By Matthew P. Barach, Esq., CIPP/G
States grapple not only with legal and regulatory issues surrounding privacy, but also with how to handle personal information collected by state agencies. Despite this, the vast majority of states lack dedicated privacy offices and/or chief privacy officers. The state of California is an exception. Its approach to information privacy for state government should serve as a model for the other 49 states.
In 2001, California became the first state in the nation to dedicate a state agency to information and data privacy—the Office of Privacy Protection. Last January the state merged the Office of Privacy Protection and the State Information Security Office, creating the California Office of Information Security and Privacy Protection (OISP). The OISP mission now “unites consumer privacy protection with the oversight of government’s responsible management of information.” The OISP provides services to consumers, recommends practices to business, and provides policy direction, guidance, and compliance to state government.
“It facilitates a more holistic approach to information management,” says California Chief Privacy Officer Joanne McNabb, of the recent structural change. “And it fosters collaboration between privacy and security.”
Traditionally, California has led the United States on information privacy practices. The California state office approach is novel as it combines privacy with security for more efficient administration of information management. “It can be a better model than the silo approach to privacy and security,” says McNabb.
The combined security-privacy agency model also is beneficial in that it makes privacy a one-stop shop. This helps the public understand the interplay of privacy and security and allows for greater collaboration among privacy and security officers. “It is more efficient,” says McNabb, who adds that the setup also “builds a consumer ombudsman role into state policy-making and provides a feedback loop on state practices.” Further, the model rightfully elevates privacy’s importance and highlights the role of the privacy professional.
Originally, the California Office of Privacy Protection was organized as a part of the Department of Consumer Affairs. The State Information Security Office was a branch of the Office of Technology Review, which was part of the Department of Finance. The new configuration for privacy and security in state government was established as of January 1, 2008. Today, the Office of Information Security and Privacy Protection (OISP) is under the State and Consumer Services Agency, which is aligned with the Chief Information Officer and the Governor of California.
A survey of the other 49 states reveals that technology, cyber, or other critical infrastructure agencies exist, but their efforts focus in whole or part on state government information security. For example, Florida’s Office of Information Technology exists to improve “government services and to ensure that the state’s technology infrastructure is reliable, secure, and cost-effective, and meets the business requirements of state agencies.” New York’s Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), established in September 2002, focuses on the state’s cyber-security readiness and critical infrastructure coordination, and coordinates cyber-readiness efforts, geographic information systems, and critical infrastructure preparedness.
All states emphasize data security and technology, but most have not fully embraced the potential value that state government can bring to information privacy. They have not established a clear information privacy directive or created privacy offices.
Only four other states have privacy offices: Arizona, Wisconsin, Ohio, and West Virginia. Each of these states differs substantively from the California model.
“My role is to establish consistent standards in information privacy for agencies in state government,” says Mary Beth Joublanc, chief privacy officer for the state of Arizona. Arizona’s Statewide Information Security and Privacy Office (SISPO) operates within the Government Information Technology Agency, serving as the strategic planning, facilitation, and coordination office for IT security. Ms. Joublanc has taken guidance from her neighbors in California and says she could see Arizona’s privacy role expanding in the future. “As we get things in place, we want to be more out-focused on citizens,” says Joublanc.
Wisconsin modeled its Office of Privacy Protection on California’s approach, according to Susan H. Schliz, who leads the office and serves on the state’s privacy committee.
“[It’s] a place for consumers who have been a victim of identity theft,” says Schliz. The office, which resides in the Department of Agriculture, Trade and Consumer Protection, also provides training for consumers and businesses. Its mission is “to protect the privacy of individuals’ personal information by identifying consumer problems and facilitating the development of fair information practices.”
Unlike California, the Wisconsin Office of Privacy Protection does not oversee the state’s information privacy program. Instead, each Wisconsin state agency maintains a separate privacy program. Also, there is no security or technology component to this office, although the agency does collaborate closely with law enforcement on identity theft.
The West Virginia Privacy Office dedicates its efforts to protecting personally identifiable health information and the privacy of personally identifiable information collected and maintained by Executive Branch agencies.
Lastly, the state of Ohio’s Privacy & Security Information Center provides technology, policies, standards, and solutions for enhancing the privacy and security of Ohio's data and systems. Additionally, the state’s Web site aims “to act as a privacy and security knowledge center for the citizens, businesses, and employees of the state.”
Various states’ consumer affairs divisions and/or state attorney general offices house privacy professionals. Generally, state attorneys general have the enforcement power to bring actions for failing to file required data breach notices pursuant to state breach notification statutes and/or conduct investigations involving identity theft. However, these agency roles generally focus on consumer protection laws and do not involve privacy management within state government. For example, the New York State Consumer Protection Board provides guidance on information privacy for consumers and businesses, but is not responsible for privacy within New York state agencies.
This survey of the 50 states reveals an overall information privacy void in state governments. Security offices have received the majority of state funding and resources, while privacy has been largely diminished as a funding priority at the agency level.
This void in turn diminishes the role of the privacy professional. This runs counter to the federal government, which has made privacy an imperative at the agency level through the creation of chief privacy officer positions (although no national privacy officer has been established).
Moreover, there is a lack of consistency in state governments’ approaches to administering information privacy. This can cause confusion about the role of the privacy professional and can lead to a duplication of efforts in state agencies.
Privacy professionals should become better organized at the state level and actively engage in the political process to lobby state legislatures to adopt the California model, taking care to ensure the information privacy message remains apolitical.
The work won’t be easy. The results of the Blue Ribbon Commission to Establish a Comprehensive Internet Policy effort in the state of Maine may foreshadow the challenges privacy professionals might face in this regard. In 2000, commission member Sally Sutton introduced what might have been the first proposal in the U.S. calling for a privacy advocate in state government. The proposed advocate would have been responsible for receiving and investigating complaints, providing legal representation, making policy recommendations, assisting public and private entities in the development of information policies, coordinating the state’s treatment of personal data, and educating the public. The revolutionary proposal was never adopted. “The Legislators who sponsored were not re-elected and the proposal died,” Sutton said recently.
California’s heavy lifting in this area provides states with a new model to use in their own efforts. The California approach can and should be recognized as an example of the important role privacy offices can play at the state level. The efficiency of the California model enables better administration of information privacy for consumers, businesses, and state government.
California Governor Arnold Schwarzenegger has released a Reorganization Plan for IT Governance that proposes to once again realign the Office of Information Security and Privacy Protection—breaking it into two separate offices. The information security area would fall under the state’s Office of the CIO, and the Office of Privacy Protection would remain under the State & Consumer Services Agency, with a continued focus on consumers and businesses. This proposal will go before the California legislature this spring.
Matthew P. Barach, Esq., CIPP/G, is the Internet and Information Privacy Counsel for the New York State Consumer Protection Board (CPB) and founder of Boston Privacy Group, where he advises numerous businesses on information privacy best practices. He is the author of a column entitled “Think Privacy,” and he created the New York State Business Privacy. Barach has been a business lawyer and entrepreneur for 14 years. He is an avid golfer and a proud, but slow, marathon runner. He lives with his wife and two children in Sudbury, Massachusetts. He can be reached at firstname.lastname@example.org.