As more states are emphasizing the role of privacy, the state chief privacy officer (CPO) role has grown immensely in the last decade, according to a new report from the National Association of State Chief Information Officers (NASCIO).
The report, "Privacy Progressing: How the State Chief Privacy Officer Role is Growing and Evolving," follows up on a similar 2019 report to track the growth of CPOs. According to the report, the number of states with a CPO has grown from 12 to 21 since 2019.
“As states continue to evolve their privacy programs and positions, this publication gives critical ‘advice from the trenches’ and data that will help states along their privacy journey,” Amy Glasscock, the primary author of the report and NASCIO program director for innovation and emerging issues, said in the report.
NASCIO received responses from 17 of the state CPOs for the report, finding that law degrees were the most common among them. Seventy-six percent of respondents said they hold a law degree.
The report also found that 29 percent of respondents report to the state CIO, 24 percent report to the state CISO, 29 percent report to a different administrative head, six percent report to an official in the governor’s office, and 12 percent chose “other.” This reporting structure differs from 2019, when 42 percent reported to the CIO, and 33 percent reported to the CISO.
As for CPOs’ authority, the majority of CPOs – 53 percent – said they have authority over the executive branch. Thirty-five percent said they have authority over their department or agency, and 12 percent said they have authority over all branches of state government.
The CPO position is also becoming increasingly established. In 2022, five CPOs were established in statute, two by executive order, two by procedure, two by administrative rule, and the rest either were not officially established, were part of an organization, or were mentioned in an official policy.
Finally, the report found that 88 percent of CPOs said their role is focused on both policy and operations. However, just one state reported having a defined budget for privacy initiatives. According to the report, “most CPOs are getting funding from the IT, security or other agency budget depending on where the role is structured.”
NASCIO made three recommendations for states looking to establish a CPO or advance the effectiveness of their current CPO: ensure dedicated funding for a privacy program and staff; establish privacy governance; and develop agency relationships.
“Building a privacy program will take many years and will often require the creation of additional laws and administrative rules,” one CPO said as advice to new CPOs. “Start with a long-term view and be empathetic of the agencies you will be working with. Many of these agencies have never been told to build a robust privacy program. They want to improve; they just need proper guidance and time.”