More states appoint chief privacy officers to protect people’s data

 

Connecting state and local government leaders

To ensure the public's trust, more states are hiring privacy officers who understand the rules and risks around the release of personal information.

This article originally appeared on Stateline, an initiative of the Pew Charitable Trusts.

In this age of hackers and cybercriminals, every state has a top security official focused on preventing breaches and protecting the vast amounts of data it collects. Now, a growing number also are hiring a top official to make sure that the privacy of residents’ personal data is protected as well.

Many large companies have employed chief privacy officers for years, but they were rare in state government. A decade ago, there were only a few; today, at least eight states have them — Arkansas, Indiana, Kentucky, Ohio, South Carolina, Utah, Washington and West Virginia, according to the National Association of State Chief Information Officers. Arkansas hired its first in June.

“I expect we will see more states doing this in the future,” said Amy Glasscock, a senior policy analyst at the association. “It’s good to focus on privacy rather than just security because of the sensitive information that state governments have on citizens. Educating state agencies how to keep things private is very important.”

States collect reams of confidential information from residents, such as Social Security numbers, health records, tax forms and credit card numbers. Much of it is stored digitally and some states also use the cloud, remote servers that can be accessed over the internet instead of on a computer hard drive.

Chief privacy officers are tasked with ensuring that state agencies safeguard that information and comply with privacy regulations. That means state employees who handle data must know how to protect sensitive information when they use or share it.

South Carolina created its chief privacy officer position, for example, after a major data breach at the state Department of Revenue in 2012 that compromised the personal information of nearly 4 million taxpayers.

Chief privacy officers typically create statewide privacy policies that apply to every agency and require that staffers be trained. They meet regularly with state agencies’ privacy teams and evaluate new technology to make sure it doesn’t conflict with privacy protections. Some also offer services to consumers to educate them about protecting their privacy.

“It’s a great idea to have state privacy officers,” said Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a San Francisco-based digital civil liberties group. Governments must “understand that in their information and data operations they can actually do bad things when it comes to privacy.”

Alex Alben, Washington state’s chief privacy officer, said his office is rolling out a privacy checklist app for state and local governments with dozens of topics employees can search, such as how to assess the impact of a program on privacy or protect location-tracking data on mobile devices.

His office also has created a privacy guide for residents and does public outreach.

“You don’t want to just live in this bubble in the state capitol,” Alben said. “It’s important to know what residents’ concerns are about privacy and how their data is being used. We respond to people’s questions and try to be advocates for them.”

Privacy and cybersecurity

State chief privacy officers work closely with chief information security officers, who oversee cybersecurity. Cybercriminals are constantly scanning state computer networks seeking out vulnerabilities. In recent years, they have stepped up their attacks.

“If there’s been any sort of infiltration of a system, privacy is very important,” said Sallie Milam, West Virginia’s chief privacy officer. “We need to know what individuals are affected, what data was impacted, and what is the risk of harm.”

In a 2016 survey of state CIOs, 65 percent said recent cybersecurity incidents had changed the way they approached oversight of privacy issues. Still, only 11 percent said their state had an executive-level chief privacy officer.

The CIOs said they were concerned there was a lack of awareness in state agencies about the importance of privacy.

“If you’re really focused on security, it’s easier not to give as much attention to privacy issues,” said Glasscock, of the chief information officers’ association.

And chief privacy officers don’t just deal with external threats. Sometimes, breaches occur when state employees inadvertently release data that contains personal information, email a confidential document in an unsecured format, or don’t securely store it.

“As long as we have humans in these jobs, mistakes can happen,” Milam said.

Facing challenges

A major challenge for chief privacy officers is ensuring that state vendors follow the proper privacy procedures. That can be difficult, given their numbers and the fact that many are small businesses.

“A lot of vendors, I imagine, just sign the document, and are not engaged in extensive compliance,” Milam said.

Washington state’s Alben said he worries about who is overseeing contractors to make sure they’re abiding by privacy rules.

“What are their privacy policies? How do you know they’re enforcing them? What happens when the contract ends?” he said. “These are all things we need to know about.”

Chief privacy officers also must make sure their efforts don’t impede the public’s right to know. A lot of data collected by states isn’t private; it’s public information that should be accessible to anyone.

Glasscock, of the chief information officers’ group, said many states haven’t bothered to create chief privacy officer positions because they don’t want to spend the money.

“You need buy-in at the executive level and from the governor,” she said. “You need people who feel really passionate about the issue.”

But that may be changing. “I think there is a growing trend toward governors caring about this issue and considering it as a priority,” she said.

Milam, who was appointed in 2003 and was the nation’s first state chief privacy officer, agrees the concept is gaining momentum in state capitols.

“There will have to be more of us in the future,” she said. “Privacy officers understand the rules and risks around the release of data. You have to have someone with that expertise, or you’ll lose your public trust.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.