ICE Access to County Data Shows Privacy Program Gaps
July 9, 2019
King County has made progress on its commitment to protect residents’ privacy but has not put a robust privacy program in place. County policies discuss the need to safeguard information, but training and accountability is lacking. In this context, federal immigration agents maintained access to nonpublic information collected by law enforcement agencies, in violation of county code. We recommend that the County develop a privacy program, catalog personal information, and appropriately dispose of sensitive personal information. We also recommend training, regular monitoring, and other ways to ensure agencies comply with code-mandated protections of personal information for immigrant and nonimmigrant communities. In response to our findings, law enforcement agencies have started implementing added protections.
King County’s Office of Risk Management reports that it is very likely for the County to experience a significant electronic security breach within the next five years. Unauthorized access to personal information could lead to serious harm to the County’s reputation and finances and to the well-being of individuals and communities. County residents, including immigrants, law enforcement personnel, older people, youth, and people with disabilities, provide private information to county agencies to access essential services. King County Code establishes the County’s commitment to protecting privacy for all residents and further clarifies the County’s aim to protect citizenship information.
We found that U.S. Immigration and Customs Enforcement (ICE) agents had access to nonpublic information about people arrested and booked by county agencies, putting residents at increased risk of deportation. In violation of county code, the Department of Adult and Juvenile Detention (DAJD) and King County Sheriff’s Office (KCSO) did not appropriately restrict access to nonpublic information to ensure that it was not used for civil immigration enforcement. We also found that in a one-month period, DAJD did not notify a significant portion of the people ICE asked DAJD to hold for civil immigration enforcement, reducing people’s readiness to seek legal counsel. In some instances, DAJD also collected citizenship information, in violation of county code. In response to our findings, DAJD and KCSO have taken important first steps to implementing code-mandated protections.
King County made a commitment to protect residents’ privacy but has not developed a robust program to carry it out. This increases the number of people at risk of someone inappropriately accessing or releasing their data. County policy discusses the need to safeguard data, but IT managers said that there is no accountability mechanism to ensure policy implementation. The County lacks a clear definition of personal information and a reliable inventory showing what personal information the County holds. Agencies have records retention schedules but do not follow them in ways that prioritizes people’s privacy.
We recommend that the County develop a privacy program, clearly define personal information, catalog the personal information it collects, and dispose of sensitive personal information in line with records retention schedules. We also recommend appropriate training, regular monitoring, and other methods to ensure that agencies comply with county legislation requiring the protection of personal information of immigrant and nonimmigrant communities.
Megan Ko, Laina Poon, and Ben Thompson conducted this audit. If you have any questions or would like more information, please call the King County Auditor's Office at 206-477-1033 or contact us by email at KCAO@kingcounty.gov.