The tool can help agencies and businesses build privacy into initiatives with a modeling platform that allows them to "look before they leap." And it could catch on across the country.
Access to nearly endless supplies of constituent data puts a great deal of power in the hands of state government at all levels. But with that power comes the caveat of great responsibility for the management and protection of that data.
So to stop data use conflicts before they become ingrained in new initiatives, Washington state officials launched the beta Privacy Modeling Tool. And the idea is incredibly simple: Look before you leap, said Chief Privacy Officer (CPO) Alex Alben.
“This is definitely meant as a first-step tool when you are designing something that is going to use personal information,” he said. “It’s not really intended for a business or an agency that knows the lay of the land in terms of privacy laws that apply to them … It’s really meant for an agency that is working outside of its domain of expertise, or a city or county that doesn’t necessarily have privacy resources.”
The modeling tool prompts agency users through four simple steps:
“There are sort of two approaches, someone like me can go around like Paul Revere and cry about privacy, which is fine, but it doesn’t always scale," Alben said. "Or, you can try to use technology to give people tools so that they can do a lot of the groundwork themselves in terms of finding out what they need to know. Privacy modeling is an example of the latter approach. It is a novel concept.”
Take, for example, an agency that handles insurance and licensing information — which includes PII like driver’s license information, Social Security numbers and financial information — that's looking to publish/disclose, rent/sell or share the information through a new program. The privacy model would alert the user that there were 12 acceptable uses and six limitations, including limits on sharing Social Security numbers and driver’s license information.
Within each limitation alert, state laws are cited so that the user can dive deeper into the nature of the issue they're facing by reviewing the tagged laws in the application’s results dashboard.
To build the tool, Alben’s privacy team partnered with law students for the time-intensive process of identifying and tagging the applicable state and federal laws to their corresponding types of PII within the modeling database.
“It wasn’t that easy to build this database. We basically had to take over 25 federal laws and about 10 state laws, and then tag every type of PII that is mentioned in those laws, and then relate those to the user cases that we have as search options," he said. "So there are more than 4,000 permutations in our database."
But, Alben added, the tool is far from an end-all legal guide.
“When you get the green light, this means that no law has been found on the topic. There aren’t that many privacy laws on the state level, but just because there is no law doesn’t mean something is okay,” he said. “You have to think about how the data was collected, whether the user gave consent to a use other than the original use. And also, the tool doesn’t interpret laws; it doesn’t have the human ability to look at one situation and compare it to another.”
But with those limitations, he added, the hope is that privacy modeling will give the user an orientation of the privacy laws that apply to their scenario, "and would be a really quick research tool because it links directly to the law that is relevant.”
The Washington privacy team plans to make adjustments as it receives feedback on the tool, and Alben said it could come out of the beta stages as early as a month or two. There also are plans to make the final product open source for any other jurisdictions interested in building their own laws into the application.
Alben said the beta platform is not only meant to be a resource for government agencies and businesses new to the data privacy environment, but also as an insurance policy for a state that spends tens of millions of dollars on its networks and security.
“I do see this as a framework that can evolve over time,” he said. “We are going to make it open source so that the framework can be extended if others want to take the code and customize it for their needs. For example, I’d be delighted if another state looked at this and said, ‘Oh, we can do this for our state law.’”