Key Findings
- Efforts to address digital privacy are in the nascent stages. Concerns are largely handled on a case-by-case basis rather than within an established privacy program/framework.
- State and local legislation is still the driving force, and data protection/data breach was the most significant digital privacy challenge identified, indicating a primary focus on the negative ramifications of data breaches.
- Privacy/data protection initiatives being considered or underway include data governance, analytics/data-driven government, open data, and establishing formal privacy policy/programs.
From personalized digital services and improved business operations to better decision-making, state and local governments rely on data. As a result, ensuring sensitive constituent information is secured and used responsibly must be a key priority for government leaders.
“As we collect more information on citizens and regulations evolve with concerns about cybercrime and private uses of personal data, organizations are starting to ask the right questions,” says Center for Digital Government (CDG) Senior Fellow Deb Snyder, who formerly served as New York state’s chief information security officer (CISO). “What do we need to do to protect sensitive data and critical assets? Are we integrating security and privacy into everything we're doing? Are we complying with applicable regulations?”
“A cohesive data privacy strategy has to be more than just a privacy policy on your website,” says Snyder.
Key Challenges
Today’s evolving data landscape presents several challenges, including:
Fragmented regulations.
Multiple laws and regulations cover different kinds of constituent data. This includes, but is not limited to, the Health Insurance Portability and Accountability Act (HIPAA) for health-related information, the Family Educational Rights and Privacy Act (FERPA) for student records, and the Children's Online Privacy Protection Rule (COPPA) for children under 13. In the absence of overarching federal legislation, many states have passed privacy laws with comparable — but not identical — provisions. “That fragmented approach has simply not kept pace with today’s digital world, and it fails to comprehensively or adequately address data protection and personal privacy rights,” Snyder says.
Legacy systems.
Siloed data stores can make it difficult to fully inventory data, particularly aging information collected for a single use that is no longer needed. These so-called “data graveyards” can put governments at greater risk of breach.
Lack of governance.
Without a formal governance structure, it is difficult to build consensus on how data should be used across the enterprise. As a result, privacy initiatives within government have typically been siloed by agency or use case. “Looking at privacy as a comprehensive concern — really understanding where data lives, who uses it, where it travels — without proper governance, that doesn’t occur,” Snyder says.
Developing a Data Privacy Plan
A data privacy plan is a “well-defined framework that leverages people, processes and technologies and helps establish standards for data collection, access, management, use and more,” says Snyder. “A comprehensive program integrates privacy across the entire lifecycle of all personal data that’s used within an organization.”
Steps to creating a data privacy plan include:
1. Establish the vision.
Executive buy-in is critical to ensure success, so senior management must be involved from the start. They must identify “the key data objectives that are tied to the organization’s overall mission and business outcomes — and articulate the need for the privacy program through their strong visible support,” Snyder says.
2. Understand your data and stakeholders.
The next step is to understand what kinds of data are collected to support business functions across the enterprise, who uses it for what purposes and what controls are in place to safeguard it. Then leaders should define the key roles within each department or agency — data owners, stewards, analysts, architects and consumers, along with the constituents impacted by data collection and use.
This information can help agencies conduct a baseline privacy impact assessment to identify potential areas of risk. This process must involve all stakeholders. “It has to be cross-functional and a shared responsibility,” Snyder says.
It’s also important to note that some stakeholders may need education on digital privacy and why it’s important to ensure procedures and policies are followed.
3. Create or streamline formal data policies and procedures.
It’s vital to develop goals that align with the organization’s mission and business objectives. These policies must address the full data life cycle, from collection and use to storage and eventual deletion, including mechanisms to respond to resident requests and to address third-party use of data and data-sharing agreements.
Just as many government organizations have used the NIST Cybersecurity Framework as a starting point, the institute’s Privacy Framework is one of several guidelines that governments can adapt to meet their needs.
4. Create an implementation plan, as well as supports to ensure success.
Plans should include performance measures to help drive execution and assess progress toward improvement goals and objectives.
Support implementation by providing staff with templated data-sharing agreements, use case descriptions, and charts that show how data is used in compliance with applicable regulations and policies. Doing so “sets clear expectations to ensure acceptable standards for data collection, use and sharing,” Snyder says.
5. Evaluate the technology infrastructure.
As part of the plan’s objectives, assess existing systems and identify opportunities to eliminate redundant data pools and upgrade technology.
Cloud-based solutions can help governments create hybrid models that use data from legacy systems as well as offer new use cases. For example, data virtualization can reduce operational workloads and storage and the associated costs of managing redundant or dated data sets. Advanced analytics can identify potentially sensitive data, map data flows and build on the baseline inventory conducted earlier in the process.
“Harnessing these new tools will help organizations identify and leverage valuable business data while managing privacy risks,” says Snyder.
Moving Forward
Once a data privacy plan is in place, privacy considerations can be addressed in the planning stages of new projects or initiatives — ensuring privacy by design. This framework will also help governments respond to changing regulations and constituent expectations.
“As data uses evolve, organizations should be prepared to adapt their digital privacy programs and governance models,” Snyder says. “Being proactive is always a good idea.”
Articles & Events
Digital Privacy: How State Governments Can Address the Growing Demand for Privacy (webinar)
Privacy, Security and the Distributed Workforce: What You Need to Know (webinar)
Dealing with Data: The Challenges of Security and Privacy of Government's Greatest Asset (webinar)
How Can Government Protect Constituents' Digital Privacy? (article)
The Downside to State and Local Privacy Regulations (article)
More States Appoint Chief Privacy Officers to Protect People's Data (article)
Data Privacy Experts Talk Future of Federal, State Legislation (article)
Educational Materials
Industry Glossary of Privacy Terms
National Cybersecurity Alliance Data Privacy Resources
Privacy Tools & Products
NIST Privacy Framework
Privacy Companion Guide: CIS Controls
Capability Maturity Model (CMM) examples
The Rise of Privacy Technology
Privacy Laws & Legislation
Other External Resources, Events & Podcasts