As this year’s Data Privacy Week drew to a close, a look at the privacy protection landscape for state and local governments found many reasons for optimism but more than a few areas of concern.
Risks of hacking and ransomware — along with election security — continue to command the focus of public officials across the U.S., especially as more government services and operations migrate online. Tech bans and the rise of managed services in the government technology industry are among the responses.
So, too, is the growing popularity of states putting designated professionals in charge of privacy.
At the start of 2021, the number of states that had a chief privacy officer was “in the teens,” according to Amy Hille Glasscock, program director for innovation and emerging issues at the National Association of State Chief Information Officers (NASCIO).
“Now we are well into the twenties,” she said. “In addition, more states have written the role into statute or are at least considering it in current legislative sessions.”
In fact, NASCIO in 2021 for the first time brought together in-person state privacy officers to share their experiences, she said.
“The fact that the role has grown enough to bring them together like that says a lot about the direction privacy is going in the states,” Glasscock said.
PRIVACY PROGRESS
One of the relative veterans in that job is Katy Ruckle, who became the state of Washington’s CPO in 2020.
She told Government Technology via email that in the past couple of years her most important work has included integrating privacy into project management, boosting training in basic and advanced privacy-related topics and strengthening ties among privacy practitioners in the state.
Many more challenges remain even for governments that have a head start on privacy.
As Ruckle put it, the coming year will bring fresh attention on more proactive thinking about data collection and use, and more work on integrating privacy impact assessments in the early stages of projects.
“For example, if you are creating a new intake form for the public that requires personally identifiable information, are you considering the exact data elements you need to accomplish your business purpose?” she said. “In other words, do you need full date of birth or can you rely on just month/year? And are open text fields really necessary for data collection? Sometimes people share more (personally identifiable information) than an agency really needs. Is there a way to get at the data with just multiple choice, eliminating risk of over sharing and accomplishing data minimization?”
COUNTY EFFORTS
It’s not just states that are hiring chief privacy officers. So are some counties.
That includes Santa Clara County in California’s tech-rich Bay Area, with nearly 2 million residents. In late 2022, the county hired Chris Pahl, whose experience includes cybersecurity and privacy leadership for an electric utility, as its new chief privacy officer.
In announcing the hire, county officials wrote that Pahl wants to “become more consumer-facing, which he envisions as offering more in-person meetings and conversations with the community to share important information and tips on how to stay safe in our increasingly digital world.”
As more governments seek out better privacy protections — and hire more professionals to handle that task — such jobs can become both more complex and widespread.
West Virginia offers an example of that via a contact list of privacy officers for state departments and agencies. The four pages list such job titles as chief privacy officer, agency privacy officer, department privacy officer and CISO.
PRIVACY ROLES
A report from NASCIO found that 53 percent of state CPOs had authority over their executive branches. That is actually down from 83 percent in 2019, a drop that NASCIO called “concerning” while also cautioning that the study relied on a small sample size that may not constitute a trend. NASCIO recommends giving an enterprise privacy officer authority over the executive branch.
The report also found that most CPOs have law degrees, and those who don’t tend to have “extensive experience” in privacy, security and government.
“Several CPOs mentioned working in specific sectors such as health and human services, regulatory, technology, telecom and contracting — all areas where privacy is a focus,” the report said.
No matter those findings, the need for state privacy officers will continue well into next year’s Data Privacy Week and beyond. They might be people who focus on privacy full time or as part of their larger responsibilities, according to Glasscock.
“Our No. 1 recommendation for this is for each agency to have a privacy officer, point of contact or champion,” she said. “Some agencies, like health and human services, will need someone dedicated full time with specific health-care privacy law expertise.”