State

State privacy chiefs are watching AI closely

Three state privacy chiefs said they're paying close attention to AI is they bootstrap their practices inside government.

By Colin Wood

March 5, 2024

(Getty Images)

Privacy practices are in many states are only in their nascent phases, but three state chief privacy officers told StateScoop that AI will be a core concern as they scout for policy potholes and identify useful new tools.

Indiana Chief Privacy Officer Ted Cotterill said his state may be the “new kid on the block” when it comes to privacy policy, but privacy is getting more attention as state policymakers figure out how to use emerging technologies like generative artificial intelligence.

“It’s a function of privacy that we’ve been put front and center in Indiana’s AI governance initiative,” Cotterill said Tuesday during StateScoop and EdScoop’s Cybersecurity Modernization Summit. “I recently testified before our Interim Study Committee on Commerce and Technology around AI and what we expect state agencies to do and the constraints we want to put on those implementations to ensure we do it the right way. We want to adopt trustworthy AI with outputs that align with our values.”

In the same session, Utah’s Christopher Bramwell said the state must determine how to “do privacy” in relation to a technology as new as generative AI.

“In my view we have to watch it very closely,” said Bramwell, Utah’s chief privacy officer of government operations. “We’re not going to hinder AI, but make sure privacy gets incorporated into how they’re building out these AI architectures and solutions to ensure we can still meet our privacy obligations and adhere to those privacy principles

Washington state Chief Privacy Officer Katy Ruckle said she intends to build on policies and practices already established by her state and federal agencies for other purposes, rather than start from scratch. She pointed to the executive order Washington Gov. Jay Inslee signed in January that directed 12 months of policy work, some of it based on various AI, cybersecurity and privacy frameworks established by the National Institute of Standards and Technology.

Cotterill said that for all of Indiana’s privacy work, not just with AI, it’s important to align policies with the agencies’ existing missions to encourage participation and compliance.

“They all have something they’re already charged with,” he said. “We have to do more with less, always. That’s the expectation, so we come to them and say, ‘Now you have to do privacy and you need to do governance. Our goal is really to articulate the value for the enterprise, maybe even for that business unit, and make it easy.”

In Utah, the state legislature is still deciding where to house the state’s new privacy practice. Bramwell said that while existing state and federal policies and frameworks can be useful, privacy in Utah is sometimes challenged by the headstart enjoyed by its cybersecurity policies.

“[Privacy is] happening naturally because we realize it’s a big social issue of the time,” Bramwell said. “Part of the difficulty, and some of the pain, [is] we’re having to build privacy when there’s already an established cybersecurity strategy, so we’re having to put a lot of emphasis into aligning our privacy strategy with cybersecurity. … There’s a lot of pain points in that you have to get a uniform strategy in how to pull this all together.”

The good news, Bramwell said, is that as with cybersecurity, Utah is pursuing an “all of state” approach to privacy that could ensure a uniform approach to how all public-sector agencies across the state manage privacy risks.