Utah auditor names statewide chief privacy officer
The Utah state auditor this week named Whitney Phillips, who’s spent the past five years as privacy officer for the Utah State Board of Education, as its first statewide privacy chief.
The announcement Tuesday follows the role’s creation earlier this year, along with several other recent measures that advanced Utah’s efforts to protect residents’ personal data. While Christopher Bramwell, the state’s new government operations privacy officer, evaluates the privacy practices of agencies within the Utah state government, Phillips, who’s set to start at the end of the month, will be tasked with monitoring the rest of the state, including cities, counties, school districts, colleges and universities.
Both roles were created by a law passed this year that also established a 12-member Personal Privacy Oversight Commission, mostly composed of private-sector advisers, that reports to the state legislature. Utah Auditor John Dougall told StateScoop the law was preceded by concerns arising last year that surveillance technology from a state vendor, Banjo, had not been properly vetted before being implemented. Dougall said his recent audits of the state’s controlled substance and driver’s license databases, which found the state was holding onto more information “than seemed necessary,” also primed the law’s passage.
Dougall said many residents have remaining concerns with technologies such as facial recognition and automatic license plate readers, but that Phillips’ role will begin with the broad task of surveying the Utah public sector for possible flaws in data-privacy governance.
“I think the first task is to get a lay of the land,” he said. “What are the risks, what are the practices? And try to get a better understanding of these governmental entities and what’s really taking place.”
Phillips, whom Dougall said will compare notes with Bramwell, will be responsible for the oversight of about 1,000 government entities in Utah. She’s supposed to analyze government practices, provide training materials, spot the greatest risks and then tell the legislature what should be done about them.
As the education board’s privacy officer, Phillips has attempted to wrangle a public education system that during the pandemic rushed into new technologies and practices, often at the expense of student data-privacy. In a July 2020 interview with an education initiative led by the Future of Privacy Forum, Phillips called this compromise by educators “understandable” and “not necessarily nefarious,” but she said she’d been encouraging educators to work with their IT departments and to consider privacy.
“Schools should have direct control over the use and maintenance of education records shared with any online learning tools, and these tools should be vetted,” she said. “Schools should also have conversations with students and parents on how to protect their own privacy, for example, thinking about when it is advisable to have the mic muted or webcam turned off — so teaching families and students how to navigate these tools and think about privacy and security.”
Fewer than 10 states — including Arkansas, Ohio and Washington — have created chief privacy officer roles in recent years, and even fewer have dual privacy roles, as Utah does. Dougall said he believes the practice is “leading-edge” for government.
“When I was in college — late 80s, early 90s — my Social Security number was on the bulletin board, along with my grade for the class,” Dougall said. “Nobody thought twice about that, that was your student ID. It was nice and convenient. Today, heaven forbid. We would never do that, but sometimes government has practices from decades ago and it hasn’t recognized how society has shifted.”