Government Agency Resources

Washington State Privacy Principles

Contact

privacy@watech.wa.gov

Privacy principles

Washington State Agency Privacy Principles: The government performs a variety of functions that require personal information.

Public agencies have an obligation to handle personal information about Washington residents responsibly and in a fair and transparent way. The purpose of this document is to articulate fundamental privacy principles to guide agency practices and establish public trust.

Privacy basics training for state employees

Washington State's Office of Privacy and Data Protection (OPDP) is excited to announce its launch of the Privacy Basics for Washington State Employees training course.

The training is intended to be a privacy primer for all employees to understand what privacy is, why it's important and how it is distinct from cybersecurity.

The course has three parts:

  • Intro to Privacy: An overview on personal Information, data categorization, and privacy harms and violations.
  • Privacy in the State of Washington: This covers privacy laws and policies, and state agency Privacy Principles.
  • Privacy in Practice: A deeper dive into agency and employee responsibilities, and privacy best practices.

OPDP 2024 Presentations

OPDP 2023 Presentations

  • Privacy and Data Protection Policy Webinar (February 29, 2024) This webinar provides an overview of the Washington State Privacy and Data Protection policy. Slide Deck
  • Webinar on Privacy and GIS (October 26, 2023) Location data is central to just about everything we do and is vital to state and local governments to provide essential services to our people. Howver, location data can also reveal sensitive information about Washington residents. This webinar covers Washington's Geographic Information System (GIS) Program, what it does, what its initiatives are, and the intersection of GIS and privacy. Slide Deck.
  • Webinar on Artificial Intelligence (August 29, 2023) This webinar provides an overview on Artificial Intelligence (AI), including WaTech's role in AI, the AI community of Practice, Generative AI Guidelines, and what they see coming in the future for AI. Slide Deck
  • Webinar on Facial recognition-The good, the bad, and the regulated (June 28, 2023) This webinar examines facial-recognition, and the legal requirements and regulations of this ever evolving technology. Slide Deck
  • Webinar on the Family Educational Rights and Privacy Act (FERPA), (April 27, 2023): In addition to providing an overview of FERPA, which protects student privacy in the U.S., the webinar discusses preventing non-consensual disclosures, requirements of data share agreements, and rights and exceptions. Slide Deck
  • Webinar on Privacy Threshold Analysis (March 29, 2023): This webinar provides an overview of the Privacy Threshold Analysis and Privacy Impact Assessment - as well as explains the Privacy Threshold Analysis process and how to complete the form. Slide Deck
  • Webinar on Health Data Privacy (Jan. 26, 2023): This webinar provides important tips on how to safeguard your personal health information from invasive data invasive practices, and steps you can take to keep your data safe. They also discussed proposed legislation seeking to protect health data. Slide Deck
  • Webinar on AGO Data Breach Report (Jan. 24, 2023): This webinar reviewed the latest data breach statistics - the AGO received 150 data breach notifications in 2022, the second-highest recorded amount since 2016 - as well as recommendations for protecting personal information.

OPDP Presentations Archive (2020-2022)

Additional Resources

  • Example Privacy Policy This is an example policy for agencies to review and consider when developing their own internal agency privacy policy regarding handling personally identifiable information.Each agency will have their own internal organization to consider regarding who will be responsible for performing specific duties.  This policy is modeled on WaTech’s privacy policy and is meant to address and incorporate requirements in the enterprise Data and Protection policy, which is applicable to state agencies.
  • Privacy Notice Implementation Guidance Privacy notices are external facing documents that explain how an agency collects, uses, shares, manages and protects personal information. This implementation guidance is intended to be a resource for agencies to use when drafting an external facing privacy notice
  • Privacy and Data Protection Policy Crosswalk with Washington State Agency Privacy Principles and Washington State Privacy Framework The Privacy Policy Crosswalk is a tool to help agencies understand how the sections of the enterprise Privacy and Data Protection Policy align with the Washington State Agency Privacy Principles and Washington Privacy Framework. By using this crosswalk, agencies can explain and demonstrate how their privacy policies incorporate the privacy principles which enhance state agency privacy programs.
  • Privacy Framework for State Agencies: The Privacy Framework for State Agencies was developed based on the NIST Privacy Framework and other privacy program best practices. It is intended to be a flexible and scalable starting place for agencies of varying sizes handling personal information of varying sensitivity. Agencies should use this framework to build out more agency-specific resources that form a privacy program skeleton to be expanded and adapted over time. Not all agencies will have all components in place but using this framework can help identify and prioritize risks and opportunities.
  • Data Sharing Agreement Implementation Guidance: This guidance was created as one piece of a privacy and cybersecurity best practices report required by ESSB 5432 (2021). It is intended to help agencies successfully implement appropriate data sharing agreements to protect confidential information.
    1. Sample DSA for defined extract or system access: This sample DSA is one example of a data sharing agreement tailored for use when the sharing involves system access or a pre-defined extract that can be described in detail.
    2. Sample DSA for multiparty relationship with broad sharing: This sample is one example of a DSA tailored for use when there are several parties involved, and the nature of the sharing makes it infeasible to document each data transmission with specificity in the contract.
  • Sample data share template: The Office of Cybersecurity, in collaboration with our office and the state Office of the Attorney General will create a report on model data share terms and best practices later this year. Until then, agencies can use the Sample Data Share Template our office put together. The template can be modified for agency use. For additional information on the bill, please watch our webinar that we hosted with the Office of Cybersecurity on June 24, 2021. (Please also see the webinar slide deck)
  • Data Request Template: This form can be used to gather information about external requests for confidential information. The form helps vet requests and ensure alignment with the Washington State Agency Privacy Principles and an agency's mission. It is a valuable tool that can also be used to support broader data governance priorities.
  • 2021 Local Government Privacy Assessment Survey: The state Office of Privacy and Data Protection is asking local governments to fill out our voluntary privacy assessment survey to help us measure privacy maturity and needs across different levels of local jurisdictions. The responses will be used to help develop resources and training where they are most needed. The goal is to establish a common understanding of current practices, not to measure compliance with specific laws or standards. We appreciate your taking the time to respond to the survey, and helping to protect the privacy of Washingtonians. Please feel free to send any questions to privacy@ocio.wa.gov.
  • State and Local Government Breach Assessment Form: Use this form to determine whether an incident is a breach that requires notification. Any unauthorized use or disclosure of Personal Information may be a breach that requires notification under the Washington state data breach notification law (RCW 42.56.590). The factors in the assessment help with the breach determination.
  • Categorizing data for a state agency: Under the Office of the Chief Information Officer policy 141.10 (Securing Information Technology Assets), state agencies must classify data into categories based on the sensitivity of the data. This checklist helps Agencies determine what type of data they are collecting and the proper handling of that data.
  • Minimizing data collection: Today, many organizations believe that the more data you have the more valuable it is. However, the over collection of personal information can dramatically increase the potential harm to individuals in case of a data breach. In addition, collecting unnecessary or indirect information that is loosely tied to a purpose is increasingly viewed as exceeding the scope of consent.
  • Privacy by design: Privacy by Design is a concept that privacy measures and considerations are made throughout the entire process/ product development lifecycle. This approach helps to design more secure systems because privacy mechanisms are baked into the process as opposed to layered on top of a finished product built without privacy in mind.
  • Agency GDPR checklist: While it is most likely state agencies will not come under GDPR scrutiny, it is still important to know the risks and how to avoid them. This checklist provides some quick points for state agencies to consider related to the European General Data Protection Regulation (GDPR).

NGA Cybersecurity Policy Academy (Washington State Report)