State

21 states now have chief privacy officers, with more on the way

A NASCIO report found the role of chief privacy officers has grown considerably since 2019, though many hurdles remain.

June 15, 2022

(Getty Images)

The role of chief privacy officer now exists in 21 state governments nationwide, as the explosion in digital government services has put far more personal data online, according to a National Association of State Chief Information Officers paper released Wednesday.

Many states’ privacy programs are also maturing as citizens become more conscious of privacy rights and worried about how government and other entities might be handling their personal information, the association found.

The 21 privacy officers NASCIO identified represent a 75% increase over the 12 who were in office when the association last researched the role in 2019. And many of the roles have gained more solid legal footing, being established either through acts of legislation or governors’ executive orders. The position is also growing in popularity as data-privacy considerations increasingly rise to the top of IT officials’ concerns when considering new technologies or programs, Amy Glasscock, NASCIO’s program director for innovation and emerging issues and the report’s author, told StateScoop.

“It’s definitely becoming a top priority,” she said.

A range of authority

Glasscock said that in addition to the 21 states that’ve named statewide privacy officials, she’s heard of at least three more states that are planning on adding such a role this year.

Even as chief privacy officers grow in ranks, though, their authorities differ from state to state, and may be trending in startling directions, Glasscock said. Fifty-three percent of the privacy officers NASCIO interviewed this year said they have authority over their states’ entire executive branches. That’s actually down from 2019, when 83% said they had that scope. Meanwhile, 35% of privacy officers in 2022 said their oversight was limited to just their agency, while 12% said they look at the entirety of state government.

But the report points out that while the decline in the percentage of privacy chiefs who have authority over an entire executive branch could be “concerning,” the overall number of state privacy officials is still small sample size.

Those figures could also be influenced by the fact that, across states, privacy officers are scattered across different offices: 29% of chief privacy officers answer to their state CIOs; about one-quarter report to a chief information security officer; and the remainder work for a range of other officials, including some who report directly to a governor’s office.

“Get a handle on what your role is for the state and then build out from that authority,” one CPO is quoted in the report as saying. “There is a fear from others that the state CPO is there to tell everyone ‘no’ so you need to proactively counter that attitude.”

Its own thing

About three-quarters of CPOs are also trained as lawyers, though many are also earning industry credentials like the Certified Information Privacy Privacy Professional, or CIPP, mark issued by the International Association of Privacy Professionals. And 88% of privacy officers told NASCIO their days are split between writing policies and standards — based on frameworks like that issued by the National Institute of Standards and Technology — and operational duties like incident response and employee training. And 59% of CPOs said they are involved in the approval process for IT procurement and contracting.

The greater concern, Glasscock said, is that even as privacy becomes a more popular policy area for state government, it remains underfunded. Only one state, Washington, has dedicated funding for government privacy operations, spending about $3 million annually. Elsewhere, privacy functions are funded by IT, cybersecurity or other agencies where the job is stationed.

That uncertainty contributes to other worries, including shortfalls in qualified staff to execute privacy operations. Glasscock also said many CPOs encounter state employees who confuse privacy rules and trainings with cybersecurity protocols.

“That’s the nature of privacy,” she said. “People confuse it with security.”

As the 2019 report did, NASCIO’s new look at chief privacy officers makes three recommendations: Ensuring dedicated funding for privacy operations and staff, establishing clear governance structures and developing relationships with agencies.

Even with the concerns flagged in the report, Glasscock said the overall growth in the number of privacy officers is cause for optimism.

“This is what people were telling me in a perfect world,” she said. “We’re slowly inching in the right direction.”