King County’s Office of Risk Management reports that it is very likely for the County to experience a significant electronic security breach within the next five years. Unauthorized access to personal information could lead to serious harm to the County’s reputation and finances and to the well-being of individuals and communities. County residents, including immigrants, law enforcement personnel, older people, youth, and people with disabilities, provide private information to county agencies to access essential services. King County Code establishes the County’s commitment to protecting privacy for all residents and further clarifies the County’s aim to protect citizenship information.

We found that U.S. Immigration and Customs Enforcement (ICE) agents had access to nonpublic information about people arrested and booked by county agencies, putting residents at increased risk of deportation. In violation of county code, the Department of Adult and Juvenile Detention (DAJD) and King County Sheriff’s Office (KCSO) did not appropriately restrict access to nonpublic information to ensure that it was not used for civil immigration enforcement. We also found that in a one-month period, DAJD did not notify a significant portion of the people ICE asked DAJD to hold for civil immigration enforcement, reducing people’s readiness to seek legal counsel. In some instances, DAJD also collected citizenship information, in violation of county code. In response to our findings, DAJD and KCSO have taken important first steps to implementing code-mandated protections.

King County made a commitment to protect residents’ privacy but has not developed a robust program to carry it out. This increases the number of people at risk of someone inappropriately accessing or releasing their data. County policy discusses the need to safeguard data, but IT managers said that there is no accountability mechanism to ensure policy implementation. The County lacks a clear definition of personal information and a reliable inventory showing what personal information the County holds. Agencies have records retention schedules but do not follow them in ways that prioritizes people’s privacy.

We recommend that the County develop a privacy program, clearly define personal information, catalog the personal information it collects, and dispose of sensitive personal information in line with records retention schedules. We also recommend appropriate training, regular monitoring, and other methods to ensure that agencies comply with county legislation requiring the protection of personal information of immigrant and nonimmigrant communities.

Currently, there are no related reports to this project.