lists of Individuals for Commercial Purposes. RCW 42.17.260 prohibits public agencies from giving, selling, or allowing the inspection of lists of individuals, unless specifically authorized or directed by law, if the requester intends to use the information for commercial purposes. The Attorney General in AGO 1998 No. 2 has interpreted "commercial purposes" broadly and has not limited those purposes only to situations in which individuals are contacted for commercial solicitation. For that reason, unless specifically authorized or directed by law, state agencies shall not release lists of individuals if it is known that the requester plans to use the lists for any commercial purpose, which includes any profit expecting business activity.
- Citizen Complaints and Oversight. Citizen complaints, questions, or recommendations regarding the implementation of this executive order or the collection and use of personal information by state agencies shall be submitted to the agency that is the custodian or collector of the information. Each agency shall designate a person to handle complaints, questions or recommendations from, and provide information to, the public regarding the collection and use of personal information and the agency’s privacy policies. I will designate a person within the Governor’s office to monitor and oversee the administration of this executive order and to serve as a point of contact for complaints from the public not addressed by an agency.
- Miscellaneous. Nothing in this executive order shall be construed to prohibit or otherwise impair a lawful investigative or protective activity undertaken by or on behalf of the state. This order does not create any right or benefit, substantive or procedural, at law or in equity, that may be asserted against the state, its officers or employees, or any other person. It prohibits the release of public records only to the extent allowable under law. State agencies shall, in all cases, comply with applicable law. This order is intended only to improve the internal management of the executive branch and enhance compliance with the law. The Governor may grant exceptions to the requirements of this executive order if an agency can demonstrate that strict compliance results in excessive and unreasonable administrative burdens or interferes with effective administration of the law.
This executive order shall take effect immediately.