Among those, privacy has long been a strong concern for Goulet, who is seeking approval to bring on a state chief privacy officer. That goal’s getting closer, with the position making it into the latest budget. Still, Goulet needs legislation passed and compensation set before he can start hiring.
In the meantime, the state’s been working to inventory and classify its data. As Goulet thinks about privacy, he’s focused on the idea that agencies should have access to only as much sensitive data as absolutely necessary. For example, a Health and Human Services (HHS) official may need to conduct a background check on a foster parent applicant. But the HHS official doesn’t need to store any sensitive law enforcement information about that person. Instead, the official can just store the answer — yes or no — to whether the would-be parent has a disqualifying criminal record.
Some of New Hampshire’s approach to cybersecurity can also be a good model for approaching privacy. In both cases, Goulet said a primary goal is to create a culture in which everyone understands the guardrails and sees maintaining privacy — or cybersecurity — as everyone's responsibility.
And just as New Hampshire has a Cybersecurity Advisory Committee, Goulet would like a similar body to advise on privacy.
Privacy is also a concern as the state considers how to use AI. Agencies must be very careful with resident data used to train AI functions, ensuring the data “doesn’t end up in the wind as part of a relationship with a vendor who’s supplying us AI technology,” Goulet said. The state will also need to examine how existing privacy laws affect potential AI use cases.
New Hampshire has released its Code of Ethics for AI Systems, and IT has been trying to help state officials understand potential business cases for AI and how to implement them.
“What I found is that AI really isn't going to be helpful unless you understand that it's a different approach; you have to think differently to make it create business value,” Goulet said.
A current bill would charge the Department of IT with enforcing ethical AI rules on the executive branch, but Goulet says he plans to testify against such an approach. Taking on this kind of “traffic cop” role would be a departure from IT’s traditional relationship with agencies, he said, and his team lacks the visibility to know when agencies incorporate AI capabilities into their solutions.
But one big reason for Goulet’s opposition is he also believes it’s too soon to turn ethical guidelines into statute. The state doesn’t yet know enough about AI to be able to pinpoint legislation in a way that precisely bans dangers without also having a “chilling effect on the positive things we could do” with it, he said. Language in the current bill might limit helpful use cases while trying to prohibit harmful ones.
New Hampshire has also been building a whole-of-state approach to cybersecurity, fueled in part by State and Local Cybersecurity Grant Program funds. One initiative is the popular “.Gov In a Box” program that provides funding and assistance to local governments to shift over to .gov websites. Local entities often need help with the logistics and administration, and the state has been securing contractors to provide just that.
Other federal funds will be deployed in 2024, too. The state is planning to put its American Rescue Plan Act funding toward modernizing systems. As New Hampshire looks to improve customer service, it’s particularly focused on relationship management, licenses and permitting. Improvements there could affect many people. For example, it could make it easier for homeowners to get septic tank permits, or for qualified people to get nursing licenses. And New Hampshire IT is also working to train agencies on agile and minimum viable product implementation methodologies. This sees agencies quickly adopting solutions and subsequently modifying them based on constituent feedback.
Alongside a presidential election, New Hampshire is gearing up for a change in governor. Goulet was already reconfirmed for another four years back in May 2023, but a new governor could impact IT’s projects or processes. For example, a policy change around Medicaid benefits would affect IT work on eligibility and claims systems, or a new governor may want to receive cybersecurity briefings with a different frequency or format. And Goulet might need to quickly revise the IT budget proposal under the new governor’s direction.
Having been through a gubernatorial transition before, Goulet says the most important thing that a CIO can do is listen and learn about the new governor’s focuses and priorities.
