JLARC preliminarily finds Office of Privacy and Data Protection meets responsibilities but recommends statute updates

The Joint Legislative Audit and Review Committee on Sept. 17 received a preliminary performance review of the Office of Privacy and Data Protection (OPDP) that concluded OPDP generally meets statutory responsibilities and receives high user satisfaction, but that statute and performance measures should be updated to match the office’s capacity and focus.

JLARC auditors Stephanie Seto and Francisco (Francisco San Santam / Francisco Santa Marina in the transcript) summarized OPDP’s work: the office provides privacy guidance and annual privacy reviews for state agencies, conducts trainings and privacy assessments for new IT projects, serves as a resource to some local governments, and maintains public-facing guidance. "The legislative auditor concluded that the Office of Privacy and Data Protection or OPDP meets statutory responsibilities and receives high user satisfaction," Seto said when presenting the findings.

OPDP sits within Washington Technology Solutions (WATEC), has about 4.5 staff and a chief privacy officer, and in recent biennia received dedicated appropriations (about $2.96 million in 2021–23, $2.74 million in 2023–25). Auditors told the committee the office spent contractor dollars on educational materials and provided a mix of trainings used across state agencies. JLARC’s survey of about 300 state employees who had interacted with OPDP returned 127 responses (44 percent); about 82 percent of respondents said OPDP met "all or most" privacy needs, and 67 percent said they changed practices after using OPDP resources.

Committee members pressed staff and OPDP about the limits of OPDP’s authority and scope. Senator Gaynor and Representative Orcutt asked whether OPDP verifies federal-law-specific requirements such as FERPA; JLARC staff said OPDP provides general privacy guidance and 1-on-1 consultations but does not have enforcement authority for federal statutes, which are generally enforced at the federal level. Zach Hudgins, privacy manager at WATEC/OPDP, said OPDP works with higher education and local governments and is willing to adapt training to specific legal regimes when requested.

JLARC’s two recommendations in the preliminary report were: (1) the legislature should review and update OPDP statute to align expectations, responsibilities (for example, the now-redundant broadband reporting requirement) and capacity; and (2) OPDP should develop and use performance measures that assess long-term outcomes—linking activities such as trainings and privacy policies to whether agencies are less likely to experience privacy incidents.

Auditors noted OPDP’s statutory responsibility to report on broadband equity remains in law, but OPDP staff and JLARC consider that requirement redundant since the Washington State Broadband Officer and the Washington State Broadband Office (WOSBO) now lead broadband work. JLARC said OPDP shifted away from in-person public outreach after 2020 and now focuses on government-facing work; about one-quarter of OPDP’s email list subscribers are not affiliated with government, indicating public interest in OPDP communications.

The committee received the preliminary report and JLARC staff said they will present a proposed final report in December. OPDP and JLARC staff said they will continue to provide materials and answer follow-up questions for committee members during the interim.

Less-critical details: OPDP tracks annual outputs (e.g., staff trained, agencies adopting privacy policies) but auditors found these measures do not show long-term outcomes; OPDP shortfall in 2021–23 funding limited public education capacity.