Creating a culture: How state privacy officers hope to rebuild public trust
A government that the public does not trust is collecting more of its data than ever before.
Recent landmark data-privacy laws — like the European Union’s General Data Protection Regulation and the California Consumer Privacy Act — reveal a growing interest to protect consumers from companies that would otherwise capitalize on their personal information in questionable ways. But it’s only more recently that some governments have started holding themselves to the same elevated standards. They’re asking which data is appropriate to collect, how it should be handled and — often for the first time — whether it ought to be collected in the first place.
A growing number of states are trying to reverse their collective neglect. There are at least 23 states with a chief privacy officer or equivalent, compared to just 12 in 2019. More states are training employees on privacy practices and stationing throughout their enterprises “privacy liaisons” — allies for the privacy chief who speak the lingo and are sold on the primacy of keeping private information private.
But it takes more than a handful of legal experts scattered around state governments to curtail the next data breach or to restore the battered public trust. Layering privacy practices into the bureaucracy requires political will and funding. It requires state government employees everywhere to shift old ways of thinking and working. All of this could take many years.
The state chief privacy officers interviewed for this article commonly described their roles as mitigating forces in their organizations. Government agencies are required — often by law — to collect rafts of personal information before they can provide services, and the privacy officer’s official job is to ensure that’s done as legally and ethically as possible.
But this task collides with the so-called “datafication of government” — a trend that’s exploded over the last decade — to capture as much information as possible with the purported goals of providing services to the public that are more tailored to their needs and making agencies run more efficiently.
Rebecca Williams, the data governance program manager at the American Civil Liberties Union, said government’s datafication trend is apiece with the sanguine “smart cities ethos” — yet another modern trend — found bubbling through many city halls.
“It’s this promise that if we collect enough real-time data, we can provide all these new solutions, because we’ll have new information,” Williams told StateScoop. “But you don’t really need real-time granular identifying information to get to a better analysis or solution, most of the time.”
In fact, Williams said, governments don’t need to collect any data to provide services. But the datafication has already commenced. The vendor contracts have been signed, the laws have been written and the political opposition to universal social services is mighty. Privacy officers, then, are left with the task of hipping everyone else in government to the new rules of privacy.
Washington state’s chief privacy officer, Katy Ruckle, said that a decision as innocuous as adding a freeform text box to a web form can unwittingly encourage users to share private information the state doesn’t want. She also described a data breach in Washington state in which “an entity” had needlessly stored 50 years of employee data. For the privacy-conscious, such information is a liability.
It’s the privacy officer’s job to help agencies observe these “blind spots,” Ruckle said. South Carolina CPO David Sella-Villa described his job as thinking about privacy when no one else is. Indiana’s privacy chief, Ted Cotterill, said roles like his help government adapt to the public’s growing sensitivity to privacy.
“Having that privacy officer, somebody who is the guiding hand, is important,” Cotterill said. ”Rather than getting periodic attention, maybe from various employees spread across an organization, you get that focused attention that is really needed to create an advanced privacy program.”
Cybersecurity, which is often conflated with privacy, saw a similar surge of development in government a decade ago, and today the best practices cybersecurity officials should follow are well documented. While groups like the International Association of Privacy Professionals and government agencies like the National Institute of Standards and Technology have useful guidance on privacy, states are still largely pulling themselves up by their bootstraps.
Utah is among the frontrunners.
While it’s become increasingly common for states to have privacy liaisons, Utah’s are unique in their level of training, which includes advanced certifications — the envy of privacy officers in at least a few other states. Utah is also one of only four states with its own consumer privacy data act. And while many states don’t yet have a chief privacy officer, Utah has two: one in the state auditor’s office for regulating private businesses and one to improve the state’s own privacy practices.
Christopher Bramwell, Utah’s government operations privacy officer, told StateScoop that while his job is largely to prevent agencies from doing things they shouldn’t do, his work actually empowers agency leaders. He said that by establishing clear privacy rules, agency heads gain a license to do projects they previously might have avoided for fear of overstepping privacy boundaries they couldn’t see.
“Especially in this age of Big Data, everyone wants to use data to provide better services. And privacy provides that key question: Should you?” he said. “Privacy brings those parameters to say, should we do it, what’s the purpose of it, do we have a legal basis to do it and have we been transparent with the public so that they know what data we’re collecting about them and how are we using it?”
Building the guardrails
In developing more sophisticated policies, privacy officers are tasked with a balancing act that includes current laws. In Utah, the foundation of data’s legal usages are partially informed by the consumer privacy law, which Bramwell said is a useful framework that helps him find gaps in agencies’ operational privacy that his office fills with its own regulations.
Finding gaps also means working retroactively. Bramwell said his job partially entails reviewing data-management processes the state already has in place, and then using state rules, federal laws and other regulations to build out a policy that makes proper data usages clear so state leaders are aware of the guardrails.
“It’s not that they’re doing something wrong. They might not even know what they should be doing, but you need that accountability there,” Bramwell said. “There’s a level of expertise the public requires from their government, and privacy is not something that can be arbitrary and capricious. You can’t just ad-hoc say, ‘Yeah we’re doing privacy.’ You have to be able to show it.”
But what does “doing privacy” look like? For starters, it’s much different than cybersecurity, although the two have operated as one for some time. In Virginia, where privacy efforts are split between Chief Information Security Officer Michael Watson and Chief Data Officer Ken Pfeil, the two said there’s a natural overlap between cybersecurity and data privacy.
Watson said it can be difficult to see where privacy diverges from cybersecurity because while there’s much more of a consensus on the purpose of cybersecurity and how to keep data safe, the varying opinions on the ‘right’ way to do privacy can be daunting.
“That concept of what is ‘right’ is going to always be a little bit fuzzy. Because not everybody agrees on what the way that we’re supposed to use the information that’s available,” Watson said.
In New York State, this uncertainty means building a privacy practice that is adaptable. The state’s CPO, Michele Jones, said that even though her office is still growing, having only been created last August, this pliability is defining her state’s privacy methods.
“So privacy might not mean the same thing agency to agency, but it’s the idea of coordinating, setting the policy for it, sort of establishing good governance, good practices around data privacy,” Jones said.
‘No. 1 concern’
Though states are paying more attention to their own privacy practices, sustaining that interest will require new, consistent funding streams, privacy officers told StateScoop. Utah’s Bramwell said his current privacy assessments of state agencies, which will inform the future of the state’s privacy policies, won’t be complete for another three-and-a-half years. Doing those assessments — and continuing to offer training — requires new operational funding not just for his office, he said, but for all the executive branch.
“My approach is very data-driven. We’re assessing practices and that data will then be used to justify any recommendation for funding,” Bramwell said. “And absolutely funding is going to be the No. 1 concern that has to be addressed.”
According to a 2022 NASCIO survey, Washington is the only state with dedicated funding for privacy operations. Ruckle said that creates a “consistency and stability” in her program that ensures a level of permanence that’s not guaranteed in other states.
“We don’t have to worry year-to-year whether or not certain things are going to be funded or positions are going to be funded depending on the priorities for certain leadership,” she said. “This way, we know we have the support of our lawmakers and our governor.”
Sella-Villa, South Carolina’s privacy chief, said that while funding isn’t a “challenge,” it’s essential to his work, which emphasizes training more people in state government to be privacy-conscious. South Carolina each year holds as many as 10 privacy training programs and two certification classes, plus his office aids in large, one-off projects requiring privacy help.
Sella-Villa said he focuses extensively on training because, as with cybersecurity, resolving privacy issues is largely a human problem.
“In [a] hypothetical immature-privacy state, the base issue is a lack of awareness of what the privacy issues are,” he said. “At its core, if you have an immature privacy circumstance in your organization, you have to fix awareness first. Because if nobody’s asking the question, ‘Do we need to hold onto this [data],’ then it’s hard to solve that problem.”
Funding for privacy may not be certain, but the officials interviewed for this story often invoked phrases like “shifting privacy left” and “privacy by design” — insider speak for introducing privacy concerns early in the development of new projects — suggesting that privacy’s at least partially gained a cultural foothold in state government.
“It is helpful to have that common language so everyone understands where they need to be focusing and what they should be trying to do as they mature their program,” Ruckle said.
States are maturing their privacy practices against a backdrop of sinking levels of public trust. While polls show state and local governments enjoy higher levels of confidence than the federal government, several privacy officers told StateScoop they’re concerned by the overall trend, but said they believe good governance could help shift the tide back in their favor.
“Our whole goal with privacy is we want the public to trust us with their data,” Utah’s Bramwell said. “I think it’s fair to say the public has a lot of distrust of any large entity when it comes to their data, whether it’s a private company or public, and that’s for good reason.”
There’s a lot at stake with any entity using personal data. Williams, the ACLU data governance manager, said the group has grave concerns about how handily technology is eroding personal privacy rights enshrined by the Fourth Amendment, which prohibits unreasonable searches and seizures of personal property. The group isn’t worried about the DMV collecting addresses — it’s the possibility of that data being repurposed for some unspecified secondary use, without oversight or transparency. And Williams and her fellow advocates are generally dubious anyway about the purported benefits to the public of broad data collection.
“In reality, politics is the forcing function of what ‘gets done,’” Williams said. “I don’t fully believe they need to collect [data] to get things done.”
But many privacy officials said they believe that by crafting policies with the right transparency and consent, data-collection doesn’t have to be an Orwellian specter.
Sella-Villa pointed out that state agencies often don’t have the luxury of choosing which data they collect before they provide services, but with privacy officers’ help, that could be OK.
“If our job was, ‘Don’t collect any data,’ then we’re not doing our job as a government. That doesn’t mean our job is to collect data specifically — our job is to do things,” Sella-Villa said. “Data is a necessary part of that. Can we do the thing and collect the data in the best way possible? I’m excited about that.”