Governments have increasingly prioritized inclusive data collection practices, taking into consideration things like disability and gender identity — in part as preparation for AI deployment. This shift broadens the need for governments to protect privacy, especially as federal data collection by the Department of Government Efficiency (DOGE) creates concerns.
A March 20 EO issued by President Donald Trump, "Stopping Waste, Fraud, and Abuse by Eliminating Information Silos," raises questions for some.
“[The EO] … said that federally funded state programs will be required to report personal data to the federal government,” said Elizabeth Laird, director of equity in civic technology for the Center for Democracy and Technology (CDT), who described the new rule as a “significant shift.”
CDT is a nonprofit organization committed to influencing technology policy to maintain a free and open Internet. It conducts research and works across sectors and with different political parties to identify tech policy solutions, and holds informational events on topics related to tech policy.
This EO is relevant to both state and local agencies, Laird said, noting the EO did not specify what type of information and which programs will be impacted. The risk, she said, is that data that was collected for one intent could be used for another without the explicit consent of those who provided it.
At the federal level, since DOGE’s creation, Laird said it has become clear the agency perceives itself needing access to millions of people’s information. This data collection poses questions about the legality of such sharing, she said, especially with consideration to existing privacy protections.
“Most of the privacy protections that exist really focus on putting in place guardrails to prevent the sharing of personal data outside of agencies without the person’s consent,” she said, explaining this is based on the constitutional right to privacy.
At least 14 lawsuits have been initiated addressing the lawfulness of such data collection, according to Laird, who noted questions remain.
There are numerous existing privacy protections that may prevent the federal government from collecting data in this way. These include the Privacy Act of 1974, Internal Revenue Code Section 6103, the Fifth Amendment, the E-Government Act of 2002, the Computer Fraud and Abuse Act, and Social Security Act Section 1306.
While those protections are focused on federal agencies, Laird said she believes that some of them will also apply to states; and states also have their own privacy protection policies in place.
“So, if you are in a state or local agency, it’s going to be really important that you know what your local laws are — and that there are likely additional protections that will limit how you share information,” she said.
What remains to be seen, Laird said, is what may occur if there is a contradiction between state policy around privacy protections and federal data collection mandates.
Some states, like Pennsylvania, have reportedly denied federal access to state data in the past.
When asked about the March EO, Pennsylvania Office of Administration Director of Communications Daniel Egan said in an email that the office does not have an information technology policy that prohibits state agencies from sharing data with the federal government.
“However, there may be legal, security, privacy, confidentiality, or other considerations that could factor into an agency’s decision about sharing a specific data set,” Egan said.
In North Dakota, no current data policies, either statewide or specific to North Dakota Information Technology, conflict with the March EO, state CIO Corey Mock said via email. However, he noted, “individual agencies may have their own policies since they retain ownership over their data.”
North Dakota's data sharing is addressed in the state's open record laws, Mock said, explaining that state record classifications as defined in these laws are the state's foundation for data sharing policies.
Another state that denied federal access to state data in the past is Massachusetts; in 2017, the state declined to share voter registry information with the Presidential Advisory Commission on Election Integrity.
“Nothing in our state laws or regulations regarding authorized access to the state voter file has changed since 2017,” Debra O’Malley, communications director for the Massachusetts Office of the Secretary of the Commonwealth, said via email. State voter files, she said, are only accessible to entities specifically named in state statute: state party committees, statewide candidates, and statewide ballot question committee.
An EO cannot order a state directly to comply with data requests because it would be considered “unconstitutional commandeering,” according to an email from Sophia Cope, a senior staff attorney for the Electronic Frontier Foundation. Importantly, she underlined that the EO is directed to “agency heads” within the executive branch, rather than states.
If a state’s privacy laws prevent providing access to its data, Cope said the state could have to forego federal funding to comply with its own laws. If certain funding was granted to states with conditions enacted by Congress about data access, she said that would be an important consideration.
“However, if Congress directed funding to the states for various programs, and the president is trying to take that money away (unless the states grant data access), the president/executive branch is likely engaging in illegal impoundment, and the EO would be considered improper,” Cope said. Impoundment refers to a president withholding funds that were appropriated by Congress, a power limited by the Impoundment Control Act of 1974.
Issues with public trust in government already exist, Laird said, citing her own public-sector experience, which included more than two years as a deputy assistant superintendent at the Office of the State Superintendent of Education in Washington, D.C. Anything government does with people’s information, she said, must center on public trust. People who are impacted by data sharing practices should be part of the planning process for how data may be used, Laird said.
For governments that are trying to keep up with how these policies will impact them, groups like CDT are trying to track actions at the federal level and create resources to explain how these will impact other stakeholders.
State and local agencies should spend time assessing and understanding their own policies and best practices around data collection, management, and sharing, Laird advised. While the federal government’s actions have demonstrated a lack of transparency to some extent, she said, state and local leaders can proactively and publicly communicate how they are safeguarding constituents’ information.
In time, more information is expected to be revealed about the EO, Laird said, and what it will mean for state and local leaders.
