March 14, 2024
The Data Integration Support Center (DISC) at WestEd helps public agencies that seek to make informed decisions that benefit the whole child, whole person, and whole communities. In the third blog in our series about DISC’s work, experts Sean Cottrell, LeAnn Fong-Batkin, and Laia Tiderman describe how public agencies can accomplish their missions and goals while navigating the intricacies and preponderance of data privacy laws.
Why are there so many new privacy laws being introduced every year?
Sean Cottrell: The greatest factor contributing to this movement is the increasing awareness and concern about data privacy among the public and policymakers. High-profile data breaches, misuse of personal information, and advancements in technology have highlighted the need for stronger privacy regulations. As a result, many states are introducing their own laws to fill gaps left by federal regulations and to address unique concerns within their jurisdictions. Additionally, some states want to ensure that their residents’ privacy rights are protected when federal laws are perceived as lacking or insufficient.
LeAnn Fong-Batkin: Concerns about privacy are widespread throughout the country. With prevalent data leaks and breaches occurring frequently, the public wants to protect themselves and their information. State legislators and governors are listening and passing privacy laws.
Laia Tiderman: Legislators are also responding to the success of consumer protection laws to remediate harms, but those laws focus on the aftermath rather than the prevention of a data breach.
Worst-case scenario: What happens when public agencies do not understand the impact of proposed legislation?
SC: Several things happen. First, they may inadvertently violate the legislation, leading to legal liabilities and penalties. Second, they may not adequately protect individuals’ privacy rights, resulting in breaches of trust and public outcry. Third, their operations and services may be disrupted or inefficiently adapted to comply with the new requirements, leading to wasted resources and diminished effectiveness. Finally, lacking understanding of the legislation can hinder the agency’s ability to provide guidance and support to the public, further exacerbating confusion and compliance challenges. Therefore, it’s crucial for public agencies to invest in understanding and properly implementing new data privacy laws to avoid these pitfalls.
LFB: Ideally, the public agencies that might be directly affected should be consulted prior to the legislation passing. This can help prevent unintended consequences that can result in state laws that are too restrictive or are not restrictive enough.
The UC Berkeley Center for Long-Term Cybersecurity’s white paper details the effects and unintended consequences of the European Union’s General Data Protection Regulation (known as GDPR) and the California Consumer Privacy Act that include vague language and costly implementation. The authors of the white paper also note that it is important to use consistent language.
LT: As a former public servant, I was often in the position of figuring out how to implement legislation that resulted in administrative burdens to the people we served or did not have the legislature’s desired effect. Ideally, legislation sets high-level policies or priorities, and the public agency’s regulations describe how that policy or priority is operationalized.
When new laws are introduced, how do public agencies make sure that they are following the rules and keeping people’s information safe?
LFB: Public agencies should work with their legal counsel, data privacy office, and program staff to ensure that they are properly following current laws and any new rules that result from new legislative bills. Ideally, there would be a governance committee that can help determine any changes and implement these new laws and regulations, keeping people’s information safe.
LT: LeAnn is absolutely correct. This is where organizational governance comes in. The agency’s governance structure should support the analysis and execution of new laws.
SC: In addition to the measures LeAnn and Laia mention, there are several specific measures that public agencies can use to ensure compliance:
- Training sessions and awareness programs can be conducted to educate employees about the requirements of the new laws, proper data handling procedures, and the importance of protecting individuals’ information.
- Agencies should review and update their policies, procedures, and internal controls to align with the new legal requirements, incorporating measures such as data encryption, access controls, and data retention policies.
- Agencies should also conduct assessments to identify the potential impact of new laws on their data processing activities, including the collection, storage, and sharing of personal information.
- Agencies should appoint Data Privacy Officers responsible for overseeing data protection efforts, ensuring compliance with relevant laws, and serving as points of contact for data privacy inquiries.
- Regular audits and monitoring activities are conducted to assess compliance with data privacy laws, identify vulnerabilities, and address any issues or discrepancies promptly.
- Public agencies should also collaborate with industry associations, legal experts, and other government entities to share knowledge, best practices, and resources for achieving compliance with data privacy regulations.
How does DISC help public agencies navigate these complex regulations and understand the impact of new laws on their existing systems for collecting and sharing data?
LFB: We help public agencies by providing technical assistance—whether it is for a statewide longitudinal data system or an integrated data system. Our team can help agencies review legislation and regulations, provide advice on implementation plans, and ensure the agency’s plans will properly implement the new laws.
For example, DISC helped California design its legal and technical framework that consists of legal agreements and data and security policies.
SC: There are several ways that our team can help:
- educate agency staff about the requirements of new data privacy laws and provide customized training to ensure they understand how the laws impact their existing data collection and sharing processes
- evaluate the agency’s current data infrastructure and practices against relevant regulations to identify areas of noncompliance and provide recommendations for aligning with the new laws
- develop and update policies, procedures, and guidelines to reflect the requirements of new data privacy laws based on the specific needs and challenges faced by the agency
- integrate privacy by design principles into the agency’s processes and systems, ensuring that privacy considerations are incorporated from the outset of any new projects or initiatives
- provide ongoing support, including monitoring regulatory updates, offering guidance on emerging privacy issues, and assisting with periodic audits to ensure continued compliance
We believe legislation is an important tool to protect all communities. With DISC’s support, agencies can accomplish their goals while ensuring regulatory compliance.
Learn more about the WestEd Data Integration Support Center.
Read the first two blog posts in this Q&A series:
- Building and Modernizing Integrated Data Systems to Support the Whole Person
- Privacy Within Data Integration Systems: Q&A With DISC’s Laia Tiderman and Sean Cottrell
Sean Cottrell is the Director of Operations for DISC, where he provides strategic oversight and administrative functions. Along with serving as a senior subject matter expert on privacy law and governance, Cottrell also serves as partnership director by seeking opportunities to align and support similar efforts to advance the development of integrated data systems.
LeAnn Fong-Batkin is the Senior Project Manager for Intersegmental Data Systems for the WestEd Center for Economic Mobility. She provides consultation and facilitation for the implementation of the California Cradle-to-Career Data System and other intersegmental data projects, including WestEd’s DISC.
As Associate Director for DISC, Laia Tiderman connects DISC’s subject matter experts and resources with public agencies, identifying gaps and developing solutions with states to support the development of integrated data systems. She leads the development of DISC tools and resources to support public agencies in their integrated data system modernization.