From California to New Hampshire, states around the country have been focused on protecting consumer privacy, often turning towards comprehensive statewide legislation.
But from obtaining a driver's license to registering to vote, state and local governments also require the disclosure of an array of personal information for a variety of services, and some states are turning the focus inward, working to establish protections for the personal information they collect and maintain.
Utah Chief Privacy Officer Christopher Bramwell, CIPM, said the information collected by state and local governments is different and more vast than what is handled in the consumer-focused private sector, simply by nature of the services governments provide, and protection of that information must be given special consideration.
While Utah became the fourth state to enact comprehensive consumer privacy legislation — in March 2022 with the Utah Consumer Privacy Act, which goes into effect 31 Dec. — the state is also working to create a statewide strategic privacy plan that Gov. Spencer Cox, R-Utah, said should contain "recommended baseline privacy practices for state agencies to use to safeguard the privacy of the personal information of Utahns" in an executive order 23 April.
Cox also signed House Bill 343 into law in March, establishing privacy practices for government records, including standards for handling personally identifiable information, documentation and transparency requirements for data collection, and updated collection-notice requirements.
Bramwell — whose position was created by the legislature in 2021 to oversee the collection, storage and protection of information acquired by state agencies — said the work has been "setting the stage" for a "multi-year approach" to creating "a solid structure of what's going to happen around governmental entity privacy practices and programs."
"Every state agency is siloed. They have their own records-management programs. And the code wasn't written necessarily to focus on privacy, but more on records management," Bramwell said. "So, what this executive order is going to allow us to do is help all agencies at once by making it clear what you should be doing."
Cox called the relationship between personal data and state governments "a sacred trust," which Bramwell said shows how seriously the state is taking this effort.
"We're a government entity, you have to give us your data if you want services. This isn't like consumer privacy where you can choose. There's a higher expectation of what we're going to do to protect your data," he said. "And that concept of sacred trust is one we're taking very seriously. We are going to protect (data) and we're going to build a program that's transparent, so you know how we're protecting it, and if we're failing in that program, you're going to know what our recommendations are to fix it."
The statewide strategic privacy plan, due to be presented by 1 Aug., will cover all executive branches under the governor, as well as state boards and commissions. It will outline the data-governance structure for all agencies and staff, Bramwell said, and explain the data "lifecycle" from "collection of data all the way through to the actual disposition, deletion or archiving of it."
"It starts and ends with the public," Bramwell said. "Trying to define what is reasonable that should be expected of government to protect their rights. Like ensuring they retain and delete PII according to retention schedules. Is there a limitation of use around the purposes and uses of data? Are we providing notice to the public every time we collect it? We're putting it all in one plan."
In crafting the plan, Bramwell said Utah's Personal Privacy Oversight Commission, an independent, 12-member statutory board made up of appointed representatives, is a "key partner."
Commission member and Inspire Privacy and Security CEO and Founder Denise Farnsworth, CIPP/E, CIPP/US, CIPM, PLS, said the statewide strategic privacy plan will ensure state branches have a "North Star."
The reason that's so important today, she said, is because of technology and its rapid advancements. Just a few years ago, obtaining a public record required a visit to a state office for hard copies. Today, technology has facilitated the ability to share information like never before, she said.
"It's not that the original drafters of laws didn't think about it, it's that the technology didn't require laws to be written that way," she said. "We're creating a very agile framework for the whole state to map to."
The state of Washington implemented a privacy framework for state agencies in recent years that CPO Katy Ruckle, CIPP/US, CIPM, FIP, said was developed based on the NIST Privacy Framework and highlights principles of lawful, fair and responsible use of data, data minimization, due diligence, security, transparency and accountability. Those principles continue to evolve, Ruckle said, noting a principle of accuracy and data integrity is likely to be incorporated in response to advances in artificial intelligence and large language models.
"Our statute requires us to articulate privacy principles, and so that's what we have put out for agencies to encourage those principle adoptions into their own privacy programs, agency by agency," Ruckle said. "Our main objective is to help state agencies and local governments improve their privacy program maturity and posture."
Bramwell said other state CPOs expressed interest in how Utah's plan moves forward, and he hopes it becomes a model for how states can be transparent around privacy.
"For the state governmental entities, every state is going to have to define it themselves," he said. "The time is now. We're at an inflection point of how data is going to be used. You see technologies coming and being adopted. They can do great things to help deliver government services and benefit the public, but they can also do not so great things around privacy. You have to have a plan to ensure that, yes, we want to deliver more efficient services and we want to help those that we serve, but we want to make sure we protect your privacy at the same time. Now has to be the time because, really, if you don't take it seriously now, you're going to be too late."