Better Secure Your Privacy Framework
In addition to funding a government privacy office, NASCIO advocates for establishment of privacy governance. In 2022, about 30 percent of chief privacy officers said their states had a privacy program, and about 40 percent said they were developing one. The remaining 30 percent lacked a privacy program.
Among those that have established privacy governance, most indicated they have adopted the National Institute of Standards and Technology Privacy Framework. “Frameworks are used to measure and improve an organization’s privacy program, and we recommend that all states use one,” NASCIO stated in the 2022 report, “Privacy Progressing: How the State Chief Privacy Officer Role is Growing and Evolving.”
The NIST Privacy Framework prescribes a flexible set of activities that government agencies can follow for privacy protection. “It is a good baseline and can be used as one tool of many for privacy management within the context of the enterprise value stream as the starting point to embed privacy protections, best practices and controls from an organizational perspective,” notes ISACA.
The framework can operate hand in hand with the NIST Cybersecurity Framework. Agencies that administer customer relationship management programs for state citizens may have a particular interest in the framework synergies.
Review These Security Best Practices
New York state appointed Michele Jones as its first chief privacy officer last year, placing her in the Office of Information Technology Services. She agrees that a federal law would make protecting privacy easier.
“It would certainly be helpful if we could have a uniform approach at the national level so that we could standardize on our process for the states,” Jones said at NASCIO 2022.
That year, Congress considered the American Data Privacy and Protection Act, which gained some support but not enough for a floor debate in either the House or the Senate.
Still, the ADPPA supports several good concepts worthy of adoption by state governments. The proposal would set national requirements for data minimization, individual ownership and private right of action.
According to the Electronic Privacy Information Center, data minimization “is the standard for limiting the collection, use, transfer and retention of personal information to that which is reasonably necessary.” Individual ownership establishes the idea of data as property, requiring citizens to be informed as to how the government uses their data, reports the International Association of Privacy Professionals. And private right of action would empower citizens to file lawsuits if their privacy rights were violated, says the law firm Husch Blackwell.
First Steps to Improving State and Local Security
Should a state not have a framework or other legal protections, chief privacy officers can forge relationships with the state CIO, CISO, chief data officers, general counsels and other officials to advocate for policies that work.
Officials also can start testing the waters by getting involved with NASCIO and similar organizations, chief privacy officers say.
Seeing what others are doing and gathering information can help set baseline expectations for shaping a good policy. Peers can provide resources that inform policy prescriptions and ad hoc working groups can recommend next steps in adopting effective data governance to ensure privacy protections.