This move comes at a time when governments across the U.S. are collecting greater volumes of data — making it essential that all that information be handled safely and appropriately, Stewart told Government Technology.
Whoever fills the role of SCPO will focus on how the state informs residents about what data it seeks to collect, keeps private personally identifiable information (PII) and ensure that agencies avoid gathering more sensitive details than they absolutely need, states one executive order. The SCDO will be charged with overseeing how state agencies share, use and manage the data it holds, according to a second executive order. A CISO, meanwhile, homes in on defending the data.
The two new roles are expected to collaborate closely with the CISO, with each officer applying a different lens to state use of data to ensure all important considerations are covered.
“Privacy, security and data governance go hand in hand,” Stewart said. “If you look at events across nation over past few years, a consistent theme in all of these breaches is that at least some component of all three of those roles could’ve helped prevent the breach.”
One might consider achieving that kind of close coordination across data governance, privacy and security responsibilities by putting all three under the CISO’s oversight, but Stewart said it was important to create separate offices that would ensure each focus had equal standing and priority.
“With housing those roles under cybersecurity, you run risk that security has too much of a seat at the table, and that in interest of security, you give up usability or utility of the data,” he said.
These new privacy and governance positions come as part of a series of initiatives intended to better safeguard resident data and produce more meaningful insights from it to improve how the state delivers services.
DRIVING DATA GOVERNANCE
The state chief data officer is one of several efforts to improve data governance approaches. The SCDO is intended to develop best practices, policies and standards and enshrine them in a statewide “Data Strategic Plan,” according to the executive order. Government agencies will provide their perspectives as well, and have until Oct. 1, 2021 to appoint their own data officers who will work with the SCDO on that strategy.
Hogan is also looking to federal expertise to guide Maryland’s approach and additionally announced a new partnership that will see a senior-level data analyst from the NSA advise on data security and governance, according to a press release.
MORE INFORMED SERVICES
The SCDO will additionally focus on helping agencies safely share and analyze the data they hold so that all parties can draw more useful insights. The order particularly focuses on doing so to create more informed approaches to public health and safety.
The SCDO is asked to help produce data-driven public safety initiatives that reflect, recognize and respond to the impacts of childhood trauma, as well as data-based proposals for reducing opioid use and overdoses.
Slightly more than 90 percent of drug overdose deaths occurring in the state in 2020 involved opioids, a rate “higher than at any other point during the opioid crisis,” according to an April 2021 report from the Maryland Opioid Operational Command Center, which used preliminary 2020 data.
A separate executive order announced yesterday further drives efforts to tap into state data to improve services to vulnerable residents. Maryland has enabled states to share and store data on a joint cloud platform since 2017, known as Maryland Total Human-services Integrated Network (MD THINK). The new order establishes a committee responsible for guiding how agencies use MD THINK and for supporting state efforts to address multigenerational poverty and the effects of traumatic childhood experiences.
SPOTLIGHT ON PRIVACY
Any such support programs will need to also ensure that they are protecting the privacy of the residents they aim to serve.
“When you talk about social services, you're talking about some of the most vulnerable folks that we need to do everything we can to protect — to ensure that their data is kept private and not used for any purpose that we know they wouldn't want,” Stewart said.
The state chief privacy officer is intended to create a privacy framework for agencies to follow, regarding everything from gathering and leveraging data to disclosing and ultimately destroying it.
Each agency will also appoint its own privacy officer, by Jan. 1, 2022, who will meet regularly with the SCPO to give feedback on privacy policies. Agencies also will need to let users correct the PII it has about them as well as delete it and opt out of having it shared – except in cases where law prevents this.
The state defines PII as a first name or initial, plus last name, that is also combined with any of the following details about a person:
- social security number;
- state-issued identification number — such from a state ID or driver’s license;
- passport number;
- details related to legally protected classifications;
- and/or biometric details that could be used in isolation or in combination with other information to identify a person.
WORKFORCE DEVELOPMENT
A memorandum with UMB rounds out the governor’s series of actions, with this one focused on building a larger pool of in-state cyber talent and tapping it to fill agencies’ needs. The effort
will create a new institute within University of Maryland, Baltimore that is focused on artificial intelligence, cybersecurity and data science and will engage that institute’s faculty and students in providing technological support and solutions to state and local agencies.