Dec 22 2016

Why Some States Are Hiring Chief Privacy Officers

Data breaches and proactive consumer and internal awareness are the driving forces behind a renewed focus on privacy leadership.

As the digital revolution continues to make waves in the C suite, we’re seeing yet another title emerge among state and local governments. We first made way for the chief digital officer, and now we’re seeing chief data officers pop up in cities across the country. But some states are zeroing in on privacy as a C-level discipline and focal point.

There are currently six states that have a chief privacy officer (CPO), says Amy Glasscock, a senior policy analyst at the National Association of State Chief Information Officers (NASCIO): Washington, West Virginia, Ohio, South Carolina and Arizona and Utah.

“I believe the first chief privacy officer was in West Virginia, and that’s Sallie Milam. She’s been doing that for a while,” says Glasscock. “They have quite a network of chief privacy officers.”

What has led states like West Virginia to prioritize privacy at such a high and visible level? Part of it can be attributed to the fact that as citizens’ lives become more digital, more compromising information is gathered and shared by governments on their behalf.

“When you look at the sort of information that states are collecting, there’s a lot of sensitive information that the states do hold from their citizens. This kind of goes hand in hand with cybersecurity as well. Every state now has a CISO, so when there is a breach of data, it’s a security issue but also a privacy issue,” says Glasscock.

South Carolina’s office of privacy was created, Glasscock points out, in response to a breach the state suffered in 2012.

So What Does a Chief Privacy Officer Do?

The roles and responsibilities of a chief privacy officer vary, depending on the level of the state organization. At the highest level, it often involves things such as directing policy writing and standards definitions.

In an interview with Government Technology, Washington CPO Alex Alben said his role and responsibilities were covered in three broad categories:

  1. Internal policy and education within the state agencies
  2. Evaluation of new technologies the state is considering for privacy implications
  3. Consumer awareness and education on privacy issues

While these responsibilities might roll up to a CPO, that doesn’t mean that states that don’t have a CPO aren’t doing similar work. In many cases, this kind of work falls on the chief information security officer.

“There’s definitely overlap,” says Glasscock. “If there is a chief data officer, CISO and CPO, they’re likely working together on all of those things.”

When a dedicated office of privacy is set up within a state, it’s often due to a lack of a centralized privacy plan and focus. While many states are doing some privacy work — as privacy becomes an increased pain point for citizens — some states are deciding that a dedicated leader (and potentially an entire team) make the most sense to get ahead of the issue.

Especially since the definition of privacy — and what is and isn’t deemed to be private — is fuzzy, at best.

“From NASCIO’s perspective, we’re just thinking of it from the things that citizens expect to remain private, remain private,” says Glasscock. “Be straightforward with citizens about what you’re collecting.”


Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.