First-ever Utah privacy audit finds 66% of government entities failed to meet compliance requirements
Utah’s Office of the State Auditor on Monday announced that the state’s privacy officer had completed a comprehensive privacy review of governmental entities and nonprofit organizations in the state. The results showed that 66% of those reviewed failed to meet a requirement of the state’s privacy statute.
The review examined more than 1,600 organizations — including counties, cities, school districts, charter schools, water districts and nonprofits — for compliance with a section of the state’s Governmental Internet Information Privacy Act. The act requires organizations to post a clearly written privacy policy statement on their websites if they collect personally identifiable information. Only 34% were compliant with this requirement.
Utah State Privacy Officer Whitney Phillips told StateScoop in an email that she’ll help the non-compliant organizations come into compliance. She said her office did not assess whether the organizations were actually following the guidelines laid out in their privacy policy statements — if they had one — but only assessed if policies had been published.
According to the Governmental Internet Information Privacy Act, an organization’s privacy policy statement should include: the identity and contact information of the website operator; the personal information that is being collected; a summary of how it is used; practices related to the sharing of personal information; the procedures — if any — of how users may request access to or correct their information; and security measures to protect the information from unintended sharing.
Phillips said initial data from the assessment will help to “set a baseline” so she can target support and measure the improvement over the coming months.
“We plan to first reach out to all government entities to provide them with their compliance determination, as well as additional resources (template, checklist, and training modules) to either become compliant, or improve upon their privacy policy statement,” Phillips wrote.
Phillips said her office has also analyzed compliance by organization type, but has not made that information publicly available.
Along with providing targeted support, Phillips said she hopes the review will improve transparency and accountability across the state, which is one of Utah’s fundamental privacy principles, by the time the next assessment comes around.
“I hope to see significant improvement of compliance when we reassess in 6 months. I especially want to see an increase in compliance with government entities that pose a higher-risk level,” Phillips wrote. “Being transparent about how personally-identifiable information (PII) is collected, used, shared, and protected can build the public’s trust in Utah’s government entities.”