Revised Code of Washington
Chapter 43.105 - Consolidated Technology Services Agency.
43.105.369 - Office of privacy and data protection.

RCW 43.105.369
Office of privacy and data protection.

(1) The office of privacy and data protection is created within the office of the state chief information officer. The purpose of the office of privacy and data protection is to serve as a central point of contact for state agencies on policy matters involving data privacy and data protection.
(2) The director shall appoint the chief privacy officer, who is the director of the office of privacy and data protection.
(3) The primary duties of the office of privacy and data protection with respect to state agencies are:
(a) To conduct an annual privacy review;
(b) To conduct an annual privacy training for state agencies and employees;
(c) To articulate privacy principles and best practices;
(d) To coordinate data protection in cooperation with the agency; and
(e) To participate with the office of the state chief information officer in the review of major state agency projects involving personally identifiable information.
(4) The office of privacy and data protection must serve as a resource to local governments and the public on data privacy and protection concerns by:
(a) Developing and promoting the dissemination of best practices for the collection and storage of personally identifiable information, including establishing and conducting a training program or programs for local governments; and
(b) Educating consumers about the use of personally identifiable information on mobile and digital networks and measures that can help protect this information.
(5) By December 1, 2016, and every four years thereafter, the office of privacy and data protection must prepare and submit to the legislature a report evaluating its performance. The office of privacy and data protection must establish performance measures in its 2016 report to the legislature and, in each report thereafter, demonstrate the extent to which performance results have been achieved. These performance measures must include, but are not limited to, the following:
(a) The number of state agencies and employees who have participated in the annual privacy training;
(b) A report on the extent of the office of privacy and data protection's coordination with international and national experts in the fields of data privacy, data protection, and access equity;
(c) A report on the implementation of data protection measures by state agencies attributable in whole or in part to the office of privacy and data protection's coordination of efforts; and
(d) A report on consumer education efforts, including but not limited to the number of consumers educated through public outreach efforts, as indicated by how frequently educational documents were accessed, the office of privacy and data protection's participation in outreach events, and inquiries received back from consumers via telephone or other media.
(6) Within one year of June 9, 2016, the office of privacy and data protection must submit to the joint legislative audit and review committee for review and comment the performance measures developed under subsection (5) of this section and a data collection plan.
(7) The office of privacy and data protection shall submit a report to the legislature on the: (a) Extent to which telecommunications providers in the state are deploying advanced telecommunications capability; and (b) existence of any inequality in access to advanced telecommunications infrastructure experienced by residents of tribal lands, rural areas, and economically distressed communities. The report may be submitted at a time within the discretion of the office of privacy and data protection, at least once every four years, and only to the extent the office of privacy and data protection is able to gather and present the information within existing resources.

[ 2016 c 195 § 2.]
NOTES:

Findings—2016 c 195: "The legislature finds that the rapid expansion of digital technology and mobile networks is changing how citizens access and share personal data and communications. Data privacy, data protection, and access equity are of increasing concern for all residents of the state. State agencies and programs entrusted by citizens with sensitive personal information must serve as responsible custodians of this data. The state can also play an important role in educating local governments and consumers about measures that may help them protect this information and as an advocate for access equity. In an interconnected world, citizens who lack meaningful access to digital technology, including mobile networks and high-speed internet connections, lack the necessary tools for sharing in the state's technology, innovation, and economic development successes. For the forgoing reasons, the legislature finds that it is necessary and efficient to have a central point of contact for policy matters involving data privacy, data protection, and access equity." [ 2016 c 195 § 1.]

Structure Revised Code of Washington

Revised Code of Washington

Title 43 - State Government—Executive

Chapter 43.105 - Consolidated Technology Services Agency.

43.105.006 - Consolidated technology services agency—Purpose.

43.105.007 - Purpose.

43.105.020 - Definitions.

43.105.025 - Agency created—Appointment of director—Director's duties.

43.105.052 - Powers and duties of agency.

43.105.054 - Governing information technology—Standards and policies—Powers and duties of office.

43.105.057 - Rule-making authority.

43.105.060 - Contracts by state and local agencies with agency.

43.105.111 - Performance targets—Plans for achieving goals—Quarterly reports to governor.

43.105.205 - Office of the state chief information officer—Created—Powers, duties, and functions.

43.105.220 - Strategic information technology plan—Biennial performance reports.

43.105.225 - Managing information technology as a statewide portfolio.

43.105.230 - State agency information technology portfolio—Basis for decisions and plans.

43.105.235 - State agency information technology portfolio—Exemptions.

43.105.240 - Evaluation of agency information technology spending and budget requests.

43.105.245 - Planning, implementation, and evaluation of major projects—Standards and policies.

43.105.255 - Major technology projects and services—Approval.

43.105.265 - Enterprise-based strategy for information technology—Use of ongoing enterprise architecture program.

43.105.285 - Technology services board—Created—Composition.

43.105.287 - Technology services board—Powers and duties.

43.105.331 - State interoperability executive committee—Composition—Responsibilities.

43.105.341 - Information technology portfolios.

43.105.342 - Consolidated technology services revolving account—Independent technical and financial analysis of proposed projects by the board.

43.105.351 - Electronic access to public records—Findings—Intent.

43.105.355 - Electronic access to public records—Costs and fees.

43.105.359 - Electronic access to public records—Government information locator service pilot project.

43.105.365 - Accuracy, integrity, and privacy of records and information.

43.105.369 - Office of privacy and data protection.

43.105.375 - Use of state data center or commercial cloud computing services—Exceptions.

43.105.385 - Agency as central service provider for state agencies.

43.105.450 - Office of cybersecurity—State chief information security officer—State agency information technology security.

43.105.460 - Office of cybersecurity—Catalog of services and functions—Report.

43.105.470 - Office of cybersecurity—Major cybersecurity incidents—Reporting duties.

43.105.825 - K-20 network—Oversight—Coordination of telecommunications planning.

43.105.904 - Actions of telecommunications oversight and policy committee—Savings—1999 c 285.

43.105.905 - Construction—2008 c 262.

43.105.906 - Conflict with federal requirements—2009 c 509.

43.105.907 - Transfer of certain powers, duties, and functions of the department of information services.