States looking to improve their privacy policies should ensure their top privacy officials are correctly positioned in their organizations and have authority over executive agencies, according to a policy brief published Wednesday by the National Association of State Chief Information Officers.
Data privacy issues have become prominent in state government in recent years as more data breaches have occurred and internet-connected devices have become more common. The report notes that 12 states have hired chief privacy officers since 2003, when West Virginia was the first to create such a position.
“This is a great time to highlight this role for states that are just getting started down this path,” Jennifer Davis, Arkansas’ chief privacy officer and a co-chair of NASCIO’s privacy and data protection working group, said in a press release.
The nine-page document draws on interviews conducted earlier this year with the 12 state privacy officers and distills the talks into three lessons thought to yield the highest degree of privacy consideration and efficacy from the role:
1. Give the chief privacy officer an enterprise view and authority
Some privacy officers argued the role belongs in a compliance or legal environment, while others said the CPO belongs within an information technology office. But NASCIO reports a consensus that the role needs to have “authority and placement over the state government enterprise to be most effective.”
Those in favor of putting the privacy office in the IT office noted that such an arrangement only works if the state has a consolidated IT environment in which that office has centralized authority.
2. Chief privacy officers are most effective if given enforcement authority and a budget
NASCIO reports that many CPOs only have the option of making their services available when other agencies ask for them. But having the ability to enforce privacy policies “results in consistency among the executive branch agencies on how they collect data and why it is collected.”
3. Chief privacy officers can do their jobs better if given a designated privacy contact in each agency
Privacy officers said having designated contacts helps them to understand the business processes for each agency and provides a formal channel for maturing the privacy policies of those agencies.
The report says that having those contacts in place also provides a chance to share best practices with other agencies.