facebook-pixel

This new state office was created to keep government from snooping on citizens. Robert Gehrke explains why.

New state privacy officer is the latest step that puts Utah ahead of most states when it comes to protecting digital privacy.

Editor’s note  This story is available to Salt Lake Tribune subscribers only. Thank you for supporting local journalism.

Back in February, the northern Utah town of Mantua announced it had purchased a pair of license plate readers designed to capture and store the plates of every car traveling in or out of the city.

If a crime is committed, the data could then be searched and suspects identified by who was driving in the area and when.

But the police department, best known in the past for running the most notorious speed trap in the state, insists that monitoring, collecting, storing and potentially searching who goes where and when at any time in the town was not an invasion of privacy.

This probably seems a little hard to swallow for anyone a titch uneasy with living in a round-the-clock surveillance state, and the City Council agreed, voting to send the scanners back to the vendor.

Still, at a time when it is cheap and easy to gather and store massive amounts of data on citizens, the episode highlights how easily governments can intrude on our desire and right to just be left alone and how tricky it can be, especially for smaller towns and entities, to strike a balance and avoid pitfalls.

That’s where Whitney Phillips will come in.

Last week, Phillips was confirmed by the state Senate to be Utah’s first State Privacy Officer, where she will consult with more than a thousand state entities — from city governments to water districts, colleges and universities to schools — on the best practices for protecting citizens’ privacy and preventing data breaches.

“I want Utah to be a leader in this,” Phillips told me in an interview. “I think it’s going to prevent a lot of big problems in the future. Technology is just going to get faster and faster and privacy is lagging behind. … Utah government workers are good people. They want to do what’s right. They need help. They need support in knowing kind of what to do. And some of the things I think we’re going to come up with are going to help.”

Phillips, who spent the last four years as the privacy officer for the Utah State Office of Education, will work in tandem with Chris Bramwell, who was confirmed in July to a similar position overseeing privacy for state departments.

Working out of State Auditor John Dougall’s office, Phillips will be responsible for getting a handle on what sensitive information these thousand entities are gathering and why, how much of it is being stored and for how long, whether all of that personal data is actually needed and how it is shared between entities.

It will mean working with the state’s 12-member Personal Privacy Oversight Commission to devise best practices to help these local governments manage their information and policies on informing citizens what is being collected and how it is being used.

“One of my hopes over the next couple of years,” Dougall said, “is letting citizens better know what data their governments have on them so then we can have the next level discussion and debate, which is: How much should they keep?”

Phillips will also be responsible for advising these entities on how to protect the information they gather from hackers — like a ransomware attack last year that cost the University of Utah nearly half a million dollars, or one in July of this year where hackers demanded millions from Clearfield City (although the city did not have to pay the ransom).

A report earlier this year by the cybersecurity company Comparitech found that between 2018 and 2020, ransomware attacks cost U.S. government entities about $19 billion, including a 2019 attack that disrupted Garfield County’s government.

“That’s the one thing I think that keeps me up at night,” Phillips said. “My fear is you’re going to have someone opening the door to the fortress. You can build the walls as high and thick as you want, but if someone is opening the door or leaving it unlocked” the information is still vulnerable.

There is one more piece to Phillips’ assignment, one I like a lot, and that is a sort of privacy ombudsman: Any citizen who has concerns about the data practices of their local entity can contact the State Auditor’s hotline (hotline.utah.gov) and lodge a complaint that Phillips can investigate and work to resolve.

All of these measures — the two privacy officers working in tandem with the privacy commission — came from varying degrees out of the state’s problematic contract with the data collection company Banjo, which promised to analyze mountains of sensitive information to stop crime.

But Banjo will certainly not be the last of its kind. Big Data analysis is a field that is rapidly evolving and governments will have to scramble to keep up. It won’t be easy, but Utah has positioned itself ahead of most when it comes to protecting its citizens and their privacy.