Paul Hopingardner, CIO of Travis County, Texas, and Bryan Langley, senior fellow for the Center for Digital Government* and former senior vice president of defense development of Indiana Economic Development Corp., answered these questions last week during a webinar hosted by Government Technology.
Typically, legislation in this space aims to protect sensitive information about individuals, including employees or constituents, explained event moderator Deb Snyder, a senior fellow for the Center for Digital Government and the former CISO for the state of New York.
One of the most important things to understand, Hopingardner explained, is that the size of government can significantly impact how it looks at and responds to an issue like data privacy.
For example, larger organizations tend to recognize risk management, privacy and other similar concepts, he said. Smaller organizations, however, sometimes struggle with applying those concepts — particularly in states where there may not be laws addressing them.
Langley agreed, adding, “I think a lot of it is just managing the risks, particularly in dealing with vendors and vendor management, to ensuring where your data is going and who’s actually responsible for that.”
"It also involves being notified of what you have, where you have it and where it’s going," Langley said. "With that in mind, recognizing there is a patchwork of guidelines for states, counties and cities, it can be challenging to determine what is the one thing we should be thinking for, and I think that’s inherently how to manage your risks."
As for privacy, Snyder asked participants to share their general perspectives on the topic regarding state government organizations and how they manage associated risks.
For Hopingardner, the answer was twofold. “As I look at the patchwork of laws across the United States, I would like to see more federal legislation because it would give us the baseline.” However, he added, privacy sometimes seems disconnected, resulting in the adoption of a manage-as-you-go mentality.
“We’re adding a privacy officer under the same umbrella as risk, and then the same group is with chief information security,” Hopingardner explained. “My goal is to try and keep those very closely aligned with each other in those conversations, and hopefully provide a better way for us to navigate that.”
Langley, meanwhile, reiterated the importance of knowing how data is being used and shared.
“When you show up to work, you imagine having some kind of fiscal custody of your assets when you log in,” Langley said. “But when you start using multiple technologies, you aren’t sure who is receiving that information, who the vendor is or where your data is going.”
Langley added that having some level of opt-in consent or data minimization is helpful when working through various channels and technologies.
According to Langley, states should be looking at two areas when it comes to data privacy. The first is data control measures, and the second is external influences.
“I think a lot of it’s going to be on data control measures and the influence of individuals trying to work with the state legislature to see where we’re going regarding data privacy,” he said. “There’s just going to be a lot of external influence on states and legislatures from different sectors, but I do believe that states and the federal government are creating more of an overarching structure to address these issues.”
Hopingardner, on the other hand, highlighted the need for comprehensive data governance.
"What you have to recognize and understand is where your data lives, who controls it and those kinds of things," Hopingardner said. "If organizations don’t completely understand their current processes or how their data is managed and stored, it could make it difficult to implement data loss prevention."
The challenges associated with identity, privacy and other technologies were also discussed during the webinar.
"The biggest thing is your opt-in consent, governance and data minimization," Langley said. "What do we need to flesh out specifically for a company or government, particularly if you’re working with a vendor? What are they going to do with that information you provide?"
"I also think about technologies like facial recognition from a homeland security perspective; you’ve got multiple groups transacting information. But where is that going? How is that being used?" he added.
Another area to consider is stronger ID evaluation and analytics. In the end, it’s all about making sure that the information is out there combined with being transparent and communicative about the issues at hand and how to address them, Langley said.
“I think a lot of it’s stronger ID evaluation, and I think a lot of it is analytics,” Langley said. “It’s also about making sure you’re providing information to the right people at the right time so they understand what kind of governmental structure could be in place and what kind of standardization needs to be implemented.”
*The Center for Digital Government is part of e.Republic, Government Technology's parent company.