How Indiana’s data-privacy policies prepared the state for COVID-19

Data-privacy is a widespread concern in government, but many states have yet to formalize the practice.

In an online conference hosted by the National Association of State Chief Information Officers on Wednesday, Indiana Chief Privacy Officer Ted Cotterill encouraged other states to consider adopting his state’s privacy model, which he said was invaluable to policymakers this year as they responded to the COVID-19 pandemic.

Cotterill outlined several new programs developed through his office in recent years that were designed to shift the Indiana state government toward a “culture of yes” when it comes to enterprise data-sharing practices. State agencies were previously inclined, he said, to refusing every interagency request for data, often citing federal privacy regulations regarding health information, education or law enforcement.

“Interagency sharing is much more efficient and I think, as a result, effective for state government and then ultimately for our citizens,” Cotterill said. “We worked to change the culture there and I think the interagency default has now become ‘yes.’”

‘A labyrinth of rules’

Cotterill said that his state’s data analytics office, called the Management Performance Hub, establishes policies and mechanisms that remove legal or technical reasons to decline data-sharing requests. Ensuring the relevant agencies were kept at the center of the decision-making process was a particularly important step in this cultural transformation as he sought data he said was behind “a labyrinth of rules and regulations and forms and contracts.”

“Throughout all of this time working with these agencies, we’ve developed lasting business relationships,” Cotterill said. “And this really goes to the heart of: we don’t believe we’re the smartest people in the room. We’re the data folks, and we have degrees of subject matter expertise, maybe in health and human services or in education and workforce, but we don’t have the depth of expertise that our partner agencies do.”

One common snag was the sometimes months-long effort it took to launch each new project, so the office streamlined the technical and legal aspects of data-sharing, Cotterill said. Previously, he said, each new instance of data sharing required a new agreement, but after determining that 90% of the language in those agreements was near-identical, the documents were standardized. Now the Management Performance Hub simply keeps a single data-sharing agreement on file for each agency that can be recycled for new projects.

COVID-19 response

Sharing data with outside researchers, particularly at public universities, he said, presented the data analytics office with additional challenges. Each data-sharing agreement required a lengthy questionnaire and they eventually expired. To streamline that process, Cotterill’s office created the Enhanced Research Environment, a data-sharing “sandbox” built on Microsoft Azure that allows teams in various organizations to work together on projects without worrying about whether they’ll face a federal audit for their work.

The platform was completed in March, just as the coronavirus pandemic reached Indiana.

“It came at a good time. This was a huge win for the COVID-19 response,” Cotterill said. “This includes the department of health folks, social services people, our chief data officer and people from other agencies, but it also includes those Ph.D. level researchers. We have these talent partnerships with our research universities, whereby this Ph.D. epidemiologist person can sit alongside our team and help to inform our exploration of this COVID-19 response.”

According to a presentation submitted for NASCIO’s annual awards, the Enhanced Research Environment is used by officials to collaborate with the Regenstrief Institute, an Indianapolis medical research facility, the Indiana Health Information Exchange and Indiana University. Predictive models for disease propagation and resource distribution are shared with Gov. Eric Holcomb’s office and used by the National Guard to provide supplies and stand up field hospitals. The data’s used by health care providers to monitor and allocate resources like hospital beds, ventilators, personal protective equipment and viral swabs.

“If data-sharing had been relegated to email, most of the computation would have been pushed to local environments, which would have been less secure, less accurate, and a lot slower,” the presentation read. “[Third-party partnerships were] also critical to the speed of the response in the early days of the outbreak when every minute mattered. The ERE enabled analysts and researchers to access critical datasets within hours, rather than weeks.”

‘Partner in privacy’

But none of this collaboration can happen if data practitioners write policies that try to circumvent federal privacy rules, rather than working with them, or foist privacy requirements on the agencies they work with, Cotterill said.

“CIOs need to know they have a partner in privacy that wants to get things done, somebody that is trying to find a way to ‘yes,’” he said.