As more states are prioritizing the role of data privacy, the state chief privacy officer (CPO) role is continuing to grow in importance, according to a recent report from the National Association of State Chief Information Officers (NASCIO).

The report, titled “The Shifting Privacy Paradigm: State Chief Privacy Officers’ Evolving Roles and Persistent Realities,” is an update to NASCIO’s last CPO survey published in 2022. According to the latest report, the number of states with a CPO has grown from 21 to 25 since 2022.

“As states grapple with the complexities of privacy governance, state CPOs play a pivotal role in safeguarding citizens’ privacy rights and fostering trust in government operations,” Amy Glasscock, program director of innovation and emerging issues at NASCIO, said in a March 21 press release.

The report found that the prevalence of the title “chief privacy officer” has surged to 88 percent, which NASCIO said “is a reflection of the importance of the role.” In 2022, just 65 percent of CPOs had the chief privacy officer title.

It also found that state CPOs are increasingly reporting to administrative officials rather than CIOs or CISOs, “reflecting a broader understanding of privacy beyond technology-centric domains.”

Of the 17 CPOs who responded to this year’s survey, 19 percent reported to the state chief information security officer (CISO), 25 percent to the state chief information officer (CIO), and 37.5 percent to another administration official.

Yet despite the prioritization of privacy, only 24 percent of respondents reported having an established privacy program. Forty-one percent said they are in the process of developing an established privacy program and 35 percent said they did not have one.

Notably, these numbers are worse than in 2022, when 29 percent of respondents said they had an established privacy program.

“While it remains a priority for states, it seems many are still struggling to establish a privacy program,” the report says. “It’s also possible that with so many choosing the ‘in process of developing option’ that some CPOs may feel like the program is just not mature enough to be considered ‘established’ even if they do have an active privacy program.”

Based on survey data and advice from state CPOs, the report offers three recommendations for states. These include: establish privacy governance, ensure dedicated funding and authority for CPOs, and establish and train agency privacy leads.

“Focus on incremental improvements that will be long lasting. Privacy is too important to not get right, and in government, privacy needs to be operationalized in a way that it will exist and function with CPO turnover,” one state CPO respondent advised.

Read More About
Grace Dille
Grace Dille
Grace Dille is MeriTalk SLG's Staff Reporter covering the intersection of government and technology.