laptop user (4Max/

States giving privacy officers a seat at the table

The chief privacy officer role in state governments is relatively new, but increasingly important. States manage a great deal of personal information -- birth, death and marriage certificates; driver’s licenses; criminal and victim records; and financial information, to name just a few -- and must adhere to privacy regulations, which differ based on data type. States are recognizing the value of CPOs, according to a new report by the National Association of State Chief Information Officers.

The number of state CPOs has risen from one in 2003 to about 12 now, according to the report, titled “Perspectives on Privacy.” Eighty-three percent of CPOs have been in the position for less than four years.

The structure of the role varies from state to state. Forty-two percent of CPOs report to the state’s CIO, 33% report to the chief information security officer, 8% to the chief data officer and 17 percent to others, the NASCIO report stated.

All but two CPOs said they have authority over the executive branch, while two said they have authority over only their own agencies. Most also said they consult with and advise the judicial and legislative branches.

The 12 CPOs described typical workday activities, which depend on the maturity of the state’s privacy program and how much authority the office has. Several CPOs recommended learning about agencies’ business, so they can better meet their privacy needs, and many said they conduct or administer privacy training for agency employees. Some work with a point person at other agencies to delegate privacy-related tasks.

“Of course, despite their efforts at training and striving to bring agencies into a proactive mindset around privacy, any CPO will spend time responding and reacting to privacy incidents and answering the privacy, legal and compliance questions that arise from agencies,” the report stated.

Unsurprisingly, privacy culture also is related to how mature a program is. Those with more-developed programs view privacy proactively, while newer ones take a more reactive stance.

When NASCIO asked survey respondents what state leaders considering adding a CPO should think about, three main themes emerged: CPOs need an enterprise view, a budget and enforcement authority and a point of contact at every agency.

CPOs have a variety of titles -- chief compliance officer, privacy program manager, compliance and privacy officer, for example -- but regardless of the specifics, the report stated, “it’s safe to say that most states have someone working on privacy issues even if it’s not their full-time job or not at the enterprise level.”

About the Author

Stephanie Kanowitz is a freelance writer based in northern Virginia.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected