Office of Privacy and Data Protection
Preliminary report | September 2025
Stephanie Seto, Francisco Santamarina, research analysts
Ryan McCord, audit director; Eric Thomas, legislative auditor
Legislative Auditor's conclusion
The Office of Privacy and Data Protection (OPDP) meets statutory responsibilities and receives high user satisfaction. However, the Legislature should update OPDP's mandate to align with its capacity and focus.
Key points
- OPDP advises state agencies on managing personal information. 82% of state agency staff who use OPDP resources said it met all or most of their needs.
- OPDP connects local governments to federal and state resources to increase privacy awareness.
- Since 2020, OPDP has focused more on supporting state and local governments and less on public outreach.
- OPDP stopped publishing a broadband equity report because the Legislature created another agency that is responsible for broadband development, access, and reporting.
- OPDP measures its performance, but its metrics do not fully align with its new focus or assess whether its efforts improve privacy and data protection in the state.
Legislative Auditor’s recommendations
The Legislative Auditor makes one recommendation to the Legislature and one recommendation to OPDP.
Recommendation #1
In consultation with OPDP, the Legislature should review and update OPDP statute to align with its current capacity and focus.
The Legislature could review requirements for OPDP's:
- Broadband equity reporting: Another agency now has responsibility for broadband development and is better positioned to publish information on broadband access and equity. In addition, the Office of Equity has since been established to focus on statewide equity issues. If the Legislature wishes to maintain a recurring broadband equity report, it should consider assigning that responsibility to a more appropriate agency.
- Public outreach: The Legislature could consider whether these requirements align with the office's current capacity and focus. The office does not have the resources to provide additional public outreach, and other Washington organizations provide similar public resources.
- Four-year performance measures: Current required measures may no longer align with the office's focus in recent years.
Legislation required: Yes
Fiscal impact: Yes
Implementation date: At the Legislature's discretion.
Agency response: To be included in proposed final report.
Recommendation #2
OPDP should develop and use performance measures to evaluate its long-term effect on privacy and data protection for Washington residents.
Best practice states that agencies connect activities to outcomes. OPDP's current measures do not evaluate the long-term effects of its activities. The office should adopt performance measures that help it assess whether its activities have improved privacy and data protection. For example, OPDP could track:
- The number of agencies that have adopted privacy policies and whether those agencies are less likely to experience a privacy-related data incident than agencies without privacy policies.
- Whether agencies that complete OPDP's privacy impact assessment have fewer data incidents than agencies that are assigned an assessment but do not complete it.
Legislation required: None
Fiscal impact: None
Implementation date: December 2026
Agency response: To be included in proposed final report.
Video summary
Read the full report
Office of Privacy and Data Protection (HTML)
Read an overview
Read the agency response
To be included in proposed final report