In March, Utah’s first chief privacy officer, Christopher Bramwell, set a goal of identifying and providing at least 50 personnel across the state’s government with specialized training in privacy management. On Wednesday, Bramwell told StateScoop that goal has been surpassed, and that 59 state personnel will have completed the training by the year’s end.
Bramwell’s initiative has led to those 59 completing the certified information privacy manager, or CIPM, training through the International Association of Privacy Professionals. Seven have passed the exam to obtain certification, and the rest are working on their certifications.
Bramwell was appointed to his office in July 2021, and he told StateScoop his position in the Utah Division of Technology Services has allowed him to hone in on practices and policy within state agencies. Another privacy official in the state auditor’s office is designated to handle privacy governance for non-state agencies and local governments.
‘Privacy as a component of security’
“[Government agencies] already have to designate records officers, and we asked that they should have to designate security officers,” Bramwell said. “They all overlap records management. Privacy is a big part of that data management lifecycle.”
Another recommendation was the CIPM training, which Bramwell said was funded in part by state Chief Information Security Officer Phil Bates through the American Rescue Plan Act of 2021.
“He recognized privacy as a component of security — you cannot have privacy without security controls in place. So this actually helped to better mature his program too,” Bramwell said.
Bramwell said IAPP, with its global reach, was an “obvious partner” for the training program.
“They provide the domain privacy certification across the world being used by everyone, and they don’t have many competitors,” he said. “And so we we’re able to use existing contracts, purchasing mechanisms to partner with IAPP to start that rollout of a statewide certification or training and certification program.”
The first training was conducted in June, and Bramwell said he worked closely with the association to tailor the two-day sessions to Utah’s laws and structure. Participants received textbooks, guides, sample test questions and certification exam vouchers. The 31 government personnel who attended the first training represented 16 state agencies or divisions and six non-state agencies.
More than just privacy
In considering options for the training, Bramwell said that there were a number of advantages to offering privacy training through his office.
“One of the benefits of this approach is that it was very time-consuming. Setting up the contracts, getting the training scheduled, reserving the rooms, coordinating with IAPP, it takes a lot of time,” Bramwell said. “So you can imagine if each state agency had to do this themselves. It’s not realistic. They’re not going to allocate 40-50 hours to get this set up for one person. So, us doing it for all state agencies was, I think, a good example of just a scaled approach that was smart of how to help everybody with just one process or procedure that we’re doing.”
And ensuring that state privacy specialists have the proper training includes more than fortifying governance, Bramwell said — it’s also a matter of reinvigorating public trust in government.
“Right now, the public doesn’t trust anybody with their personal data. They think companies are using it inappropriately, they think the government’s using it inappropriately,” he said. “You need to have a plan that says, ‘Here’s what we’re doing to protect your privacy rights, here’s the metrics and here’s who’s assigned to ensure that’s being enforced.’ We have committed so using the certification as the way to show the public that we have competent people in each agency that can manage the plan that we’re building.”