Oct 03 2023

States Should Appoint Chief Privacy Officers and Give Them Authority

Agencies must prioritize the protection of citizen data.

By 2022, 21 states had appointed chief privacy officers, spotlighting the growing importance of the role, according to a report from the National Association of State Chief Information Officers. In 2019, only 12 states had established the position.

Chief privacy officers agree that they must be very visible and have the authority to get things done. They tell NASCIO that visibility is boosted through their placement in a key agency such as the governor’s office or the IT department.

A strong relationship with the state IT agency is important as technology officials serve as stewards of sensitive information, such as citizen data. As of last year, only five states — California, Colorado, Connecticut, Utah and Virginia — had enacted comprehensive privacy legislation.

The role of the chief privacy officer becomes even more critical in guiding those mechanisms that are available to ensure data privacy. States would benefit from such oversight.

Click the banner to learn how your agency can increase its ransomware recovery capability.

Better Secure Your Privacy Framework

In addition to funding a government privacy office, NASCIO advocates for establishment of privacy governance. In 2022, about 30 percent of chief privacy officers said their states had a privacy program, and about 40 percent said they were developing one. The remaining 30 percent lacked a privacy program.

Among those that have established privacy governance, most indicated they have adopted the National Institute of Standards and Technology Privacy Framework. “Frameworks are used to measure and improve an organization’s privacy program, and we recommend that all states use one,” NASCIO stated in the 2022 report, “Privacy Progressing: How the State Chief Privacy Officer Role is Growing and Evolving.”

The NIST Privacy Framework prescribes a flexible set of activities that government agencies can follow for privacy protection. “It is a good baseline and can be used as one tool of many for privacy management within the context of the enterprise value stream as the starting point to embed privacy protections, best practices and controls from an organizational perspective,” notes ISACA.

The framework can operate hand in hand with the NIST Cybersecurity Framework. Agencies that administer customer relationship management programs for state citizens may have a particular interest in the framework synergies.

LEARN MORE: How states are broadening their cybersecurity frameworks.

Review These Security Best Practices

New York state appointed Michele Jones as its first chief privacy officer last year, placing her in the Office of Information Technology Services. She agrees that a federal law would make protecting privacy easier.

“It would certainly be helpful if we could have a uniform approach at the national level so that we could standardize on our process for the states,” Jones said at NASCIO 2022.

That year, Congress considered the American Data Privacy and Protection Act, which gained some support but not enough for a floor debate in either the House or the Senate.

Still, the ADPPA supports several good concepts worthy of adoption by state governments. The proposal would set national requirements for data minimization, individual ownership and private right of action.

According to the Electronic Privacy Information Center, data minimization “is the standard for limiting the collection, use, transfer and retention of personal information to that which is reasonably necessary.” Individual ownership establishes the idea of data as property, requiring citizens to be informed as to how the government uses their data, reports the International Association of Privacy Professionals. And private right of action would empower citizens to file lawsuits if their privacy rights were violated, says the law firm Husch Blackwell.

EXPLORE: Does your state agency have a cybersecurity recovery program?

First Steps to Improving State and Local Security

Should a state not have a framework or other legal protections, chief privacy officers can forge relationships with the state CIO, CISO, chief data officers, general counsels and other officials to advocate for policies that work.

Officials also can start testing the waters by getting involved with NASCIO and similar organizations, chief privacy officers say.

Seeing what others are doing and gathering information can help set baseline expectations for shaping a good policy. Peers can provide resources that inform policy prescriptions and ad hoc working groups can recommend next steps in adopting effective data governance to ensure privacy protections.

This article is part of StateTech’s CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.


Laurence Dutton/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT