CHEYENNE – It’s going to be a busy summer for Flint Waters, courtesy of the Wyoming Legislature.
As the state’s chief information officer under the Department of Enterprise Technology Services, Waters knows his way around the business of data security. And he will be using that knowledge to help state agencies, counties, cities and towns revisit their own data policies this summer, as part of a law passed by the Legislature earlier this year.
Senate File 38 was one of several bills brought to the Legislature this past session by the four-member Joint Task Force on Digital Information Privacy. During the last two years, the task force has been looking at ways state government can help protect the public’s information, and SF 38 takes one of the broadest approaches to that topic.
The bill consists of two parts. The first requires each state agency to launch an in-depth look at its policies for data collection, handling, security and management. Included in that assessment is a “data inventory,” in which each agency must look at all the data it has collected, and then explain why it collected it and whether it really still needs to.
“That’s what’s most important from a citizen perspective,” Waters said. “Before we can have a meaningful conversation about citizen privacy, we need to have a conversation about what data (state agencies) already hold.”
In past years, Waters said he has found that some agencies may begin collecting citizens’ data for one very specific reason, and without anyone catching it, that data keeps getting collected years later, whether the original reason is still present or not.
But given the increasing sophistication of modern hackers and the cyberattacks they’re capable of launching, Waters said it may make sense to dial back certain kinds of data collection in such instances.
“Let’s say, hypothetically, that 15 years ago a legislative inquiry prompted someone to need to know a correlation between student behavior and employment rates,” Waters said. “And there was a study done linking student behavioral details with data shared with (the Department of) Workforce Services to generate that report.
“So now, sitting in that system could be additional updates in case the Legislature ever asks that question again,” Waters said. “But maybe it’s not a good idea to have student behavioral data sitting outside the Department of Education, and that’s why it might need to be cleared up.”
The first part of SF 38 would essentially task state agencies with tracking down those sorts of loose ends. According to task force member Rep. Mary Throne, D-Cheyenne, the idea is that if an agency finds it has a bunch of data it can’t justify keeping, then it may be best to simply stop collecting it altogether.
“It does make sense to look at how much is collected and perhaps collect less if you don’t really need it,” Throne said.
“We want to make sure that, in this digital world, our state agencies have some consistent protections across the board. And certainly you don’t have to protect data that you don’t collect.”
But while SF 38 seeks to get state agencies to revisit and refine their data collection policies, the second part of the bill is designed to get local governments to begin adopting their own such policies.
Specifically, the law tasks Waters and his department with meeting government and IT staff from cities, counties and towns across the state to discuss what sorts of policies they should consider.
“We want to document industry best practices and the tiered adoption of those that might be viable,” Waters said, noting that not every city or town is going to require the same level of protections. “You’ve got towns out there with two staff, and they do everything on one laptop. They don’t need 15 pages of policy.”
But the idea is that even those tiny towns should have some sort of policy in place, as long as they’re handling people’s sensitive information. That’s why SF 38 tasks Waters with hosting informational meetings across the state with government officials to provide some basic guidelines as to what policies they should be thinking about.
“We’ll be saying, ‘If you have five or less computers, here are some ideas about what you might want to do;’ five to 50, here are some more,” Waters said. “Then we will discuss with cities and counties, if you were to implement one or more of these, what would the fiscal impact be?”
The goal is for Waters to write up a report to the Legislature by Sept. 1, describing the practices cities, towns and counties are already using and suggesting additional steps they could take without breaking their budgets.
“We will do our best, though the window they gave us to do this is extremely small,” Waters said. “The bill takes effect July 1, and the report needs to be finished by September.”
Throne said the portion of SF 38 covering cities, towns and counties is not prescriptive – no municipality is required to adopt any specific policy as a result of the bill’s passage. But she said it could provide some useful insights into what cities and towns are doing currently to protect citizens’ privacy, and if the Legislature sees any troubling trends in the final report, it could be moved to act on them.
“What we’re hoping to see is maybe an overview of what’s happening at the local government level, and then from that we can determine if we do need to do something more specific for municipalities and local government,” Throne said. “But we also recognize Cheyenne’s needs aren’t going to be the same as Pine Bluffs.”