5 Reasons Your State Needs a Chief Privacy Officer — Now

This July, the National Association of State Chief Information Officers (NASCIO) will hold the third in-person meeting of state chief privacy officers (CPOs) as part of our Leadership Summit. As of this writing, 25 states have identified someone that handles privacy at an enterprise level; four states have created the position in the last year and a half alone.

The role is growing fast, but unlike the chief information officer and chief information security officer roles, not every state has a CPO. While privacy advocates wait to see if a national policy can be agreed upon in Washington, here are five reasons why every* state should hire a chief privacy officer today.

1. States collect more information from the average citizen than any one company. Chief privacy officers are common in the private sector — especially for large companies. However, companies only collect the data they need to do business with an individual. States collect information on birth certificates, health records, various licenses, benefits eligibility and tax information, just to name a few. With this high level of personal data held by states, someone should be appointed to oversee its protection.
2. One major theme coming out of the COVID-19 pandemic is that digital government is here to stay. Digital government came in second (only behind cybersecurity) on NASCIO’s list of State CIO Top 10 Technology and Policy Priorities for 2023. This means states are collecting even more private information from citizens than ever before. This is likely one of the reasons that the CPO role has been growing rapidly over the last two years.
3. Citizens are more aware of their privacy rights than ever before. Due to data breaches in the news (and possibly our inboxes if our data was compromised), and state and federal bills to address consumer privacy, the average citizen has never been more aware that they have data privacy rights. They also have never felt more uneasy about the way their personal information is collected and used. According to the Pew Research Center, 63 percent of Americans feel that it’s impossible to go about their daily life without the government collecting data about them. Hiring a state CPO is one way to signal to citizens that your state is taking their privacy seriously.
4. You need a privacy program, and a CPO can help you build one. A privacy program helps an organization proactively avoid data breaches, maintain governance, create influence with stakeholders and comply with data privacy laws. It’s not an easy task, but a chief privacy officer can start steering things in the right direction.
5. An enterprise-level CPO will help to coordinate with agencies to ensure everyone is up to date on trainings and following privacy laws. While various agencies will have privacy professionals with expertise in certain privacy laws, a state-level chief privacy officer can ensure that all agencies are working toward the same privacy goals under one enterprise policy to protect citizen data. The state CPO can also ensure that government employees are trained in privacy along with cybersecurity. Having a privacy point of contact in each agency will ensure that this is coordinated effectively.

Over the next several years, it is our hope at NASCIO that not only will all states have a chief privacy officer, but that those roles will be increasingly established in statute and given dedicated budgets for privacy initiatives. You can learn more about the state chief privacy officer role in NASCIO’s 2022 publication Privacy Progressing: How the State Chief Privacy Officer Role is Growing and Evolving.

*California does not have a chief privacy officer, but instead has an entire California Privacy Protection Agency.

Amy Hille Glasscock, a Certified Information Privacy Manager, is program director of Innovation and Emerging Issues with the National Association of State Chief Information Officers.