Washington shines a spotlight on privacy
- By Sara Friedman
- May 17, 2018
Washington state Chief Privacy Officer Alex Alben is encouraged by growing public interest in data privacy and is working with agencies to more responsibly manage the data they collect on residents. Alben spoke with GCN about his efforts to educate state agencies on improving privacy practices.
Alben’s answers have been edited for length and clarity.
How does Washington protect the privacy of residents' data?
Over 40 states including Washington have some sort of data breach notification law, but we have specific laws that deal with certain data types. For example, last year the state legislature passed two laws that covered biometric identifiers, which is your DNA, fingerprint or voiceprint.
The legislature thought it was important to get ahead of the curve with this kind of data since it is so valuable and personal. We have one law that governs what state agencies can do with biometrics, and we have another that is a consumer protection law, which sets out a framework for what companies can do with biometric identifiers.
How are you educating agencies around data protection issues?
One of our initiatives is to promote the concept of data minimization. Many states across the country still collect lots of information about their residents thinking that information might come in handy one day. Now, we live in an age where it is very easy to collect information and store it. As a result, it is critical that we shift our mentality and only collect the kind of data that we need to in order to provide a specific service or transaction for a customer or resident. It is a big shift because it means that we will collect a little less data, but it will be much easier to manage that data. Data minimization isn’t unique to us, but it is a core privacy principle that we are trying to distill throughout the state.
What tools have you developed to help agencies manage privacy?
When I came into the office in 2015, it became apparent that I could give talks to different agencies, but we needed to create some tools to help them realize their goals. The first tool that we developed was a privacy modeling app. Many people dealing with data didn’t know what the laws were, if any, that applied to that data. Therefore we put together a web-based application that calls on a database of state and federal laws that pertain to privacy.
This tool enables a user to look up a specific concept or use case and find the ways that privacy laws apply. For example, if you wanted to use a Social Security number and publish it somehow, the application would tell you what the state and federal laws applied to Social Security numbers and if there were restrictions based on the laws that exist in the state of Washington and the U.S.
The tool establishes a baseline understanding of privacy laws for agencies building an application or a new service. In regards to specific kinds of data like health care data, our state health care agencies know the federal HIPAA law very well, so this application isn’t designed for someone who has that expertise. But for the person or programmer who wants to understand if there are laws that apply to certain kinds of data, privacy modeling can be a useful tool.
The next application that we are launching is privacy checklist. I can advocate privacy best practices in talks, but it is not specifically helpful when an agency or local government is trying to adopt these practices with respect to certain aspects of data. For example, there are various ways to do data sharing. You can hand someone a hard drive or you can make them sign an agreement on how long the data is going to be used and kept.
This application generates a checklist of best practices that is specific to the user query. When someone types "data minimization" into the search bar, it will give the user multiple checklists that have to do with data minimization. The overall goal is to put the tools in the hands of the users to let them manage the details when it comes to privacy.
When will the privacy checklist to go live?
We are doing a beta test first of the checklist, and I would expect the beta test to roll out in an about a month. We are working with an outside developer in Seattle on both of these projects. We received funding from the Hewlett Foundation, which has a cyber initiative and the work that we are doing fits under that initiative.
How do you see data protection standards evolving?
People move across borders and their data moves across borders. A lot of our data is processed by computers and databases all of over the world. It begs the question of whether we need an international standard for data as opposed to trying to fit this under little boxes of where the person happens to be at the time. Thirty years from now, we are going to think that it is silly to have local laws governing data.
Will the European Union's General Data Protection Regulation protecting the privacy of EU citizens affect your office's operations?
It is hard to envision scenarios where an American state would monitor behavior inside the EU, but if it did then it would be subject to GDPR. We are educating agencies what GDPR does.
Part of the role of our office is to educate consumers. We also work with the legislature on creating new laws that will protect the data of Washington residents. There is a growing realization that people don’t have much control over the data collected about them. This has come to bear in the Equifax breach and recent Facebook controversy. We are finding that people are very upset about how their data is being used without their consent.
GDPR is going to raise the bar for data protection. First, it will happen in Europe, but we do see some American companies saying that they will apply the GDPR principles across the globe even to their users in the U.S. I find that kind of thing very encouraging because it means that Americans will enjoy more data protections. This will also increase pressure on Congress and state legislatures to improve data protection for American citizens.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at [email protected] or follow her on Twitter @SaraEFriedman.
Click here for previous articles by Friedman.