Overview of EO 00-03 – Public Records Privacy Protections
Governor Gary Locke issued EO 00-03 in April 2000 to ensure that state agencies protect confidential personal information to the maximum extent possible while complying fully with the state’s public disclosure laws. The executive order is appended to this report.
The proliferation of large databases and other information sources that contain sensitive personal information about individuals has resulted in privacy risks to individuals and significant public concerns about how the information is used. The risks include the potential for privacy abuses and harassment of individuals, financial fraud, and identity theft if the information falls into the wrong hands. Growing public concerns about personal privacy could result in diminished credibility of public agencies in the eyes of the people they serve if personal information is used inappropriately. These risks and concerns create an urgent need for all data custodians, and especially government, to exercise care in safeguarding personal information.
Since state government is accountable to all citizens of Washington for carrying out vital public programs, its agencies should be leaders in responsible information management. This means strict adherence to the access requirements of the state’s open records law and maximizing personal privacy protections within the requirements of that law.
To meet those goals, EO 00-03 does the following:
- Agencies that operate Internet web sites must have privacy policies that are prominently displayed on their home pages. The policies must be consistent with model policies developed by the Department of Information Services.
- Agencies must establish procedures and practices for handling and disposing of records that contain confidential personal information so that the information does not get into the wrong hands.
- Social Security numbers, which are key personal identifiers used in identity theft, should be removed from documents that could be subject to public scrutiny. Bank account and credit card numbers of citizens used in the electronic transfer of funds must also be kept strictly confidential, in accordance with law (Ch. 56, Laws of 2000).
- Personal information must not be sold and lists of individuals must not be released for commercial, profit-expecting purposes. The collection of personal data should be limited to that which is needed for legitimate public purposes and retained only as long as necessary.
- Agencies that enter into contracts or agreements for sharing personal information with other entities must have contractual requirements that protect the information from inappropriate uses.
- When personal information is collected, the public must be notified that the law may require the information to be disclosed as a public record. People should be informed about how they can review their personal information and recommend corrections if it is inaccurate or incomplete.
- Agencies must have contact persons to deal with privacy complaints and questions from the public.
Since Governor Locke believes that good management requires regular milestones and measures of results, he requested agency directors to track implementation of the EO and submit progress reports. This report reflects information contained in progress reports submitted by agencies at the end of September.
Summary of Agency Results
The following summarizes major results of agencies as they implement the Governor’s executive order. These results were achieved during the first six months after the issuance of the order and reflect progress as of the end of September 2000:
- Strong response from agencies. Seventy-four state agencies responded to the executive order by reporting that they have either fully or partially complied with its requirements. These include all 28 Executive Cabinet agencies plus 46 other agencies, which include independent boards and commissions, agencies managed by statewide elected officers, and higher education institutions.
- Model Internet privacy policy developed and posted. The Department of Information Services developed a model Internet privacy policy that has been adapted for use by, and posted on the Internet web sites of, 57 state agencies.
- Sensitive personal information protected. Fifty-nine agencies have procedures and practices for the handling and disposal of sensitive personal information.
- Disclosure notices adopted. Fifty agencies have developed a public notice and statement that tells citizens that their personal information may be disclosed as a public record, the circumstances under which disclosure might occur, and procedures for individuals to review their records and recommend corrections.
- Progress made in eliminating Social Security numbers. Forty-eight agencies have either removed or are in the process of removing Social Security numbers from their forms and documents that might be subject to public scrutiny. The Department of Personnel has already removed the Social Security number and personal bank account number from state employees’ paychecks. Labor and Industries has modified 59 forms to meet this requirement in the executive order. General Administration has modified 27 forms. The Board of Accountancy, Retirement Systems, and the Tax Appeals Board have reviewed and modified all of their forms to remove Social Security numbers.
- Record retention schedules being reviewed and modified. State agencies continue to review and modify record retention schedules to ensure that records with personal information are retained only as long as necessary. Notable examples of progress include: the Department of Revenue has reviewed 450 of its schedules; Labor and Industries has reviewed 264 schedules and modified 12; Liquor Control Board has reviewed 118 and modified 6; Information Services has reviewed 89; Social and Health Services has reviewed 82 record retention schedules; Superintendent of Public Instruction has reviewed 77; Fish and Wildlife has reviewed 46; and General Administration has reviewed 34 and modified two.
- Contract language being developed to protect confidentiality. Sixteen agencies have reviewed and modified all of their contracts for sharing personal information to ensure that the contracts protect the confidentiality of that information. Other agencies are making substantial progress in this effort.
- Privacy contacts named. Seventy-three agencies have designated contact persons to deal with privacy complaints and questions from the public.
Selected Agency Privacy Accomplishments
The following summarizes selected agency accomplishments in implementing EO 00-03:
- Department of Personnel (DOP) took steps to protect state employees against identity theft and financial fraud by removing employee Social Security numbers and financial account numbers from their paycheck earnings statements. The department changed various recruitment forms so that providing Social Security numbers is voluntary. DOP also established a system to give a personal identification number to those who do not wish to reveal their Social Security number.
- Department of Information Services (DIS) developed a model Internet privacy policy that can be adapted for use by all state agencies. The model policy was completed and made available to agencies before the 30-day deadline in the executive order. It is appended to this report. The Internet privacy policy provisions of the EO were integrated into the state’s new applications template for electronic permits. DIS is starting an informational campaign to make sure all employees know their responsibilities for handling confidential personal information. All agency contracts have provisions restricting vendors’ use of confidential personal information. DIS has launched a web-based application to handle Personnel Action Requests (hiring, promoting, changing work hours) that does not require or use Social Security numbers. This was a deliberate design decision that reflects the agency’s commitment to safeguarding sensitive personal information.
- Information Services Board (ISB) adopted a comprehensive Internet-oriented security policy in July designed to maintain system security, data integrity, and privacy by preventing unauthorized access to data. The ISB model contracts for acquiring hardware, software, and purchased services will include provisions for monitoring and auditing by the agency, and monetary penalties and contract termination as sanctions for breach of privacy provisions.
- Central Washington University has modified its Student Information System so that Social Security numbers are masked. Registrar Services staff were trained to conduct name searches and retrieve student information without using the student’s Social Security number. The university is implementing PeopleSoft, a system that uses a randomly assigned employee/student ID number for identification purposes, thereby avoiding the use of the Social Security number. Social Security numbers were masked on all reports, such as grade reports and rosters, class lists, student statements of accounts, and others. Students who work with student files must sign student privacy statements that stress the importance of the confidentiality of student information. Confidentiality statements have been added to new employee training packets.
- Community Trade and Economic Development has ensured that nearly all of the agency’s boilerplate contracts for its service providers have confidentiality clauses. All future contracts will incorporate by reference the agency’s privacy policy.
- Labor and Industries reports that all new contracts that involve transfer of personal information meet the requirements of the executive order. The agency removed Social Security numbers from 49 of its forms. All operating divisions are reviewing a working paper documenting the use of Social Security numbers in software applications and databases to determine if changes need to be made.
- Fish and Wildlife incorporated new personal data security performance measures in a recently signed contract between the department and MCI Worldcom Communications for development and operation of a computerized recreational license sale system. The contract stipulates that the department may assess damages equal to $10,000 per occurrence for any breach of data security, which includes unauthorized release of or access to personal data.
- Department of Health instituted an agency-wide data confidentiality and security training for all of its employees. Thus far, approximately one-half of the agency’s employees have received training. The department also reviewed all of its contract templates and incorporated standard privacy language.
- Department of Licensing has been aggressive in developing contracts that are certified for privacy. Through salting of data (seeding shared data sets with decoy entries that reveal when records are used without authorization), the department uncovered illegal use of personal information and sanctioned a company by terminating its contract.
- Department of Retirement Systems has reviewed and certified all of its contracts and data-sharing agreements for privacy in accordance with the executive order.
- Department of Revenue is reviewing all of its 298 data sharing agreements for the exchange of confidential tax information to ensure compliance with privacy requirements. Fifty of the agency’s personal service and purchase contracts have been reviewed for compliance with the executive order.
- Department of Social and Health Services adopted its final Internet privacy policy at the end of July. A major effort to review the agency’s retention schedules is underway. Although the vast majority of DSHS contracts already contain appropriate confidentiality provisions, the agency has set an aggressive schedule of completing the review and certification of over 75 contract forms, affecting 50,000+ contracts, by December 31, 2001.
- Office of Financial Management’s Statewide Accounting unit is developing policies and revising forms to ensure that personal information is protected. Payroll and credit card policies will be updated to reflect requirements in the executive order. All OFM mainframe menu pages and report banner pages now have statements reminding agencies of privacy requirements in EO 00-03.
- Office of the Attorney General has deleted Social Security numbers on its training and attendance forms, personnel questionnaires, employee separation forms, flexible work schedule forms, and others. The agency has also developed an educational brochure for the public that explains privacy protection within the agency. It lists information collected by the agency, explains how it is used, and under what circumstances it can be disclosed. The Attorney General’s consumer privacy tips at www.wa.gov/ago/privacy/tips.html are an excellent source of public information on privacy and include steps to take if an individual’s identity is stolen.
- Board of Accountancy has reviewed and modified all of its forms to eliminate use of Social Security numbers. It has also reviewed and certified all of its contract forms for privacy. All agency staff have received training designed to protect people’s privacy when they deal with the agency.
- Gambling Commission has reviewed 14 of its forms and removed Social Security numbers. All license application forms include notification that information submitted may be subject to disclosure.
- Department of Ecology no longer uses employee Social Security numbers on employee or manager performance plans, and has discontinued using the numbers on employee leave requests and vendor payment forms.
- Employment Security Department installed Secure Sockets Layer (SSL) encryption on its web server to provide maximum protection of personal information submitted on web forms.
- Liquor Control Board is modifying its Mandatory Alcohol Server Training Database so that it does not rely on the Social Security number as an identifier.
- Health Care Authority has developed an alternative to Social Security numbers for identifying individuals in the employee benefits program, the Basic Health Plan, and for internal personnel matters.
- Department of Natural Resources has removed requirements for Social Security numbers from employee leave requests, travel reimbursements, and training forms.
- School for the Deaf updated its student database to exclude Social Security numbers and is currently modifying 14 in-house personnel-related forms to eliminate those numbers.
- Workforce Training and Education Coordinating Board is in the process of encrypting Social Security numbers contained in its research data sets.
- Washington State University has a strong policy protecting the confidentiality of Social Security numbers and redacting them from documents that are subject to public scrutiny. Students are assigned a random identification number rather than a Social Security number for privacy purposes.