Privacy Modeling Tool

I. Privacy by Design:

Now that you have used the Privacy Modeling Application (the “PM App”), we would like to help you design your product or service with privacy in mind. The App is designed for optimal impact when privacy is integrated into the treatment of “Personally Identifiable Information” (“PII”) throughout the data life cycle. This life cycle includes each step from the time PII is received until it is destroyed, archived or returned. Here’s a simple diagram:

[Figure: User guide diagram]

The PM App produces a “Results Matrix” to indicate: (i) “No specific privacy law found,” (ii) the intended use has “Limitations” or (iii) the intended use is “Forbidden.” Please keep in mind that Privacy Modeling’s database only covers privacy laws, not other laws that might apply to a specific scenario.

We understand that the “Limitations” flag may be difficult to interpret and you might need to consult an attorney or privacy expert to comply with applicable law. Further, just because the PM App has identified a desired use as “No specific privacy law found” does not mean that your organization obtained permission or consent to use an individual’s data in a specific way. “No specific privacy law found” means that our database has not found a privacy statute that in its plain language governs the query you made. Further, the PM App applies to American citizens and is focused on the State of Washington. It doesn’t apply to rights which European citizens or citizens of other nations might retain.

Privacy experts refer to seven principles of Privacy By Design (“PbD”), which you might wish to consult in building your product (see End Note i). You should consider applying the results across the entire data life cycle by assessing how your organization collects, stores, maintains, and shares or otherwise uses PII when fulfilling its objectives.

It’s a good practice to review your organization’s privacy policy and ask how it is administered. Your organization may have rules regarding the security level it applies to different types of citizen data and you may need to incorporate these rules into your product design.

Finally, think about implementing a “Data Minimization” approach to your product or service. Is it really essential to collect each item of personal information to accomplish your goal? Try to pare down the data collected and used to minimize the risk that any data is misused or accessed in an unauthorized manner.

II. Permission and Method of Data Collection:

The PM App assumes that you collected your data in a legal manner. Also, your group may have collected data for a specific purpose and is not authorized to use that data for another purpose. If you don’t know, please ask how your organization obtained the data it plans to utilize in your product or service. Be wary of data supplied by third parties or contractors. Specific laws govern data collection processes in order to protect privacy rights (see End Note ii).

III. The Public Records Act

The State of Washington has a strong Public Records Act (the “PRA”). Most types of data stored by a government agency—state, county or city—are subject to the PRA. This includes electronic data, photos, video and other media. Government agencies must adhere to the requirements of the PRA and its retention schedules when storing data (see End Note iii). If you know that the data you decide to store will be subject to the PRA, you should budget for the resources and time required for your organization to comply with public records requests.

IV. General Usage

We created the PM App to help you evaluate privacy concerns to meet the needs of your organization. The PM App restricts its analysis of your query to existing laws in the U.S. and Washington State and does not identify policy restrictions that might govern an organization’s proposed use of PII. The PM App is designed to help users:

  • Identify the combinations of desired uses of PII which trigger legal rules and regulations;
  • Point to the Federal and Washington State laws that apply to your use case;
  • Serve as a starting point to research applicable privacy laws.

A “Forbidden” or “Restricted” result indicates that your agency should conduct more review or consult an attorney to verify compliance with the applicable state or federal law.

Federal Mode: The PM App displays both Federal and State of Washington results. If you are only concerned about Federal law, ignore the “RCW” links in the yellow pop-up boxes in the Results Matrix.

The Database was last updated on November 1, 2016. It does not cover laws after this date!

V. Legal Disclaimer

Here’s the legal stuff: The Washington State Office of the Chief Information Officer, Consolidated Technology Services, Washington Technology Solutions and Office of Privacy and Data Protection and the State of Washington (collectively, “State of Washington”) have provided free access to the PM App. Use of the PM App is not a substitute for legal advice, especially with respect to complex privacy laws.

The PM App contains only general information about existing laws based on the scenarios selected by the user. As laws change or are interpreted by courts, the PM database may not be up to date. None of the information provided in the Results Matrix, this Guide or elsewhere by the State of Washington constitutes legal advice. You ultimately are responsible for the content and consequences of the products or services that you develop based on your use of the PM App.

Please consult the Public Records Act for guidance on disclosure of any personal information.

The State of Washington extends the PM App to you with the following limitations:

  • The legal information on this website is provided “as is” without any representations or warranties, express or implied. The State of Washington makes no representations or warranties of any kind in relation to references to information on this website, this User Guide or in the PM App or its results.
  • This application may not apply to your particular facts or circumstances. Further, Privacy Modeling may not reflect the most recent developments in privacy and related law and may not be applicable to your particular jurisdiction. You must not rely on the information you obtain through your use of the PM App and User Guide as an alternative to legal advice from your attorney or other professional legal services provider. Before taking any action based on use of this site, the Results Matrix or any other product of Privacy Modeling, you should consult an attorney or other professional legal services provider.

This Privacy Modeling tool was funded, in part, with a grant from the William and Flora Hewlett Foundation as part of their Cyber Initiative.

Database of Federal and Washington State Privacy Laws in Privacy Modeling

FEDERAL PRIVACY LAWS

FREEDOM OF INFORMATION ACT (FOIA) (5 U.S.C. §§ 552 ET SEQ.)

FAIR CREDIT REPORTING ACT (FCRA) (15 U.S.C. §§ 1681-81T)

THE FACT ACT OF 2003 (FACT ACT) (PUB. L. NO. 108-159, 117 STAT. 1952 (2003))

FAMILY EDUCATION RIGHTS AND PRIVACY ACT OF 1974 (FERPA) (20 U.S.C. § 1232G)

PRIVACY ACT OF 1974 (5 U.S.C. § 552A)

RIGHT TO FINANCIAL PRIVACY ACT OF 1978 (12 U.S.C. §§ 3401-22)

ELECTRONIC FUNDS TRANSFER ACT OF 1978 (15 U.S.C. §§ 1693-93R)

ELECTRONIC COMMUNICATIONS ACT OF 1986

CHILDREN’S ONLINE PRIVACY PROTECTION ACT (15 U.S.C. §§ 6501-06)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) (PUB. L. NO. 104-191, 110 STAT. 1936 (1996))

GRAMM-LEACH-BLILEY ACT (GLBA) (15 U.S.C. § 6801(A))

VIDEO PRIVACY PROTECTION ACT (VPPA) (18 U.S.C. § 2710)

CABLE TELEVISION PRIVACY ACT OF 1984 (47 U.S.C. § 551)

DRIVER’S PRIVACY PROTECTION ACT OF 1994 (DPPA) (18 U.S.C. §§ 2721-25)

COMPUTER FRAUD AND ABUSE ACT (18 U.S.C. § 1030)

FAIR DEBT COLLECTION PRACTICES ACT (FDCPA)

WASHINGTON STATE PRIVACY LAWS

WASHINGTON STATE’S CONSTITUTIONAL RIGHT TO PRIVACY (WASH. CONST. ART. 1, § 7.)

DATA BREACH NOTIFICATION (RCW 19.255.010)

PUBLIC RECORDS ACT (RCW 42.56)

ADDRESS CONFIDENTIALITY PROGRAM (RCW 40.24.070)

RECORDING CONVERSATIONS (RCW 9.73.030(1)(B))

RIGHT OF PUBLICITY (RCW 63.60.050)

VOYEURISM (RCW 9A.44.115(2))

DISTRIBUTION ON INTIMATE IMAGES (RCW 4.24.795)

COLLECTION, SHARING, AND USE OF STUDENT PERSONAL INFORMATION (RCW 28A.604.030)

DISPOSAL OF PERSONAL INFORMATION – BUSINESS REGULATIONS (RCW 19.215.005)

UNLAWFUL RELEASE OF COURT AND LAW ENFORCEMENT EMPLOYEE INFORMATION (RCW 4.24.680)

UNIFORM INTERSTATE FAMILY SUPPORT ACT – LIMIT ON USE OF PERSONAL INFORMATION (RCW 26.21A627)

IMMUNITY OF FRANCHISEES AND ASSIGNS (RCW 46.96.250)

PROHIBITED ACTS IN VETERAN’S BENEFIT RELATED SERVICES (RCW 19.335.020(2))

LIFE SETTLEMENTS ACT – PRIVACY (RCW 48.102.051)

WASHINGTON HOMELESS CENSUS OR COUNT – CONFIDENTIALITY (RCW 43.185C.030)

AGREEMENT WITH TRIBE FOR FUEL TAXES (RCW 82.38.310)

FOR GENERAL GUIDANCE ON FEDERAL PRIVACY PRACTICES, PLEASE CONSULT:

THE FEDERAL TRADE COMMISSION’S WEB SITE: FTC.GOV/TIPS-ADVICE

THE FEDERAL COMMUNICATION COMMISSION’S WEB SITE: FCC.GOV/SEARCH/#Q=PRIVACY

End Notes:

  1. i The seven guiding principles of “PbD” are:
    1. Proactive, not reactive; preventative, not remedial;
    2. Privacy as the default;
    3. Privacy embedded into design;
    4. Full functionality – positive-sum, not zero-sum;
    5. End-to-end lifecycle protection;
    6. Visibility and transparency; and
    7. Respect for user privacy.
  2. ii Laws Restricting Data Collection:
    1. Washington State’s Constitutional Right to Privacy (WASH. CONST. art. I, § 7.): “No person shall be disturbed in his private affairs, or his home invaded, without authority of law.” Generally, if an individual has a reasonable expectation that their PII is private, it should remain private unless you obtain consent to collect it. Did your organization or a group collecting data on your behalf obtain proper consent from individuals to use their data in the manner you intend?
    2. Electronic Communications Privacy Act of 1986 (ECPA): This federal law restricts government agencies from accessing private communications transmitted electronically absent a compelling government interest approved by a court or tribunal.
    3. Fair Debt Collection Practices Act (FDCPA): This federal law prohibits debt collectors and collection attorneys from using undue harassment and other unethical practices when collecting debt.
    4. Children’s Online Privacy Protection Act (COPPA): COPPA requires website operators and app administrators to obtain verifiable consent from a parent or guardian when collecting PII from children under the age of 13.
    5. Fair Credit Reporting Act (FCRA): The FCRA sets rules governing who can obtain consumer reports and background checks; how information in the reports can be used; when individuals can review and correct their data; and whether the PII is accurate, complete and up-to-date.
  3. iii There are also 8 exemptions to the Public Records Act: See RCW 42.56.230-.480.