Privacy principles
Washington State Agency Privacy Principles: The government performs a variety of functions that require personal information. Public agencies have an obligation to handle personal information about Washington residents responsibly and in a fair and transparent way. The purpose of this document is to articulate fundamental privacy principles to guide agency practices and establish public trust.
Privacy basics training for state employees
Washington State’s Office of Privacy and Data Protection (OPDP) is excited to announce its launch of the Privacy Basics for Washington State Employees training course.
The training is intended to be a privacy primer for all employees to understand what privacy is, why it’s important and how it is distinct from cybersecurity.
The course has three parts:
- Intro to Privacy: An overview of personal information, data categorization, and privacy harms and violations.
- Privacy in the State of Washington: This covers privacy laws and policies, and state agency Privacy Principles.
- Privacy in Practice: A deeper dive into agency and employee responsibilities, and privacy best practices.
OPDP Presentations
The state Office of Privacy and Data Protection holds regular presentations and training sessions. Please check back regularly for new webinars.
2022 Presentations (Archived video)
- Frameworks for Privacy Success (October 20, 2022) (See slide deck here) (Also see Washington Privacy Framework)
- What are Automated Decision Systems and why you should care? (September 29, 2022) (See slide deck here)
- 2022 Privacy Survey Assessment Walkthrough (August 18, 2022) (See slide deck here)
- Privacy Metrics: Measuring Privacy Programs (July 21, 2022) (See slide deck here)
- Incorporating Privacy into the System Development Process (June 15, 2022) (See slide deck here)
- Privacy Notices webinar (April 28, 2022) (See slide deck here)
- Privacy Principles webinar (March 24, 2022) (See slide deck here)
- Privacy Week webinar (Jan. 27, 2022) (See slide deck here)
2021 Presentations (Archived video)
- Privacy and Data Sharing Agreement Best Practices Report (Dec. 16, 2021) (See slide deck here)
- Privacy Impact Assessments (Oct. 21, 2021) (See slide deck here)
- Security as one of Washington State's Privacy Principles (Sept. 30, 2021) (See slide deck here)
- Walkthrough of 2021 Privacy Assessment Survey for state agencies (Aug. 19, 2021)
- Webinar on Senate Bill 5432 hosted by OPDP and OCS (June 24, 2021)
- Managing personal information & reducing risk with data classification (April 29, 2021)
- Privacy Day presentation (Jan. 28, 2021)
2020 Presentations (Archived video)
- Washington’s Data Breach Notification Law for State and Local Government (April 30, 2020)
- Washington’s Approach to Regulating Facial Recognition (May 28, 2020)
- Contact Tracing in Washington State (June 30, 2020)
- Decoding Deidentification for Public Agencies (August 27, 2020) (See slide deck here)
- Privacy Assessment Survey Walkthrough (September 1, 2020)
- Keep Washington Working Act (Nov. 19, 2020)
- 2020 OPDP Reports (Dec. 17, 2020)
Additional Resources
- Data Sharing Agreement Implementation Guidance: This guidance was created as one piece of a privacy and cybersecurity best practices report required by ESSB 5432 (2021). It is intended to help agencies successfully implement appropriate data sharing agreements to protect confidential information.
- Sample DSA for defined extract or system access: This sample DSA is one example of a data sharing agreement tailored for use when the sharing involves system access or a pre-defined extract that can be described in detail.
- Sample DSA for multiparty relationship with broad sharing: This sample is one example of a DSA tailored for use when there are several parties involved, and the nature of the sharing makes it infeasible to document each data transmission with specificity in the contract.
- Sample data share template: The Office of Cybersecurity, in collaboration with our office and the state Office of the Attorney General, will create a report on model data share terms and best practices later this year. Until then, agencies can use the Sample Data Share Template our office put together. The template can be modified for agency use. For additional information on the bill, please watch the webinar that we hosted with the Office of Cybersecurity on June 24, 2021. (Please also see the webinar slide deck)
- Data Request Template: This form can be used to gather information about external requests for confidential information. The form helps vet requests and ensure alignment with the Washington State Agency Privacy Principles and an agency’s mission. It is a valuable tool that can also be used to support broader data governance priorities.
- 2021 Local Government Privacy Assessment Survey: The state Office of Privacy and Data Protection is asking local governments to fill out our voluntary privacy assessment survey to help us measure privacy maturity and needs across different levels of local jurisdictions. The responses will be used to help develop resources and training where they are most needed. The goal is to establish a common understanding of current practices, not to measure compliance with specific laws or standards. We appreciate your taking the time to respond to the survey, and helping to protect the privacy of Washingtonians. Please feel free to send any questions to privacy@ocio.wa.gov.
- State and Local Government Breach Assessment Form: Use this form to determine whether an incident is a breach that requires notification. Any unauthorized use or disclosure of Personal Information may be a breach that requires notification under the Washington state data breach notification law (RCW 42.56.590). The factors in the assessment help with the breach determination.
- Categorizing data for a state agency: Under the Office of the Chief Information Officer policy 141.10 (Securing Information Technology Assets), state agencies must classify data into categories based on the sensitivity of the data. This checklist helps agencies determine what type of data they are collecting and the proper handling of that data.
- Minimizing data collection: Today, many organizations believe that the more data you have, the more valuable it is. However, the overcollection of personal information can dramatically increase the potential harm to individuals in case of a data breach. In addition, collecting unnecessary or indirect information that is loosely tied to a purpose is increasingly viewed as exceeding the scope of consent.
- Privacy by design: Privacy by Design is the concept that privacy measures and considerations are incorporated throughout the entire process/product development lifecycle. This approach helps to design more secure systems because privacy mechanisms are baked into the process as opposed to layered on top of a finished product built without privacy in mind.
- Agency GDPR checklist: While state agencies will most likely not come under GDPR scrutiny, it is still important to know the risks and how to avoid them. This checklist provides some quick points for state agencies to consider related to the European General Data Protection Regulation (GDPR).
NGA Cybersecurity Policy Academy (Washington State Report)
- The National Governors Association (NGA) Whole of State Cybersecurity Policy Academy convened state and local government stakeholders during 2020-21 to address common challenges. This report summarizes the discussions and highlights recommendations.