According to plans shared with StateScoop, the update includes a refresher training on the requirements of a 2017 law that standardized the city’s privacy practices and created a chief privacy officer role. The update also urges privacy officers to establish monthly meetings with their agencies’ chief information security officers to help increase communication between the two branches of the city’s Office of Technology and Innovation.
The update comes as part of the city’s continued work to establish standardized privacy practices across its agencies that stand independent of cybersecurity efforts on the local level, an effort that puts the city several years ahead of many other states and municipalities in the maturity of its office and policies.
Michael Fitzpatrick, who has served as the city’s chief privacy officer since last April, told StateScoop that improving the collaboration between privacy and cybersecurity has been a priority area of improvement. He said it starts with informing each about what the other does.
“And so one of the ways that we do that in the policies is to really provide an education and an overview of the role of the cybersecurity professional, as it overlays into the privacy landscape and the role and the work of a privacy officer,” Fitzpatrick said.
This education is important to unifying the city’s approach to its privacy practices, Fitzpatrick said. Since the city does not yet have a set requirement on education or training for its 175 agency privacy officers — which Fitzpatrick said is a challenge — providing in-house training throughout the onboarding process for new agency officers and supporting them throughout the year helps bridge the divides in approaches to the field.
“We hold regular meetings for privacy officers, generally, where we can take deeper dives on specific topics,” Fitzpatrick said. “And one of the areas that we’re going to update this go around as well is also integrate a refresher training for our agency privacy officers, recognizing some of them may have been appointed now, maybe four years ago. Just giving them a regular update on the current state of play on local law, compliance, as well as privacy best practices generally.”
Fitzpatrick’s office is also updating the agency privacy officer toolkit hosted on the city intranet. It provides the city’s privacy officers with compliance models and guidance on issues like how long their agencies should be holding onto sensitive data.
Along with the recommendation for a monthly meeting between each agency’s privacy officer and the agency chief information security officer, the updated toolkit will also supply officers with template agendas for those meetings, he said.
The recommendations, Fitzpatrick said, were formulated with input from the Citywide Privacy Protection Committee. The group was created by the 2017 Identifying Information Law and is comprised of several New York City agencies and officials appointed by the city mayor. Every two years, the committee gathers to review and analyze the biennial privacy practice reports submitted by city agencies, and this year, a top policy recommendation was to increase communication between the cyber and privacy sides of agencies.
Fitzpatrick said driving this communication has been a determining factor for New York City’s privacy practices since his office was created in 2018. He said that even though New York City was forward-thinking in anticipating the growing need for privacy infrastructure as its own field in tandem with cybersecurity, it’s imperative to keep that going.
“I think it’s really important to make sure that while that those communications can also be technical, we’re again, we’re driving that conversation and that collaboration that at the agency level, and then certainly in the world of investigating potential or known incidents, we work very closely together as well,” Fitzpatrick said. “And I think it’s critical that you have that partnership between privacy, privacy and security in that context.”