A report published earlier this year by the National Association of State Chief Information Officers found that 21 state governments now employ chief privacy officers, with more expected to be added in the coming years.
New York State recently added itself to that group, when state CIO Angelo “Tony” Riddick and Marcy Stevens, the chief general counsel for the state Office of Information Technology Services, hired Michele Jones, an attorney and former longtime compliance and risk management officer.
In an interview Wednesday at NASCIO’s conference in Louisville, Kentucky, Jones said she plans to spend the first several months in her new role evaluating data-privacy frameworks and determining which best suits New York’s sprawling state government. She said the goal is to give the state’s more than 19 million residents assurances that the data they share with agencies is safe.
“I want to give New Yorkers confidence in their systems,” she said. “We need to tell people how we use their data and how it’s controlled.”
Jones, who was hired away from Capital Region BOCES, an educational and workforce development organization in the Albany area, said New York agencies currently store their digitized data separately, though that could change if the state centralizes its data storage. That, she said, would create the need for safeguards so that personal data used by one agency — such as gender or impaired vision on file with the Department of Motor Vehicles — is not misused by another agency that has no need for such information, like the state Department of Taxation and Finance.
“Agencies don’t need to share all their data,” Jones said. “There’s a lot of talk to create one big database.”
Jones said she’s looking at the data privacy framework issued by the National Institute of Standards and Technology and that she anticipates drafting an executive order for Gov. Kathy Hochul to sign eventually. Once implemented, she said, the New York Office of Information Technology Services will be better equipped to set levels of encryption and access around personal data held by the state government.
Jones also said that while government data privacy is closely tied to cybersecurity policy, she sees a strong distinction between the two practices.
“I’ve got the constitutionally protected right to keep my data private,” she said. “That’s due process. That’s the Fourth Amendment. Cybersecurity is about protecting data. But I get to tell you who accesses it.”