Georgia lawmakers walk a tightrope when it comes to finding the balance between data protection and the health and prosperity of the state’s diverse business interests. Over-regulate and you risk holding back valuable innovations. Under-regulate and you put potentially millions of constituents' information in harm’s way.
Managing data and the privacy issues associated with it was part of an extensive discussion at the Georgia Digital Government Summit* in Atlanta Sept. 29. During the panel discussion, which included Sen. Bruce Thompson, R-Dist. 14, and Rep. Mike Dudgeon, R- Dist. 25, experts from various stations throughout the government enterprise hashed out the necessary considerations that must be made around the increasingly valuable and abundant digital asset.
Since computers first arrived on the scene, the role, and certainly the value, of data has changed. As panel moderator Howard Woodard, with Georgia College and State University, explained, the transition from strictly computational to hyper-valuable has taken several decades.
Though this evolution may have happened gradually, Woodard asserted that policies and best practices have not necessarily kept pace with the various channels of data gathering and uses of the last decade. Dudgeon, a member of the House Science and Technology Committee, agreed.
“The technology for wiring and accessing data has gone at such an amazing pace the last 10 years in the big data world, where the tools just for everybody to gather enormous amounts of data and access it anywhere has just grown way faster than anybody thought about how to secure it,” Dudgeon said.
Thompson, who serves as chair of the Senate Science and Technology Committee, said the growing number of uses for personal data has added another component to the issue — the challenge of balancing business, convenience and modern expectations with the inherent vulnerabilities.
“As many of the businesses out there continue to use credit and personal data to be able to drive rates, you look at the insurance industry, you look at the various things that are out there, they look at the model of the individual and their data to be able to do that,” Thompson said. “Well, then you have to have access to be able to do that. The more points of access you have, the more vulnerable it becomes.”
The conversation around data is further complicated by the expectations of stakeholders. While many millennials are comfortable sharing their personal data, experts argue that the older generations are more hesitant.
There may be a willingness by younger age groups to provide data, but it still comes with an expectation of security, said Robert Orr, CIO for Georgia College and State University. “I think from the higher ed perspective, we are no different from each of you in the room. If you are collecting data on somebody, they expect you to keep it secure,” he said. “Following best practices, following NIST standards, following whatever standards that you have in place.”
In addition to policies and standards, Orr said audits ensure compliance within his organization.
“The challenge for us is that we have to rely on our policies, we have to rely on our processes and we have to rely on a very good data governance structure," Orr said. "I think the ability to move forward with protecting personal data and using it rely on those three things."
Fulton County CIO Sally Wright said much of the privacy conversation developed out of the Health Insurance Portability and Accountability Act (HIPAA) of the mid '90s around medical information sharing. Since then the wealth of data on the market and the applications for it have exploded.
While the myriad uses present opportunities, some of which Wright called “scary,” she said the opportunities need to be measured against the larger costs to privacy. The open data movement is one where she said extra thought is needed before simply making “everything open.”
“It sounds good, but if you don’t take a step back and start to think, ‘What does that mean?’ you could get in a lot of trouble.” She advocates for a clear data classification policy to help define the various forms of information collected and maintained by an organization. This policy should be reviewed and revised regularly.
“If you define that upfront, when organizations want to do open data, you already know what is open and what is not,” Wright said. “There are things you have to start with, but it’s always evolving, so having a general policy in place doesn’t mean it is good to go forever. It needs to be on some kind of a cycle to be reviewed, especially IT policy.”
*The Georgia Digital Government Summit is produced by the Government Technology events division and the Center for Digital Government, both owned and operated by e.Republic Inc., the same parent company as Government Technology magazine and Govtech.com.