Privacy

As technology becomes more fully integrated with government services and private life, the data it produces must be managed carefully and guarded from malicious hackers. States play an important role in safeguarding privacy, employing cybersecurity measures to protect citizen data, and shaping privacy standards for the private sector.

Know the Difference: Privacy is Not Cybersecurity
  • While cybersecurity is essential for safeguarding privacy for citizens, non-cybersecurity measures can also enhance privacy.
  • Even if privacy is well-protected, cyber risks still pervade all aspects of the state enterprise.

Essential Term: Personally-Identifiable Information

Although the definition of personally-identifiable information (PII) varies across states, it generally includes names, identification numbers, addresses, personal characteristics, biometric data or information that, when linked to other PII, can identify a single person. PII is protected under a variety of state and federal laws because hackers can use it to commit identity theft, financial fraud or additional cyberattacks.

What are the Critical Questions for Enhancing Digital Privacy?
  • Do state agencies follow standardized privacy policies?
  • Do state agencies anonymize data, collect necessary data only, destroy data that is no longer useful, and limit the combination of time and location data?
  • Does the state offer identity protection services to victims of data breaches?
  • Do third parties have access to state-controlled PII?
  • Is state-controlled PII encrypted? Why or why not?

How Can Governors Implement Privacy-by-Design?

It is difficult to inject security and privacy principles into finished projects. It is much easier to adhere to privacy best practices by building them into the earliest proposals for any state initiative, whether it is a new web application or a new agency.

  • Embed Privacy: Ensure that every state initiative that collects, creates or uses data includes a privacy strategy from its earliest planning stages. Privacy considerations should be addressed in all relevant concept proposals, budget plans, implementation strategies and reports.

  • Be Transparent: Publish a public, comprehensive guide (updated annually) on how state agencies collect and utilize the data of private citizens. Solicit public comments from industry and academia for possible improvements.

  • Minimize Resistance: Standardize state policy and statutory law governing how state and local agencies manage PII, eliminating duplicative privacy audits and conflicting rules.