In May 2023, Utah’s Governor Spencer Cox appointed Steve McCown (Chief Architect, Anonyome Labs) to serve on the state’s Personal Privacy Oversight Commission (PPOC). The PPOC was created in 2021 by the Utah State Legislature (see H.B. 243) in order to develop guiding standards and best practices for protecting personal data and to work directly with the Chief Privacy Officer to have those standards and practices adopted by government entities.
What is the Personal Privacy Oversight Commission (PPOC)?
The PPOC is comprised of twelve representatives from industry and government who collectively have expertise in cybersecurity, information technology, operational technology, law enforcement, data privacy law, civil liberties law, and prosecutorial / appellate law. Each of the members has been appointed by either the governor, state auditor, or the attorney general.
Government entities are required to collect, use, and share some personal data in order to provide public services. However, all processing of personal data by public entities must be done in a manner that protects privacy rights. Privacy and security principles and best practices must guide the way.
Utah has a pioneering history in privacy and security. In 1862, legislators in the Territory of Utah introduced the nation’s first communications privacy and security law, entitled An Act For the Regulation of the Telegraph, and to secure Secrecy and Fidelity in the transmission of Telegraphic Messages (source). Passed in January 1863, this forward-thinking law also established the legal standing and privacy requirements for electronic “Contracts”, “power of attorney”, “payment or delivery of money”, etc. when delivered by telegraph. Codifying a variation of e-commerce in the 1800s is pretty forward thinking!
Modern Challenges in Data Privacy
The expanding use of digital services experienced over the last few decades has changed the landscape for privacy and how it must be protected. Like most other governments, Utah’s data privacy and security practices grew organically in a time when personal privacy threats were rare and difficult to identify. Utah is responding to changing times, just as it did in 1862, by investing in proactive efforts to protect privacy rights. Rather than simply enacting data breach penalties, Utah is demonstrating a special concern for “the privacy implications and civil liberties concerns of the privacy practices of government entities” (H.B. 243).
In June 2023, Utah’s Office of the Legislative Auditor General published a report entitled “A Performance Audit of the Collection, Protection, and Use of Personal Information by State Agencies” (summary, slides). Leading up to this report, the state conducted a statewide self-audit and found numerous different data collection policies and handling procedures. Given the current and emerging threats to personal data, the reported found that “current data collection and sharing practices create data privacy risk.”
In order to protect the personal data collected and held by state agencies, the report recommends “defining data privacy in statute for all state agencies” and “requiring government entities to adopt data privacy principles that include items such as: clear consent, notice, and the disclosure of data collection, use, and sharing”. The report went on to recommend that “Statutory data privacy guardrails could alleviate the risk.”
Privacy Guardrails: Defining the Future
What are the “privacy guardrails”? That is the central focus of what is being created in the very near-term. Defining and proposing specific actions and requirements is currently underway and is expected to include a cohesive combination of legislation, policy, and training, together with leading technologies and technology standards.
Utah’s efforts are not only vital to the protection of Utahans’ data but are foreseen to provide an example or blueprint for other states and governments to follow. The work of the PPOC gives the state government important insights from experts in several key legal and technology domains, which will ensure that Utah’s solution meets the state’s technical and legal requirements. Utah’s privacy efforts are expected to provide far reaching benefits to government and private organizations globally. Anonyome Labs is proud to support Steve McCown as he serves as a member of Utah’s Personal Privacy Oversight Commission.
