While privacy is gaining traction as a government function, it’s still a moving target: Different state CPOs define their roles differently. While they generally have collaborative relations with the chief data and security officers, they may have different approaches to navigating the jurisdictional overlap with these areas. And CPOs have a range of views on how the larger field of privacy itself is evolving.
DEFINING THE JOB
In practice, that means embedding privacy and transparency throughout the life cycle of agency systems. “It means providing informed consent to data use,” helping citizens understand how their data will be used, and how they can amend or correct their data, Jones said. “That’s what my role is designed to do.”
In Indiana, CPO Ted Cotterill looks at privacy primarily through the lens of compliance. In his view, the role “is often more legal in nature,” focused on advancing specific business objectives, while also “getting into the regulatory hurdles.”
Overall, the CPO is looking “to enable innovation … while respecting users,” he said. Privacy supports the state’s digital ambitions, while also ensuring “the confidentiality, integrity and availability triad.”
In Washington state, meanwhile, CPO Katy Ruckle has been in her role since January 2020, and has been guided largely by the enabling legislation that created the job. That means “articulating privacy principles for the state agencies, and then helping them adopt policies that incorporate those principles,” she said.
Those principles include data minimization, purpose limitation (“collecting and using information only for the purpose that you identified”), as well as “being transparent to individuals about how you’re collecting and using their information,” Ruckle said. There’s also an accountability piece, “making sure agencies are sticking to the reasons and not misusing data in any way.”
In Utah, too, there’s strong legislative guidance over the CPO role. By law, the chief privacy officer is appointed by the governor and confirmed by the Senate, and “is viewed as an executive-level role” said CPO Christopher Bramwell. “That’s a key difference you’ll see compared to some other states where the role is not appointed, doesn’t actually have authority — but they have it in place because they’re trying to figure out what it does.”
That legislative authority defines the scope of Bramwell’s efforts. A central charge of his work is to evaluate the privacy practices of Utah’s executive branch agencies and then make specific recommendations for improvement, including legislative recommendations.
In the last legislative session, all of his recommendations were adopted. For example, Utah now has an official definition of personal identifiable information, or PII. In addition, every agency is required to keep an inventory of where PII is located, Bramwell said. He’s also made recommendations to tie privacy practices into existing records management practices to better align the two.
However they may define their roles, all these CPOs say they are striving to work hand in glove with their data and security counterparts at their respective agencies.
ROLES AND RELATIONS
There’s naturally some overlap between privacy, data and security.
“Data management, data use, security and privacy all play a role in data life cycle management,” Jones said. To keep those areas aligned, “New York state has established governmentwide best practices for the use, protection, dissemination and generation of data. What we’re trying to do through that data governance piece is ensure that data is the highest quality and is used in responsible ways.”
Given the natural overlap between privacy, security and the uses of data, strategic cooperation is key. “It’s about building a strategy together to develop an enterprise approach,” Jones said. “My role is to build privacy and transparency into every state system and application and business process at every stage of the life cycle.”
Cotterill looks to Indiana’s IT org chart to help define the spheres of responsibility. The governor appoints the chief information officer and chief data officer, and the CISO and CPO report to each of them, respectively.
“The CIO, and the CISO reporting to him, they’re focused on providing cost-effective, secure, consistent, reliable enterprise IT services and products,” he said. “For the CDO, with the CPO reporting to him … we have a threefold mission: to empower innovation, enable the use of open data, and do that all while maintaining data privacy.”
IT provides “that secure foundation to do business,” while he and the CDO “are focused on the substantive use of data to drive decisions and improve outcomes,” he said.
The CIO provides the IT infrastructure, the CISO reviews it from a cybersecurity perspective and the chief data officer ensures there is meaningful data available to get to the desired outcome. “Then from my perspective, as the privacy officer, I’m looking at it to understand how we combine data from different domains,” Cotterill explained. “Are the right individuals seeing it for the right reasons, for the right duration?”
There’s a feedback loop as well, ensuring the security protections are in place to support the needed levels of privacy. This in turn requires further collaboration.
“The thing that makes my job a lot easier in that context is that our CISO and his team are really on top of [privacy]. They’ve got a lot of established policies and procedures around agency implementations,” he said. “So they’re able to check those boxes in a very robust way.”
In Washington, CISO Ralph Johnson describes his role as being, in part, to deliver the IT supports that make privacy possible.
“My role as CISO is more about the technology of protecting the information,” he said. “My job is not to pay attention to why they’re collecting the sensitive information, but to take cues from [CPO Ruckle] as to the sensitive nature of that data, and to apply the appropriate controls to protect that information.”
The team has processes in place to ensure that all the pieces mesh together. “I have a mechanism where my team specifically works with Ralph’s team in terms of new projects that require a security design review,” Ruckle said.
“We’ve added a question to the security design review checklist that flags whether or not a new project is going to be processing personally identifiable information. If that’s the case, then it gets kicked over to my team for a privacy threshold analysis,” she said. “Then we can incorporate the privacy impact assessment into that project, so that we are aligning with security in terms of protecting the information, and also mitigating the privacy risk pretty early in the process.”
A ROLE IN FLUX
At the North Carolina Department of Information Technology (NCDIT), CPO Cherie Givensdescribes hers as a role in flux.
When she was named the state’s first chief privacy officer in late 2021, “my primary responsibilities were to build and manage NCDIT’s privacy program, to develop privacy policies and privacy statements internally and with other agencies, to describe privacy requirements” and to work with vendor partners to facilitate data compliance, she said.
Prior to this, she had spent more than a decade supporting federal privacy programs. Based on that experience, she saw a need to refine the state CPO role. “My understanding of all the things that privacy touches is perhaps broader than some others,” she said.
To that end, “we have actually proposed to the Legislature something that defines the role a little bit more thoroughly,” she said.
With an eye toward a comprehensive privacy program, she needs legislative authority to coordinate more closely with the security team. Thus, the proposed legislation describes “a closer alliance between the chief risk officer or CISO and the chief privacy officer,” and it also articulates more fully certain information privacy and data protection principles and best practices, she said.
“One of the things where I need to coordinate closely with the CISO is in the implementation of technical privacy controls,” she said, and the proposed legislation calls for such coordination.
Since the CISO and the CPO are bound to cooperate anyway, why the emphasis on a legislative fix? It’s because legislation “brings awareness to the job and to the office,” she said. The CPO needs to work with the CIO to set the standards for privacy and to establish best practices, “and this brings that to light in a way that it’s currently not as visible.”
All this can have direct, practical outcomes. Bottom line: “I needed support staff,” Givens said. “I’ve been the only person for 14 months and I needed money to fund the office. I needed support staff to be able to do all the things that I do. This helps me to get that visibility and to get that support.”
THE FUTURE OF PRIVACY
Each of these state CPOs sees privacy as an evolving field.
Jones, for example, is focused on formal structures. Her office is currently defining privacy governance goals. “We’re in the process of creating a privacy work group internally, which includes the chief privacy officer, the CISO, and the CDO,” she said. “We’re also working right now on an enterprise privacy risk management framework … so that we can conduct those privacy risk management activities as part of an enterprise approach to privacy.”
Ruckle, meanwhile, is tracking the evolution of privacy beyond compliance. “A more mature privacy program is thinking of the broader perspective,” she said. That means “thinking about how the information’s going to be used … who has access to it, for what reasons.”
That intersects with her state’s CIO, CDO and CISO concerns. Going forward, there will be “a lot more focus on collection limitation,” Johnson said, restricting how applications take in data and ensuring they collect only what’s absolutely needed.
Givens, meanwhile, sees an emerging emphasis on a risk-management approach to privacy. That will be necessary, she said, in order for states to earn and keep the public trust.
In order to provide needed services, states need people to share their data. “If we’re not handling data in a way that we’ve told people we’re going to, in a way that is looking at the risks involved, then people are going to be less likely to share that data with us,” she said. “We need to be more trusted than others, in order to get the data that we need to best serve the residents of our state.”
Who’s Doing What?
CISOs are concerned with networks and intrusion, the security of the overall IT ecosystem.
CDOs are focused on how to organize data to make it actionable.
CPOS are worried about what data needs to be protected and at what levels.
Given the inevitable overlap, these are generally cooperative roles. The CPOs need to coordinate with CIOs, CDOs and CISOs in order to ensure privacy policies and procedures are being embedded into new processes and applications right from the start. This is especially true when processes incorporate personally identifiable information and other sensitive data.
This story originally appeared in the June issue ofGovernment Technologymagazine. Click here to view the full digital edition online.