Why Data Privacy Should Be Central to Your Data Governance, and How to Achieve It

Why Data Privacy Should Be Central to Your Data Governance, and How to Achieve It

By Carlos Rivero, VP of data and analytics, GCOM

State and local agencies amass great quantities of data about residents and the demographic, societal, and health factors that influence them. The more they can leverage this data, the better they can target services and ensure government programs achieve desired outcomes.

At the same time, agencies have a responsibility to safeguard the personal identifiable information (PII) of the individuals they serve. After all, if data is misused or falls into the wrong hands, that breach can result in significant negative consequences for the people affected as well as damage the reputation of the organization. Residents have a right to expect that their privacy and confidentiality will remain protected.

The agencies GCOM partners with take their responsibility to shield resident data seriously. So, it’s no surprise more and more organizations are interested in best practices for protecting resident data and maintaining trust in government.

The good news for agencies and residents alike is that there are effective strategies for safeguarding PII. Making data privacy central to data governance can do more to protect privacy than cybersecurity technology alone.

In 2020, nearly 2,400 state and local governments, healthcare facilities, and schools were victims of ransomware, according to the security firm Emsisoft.

Converged Datasets, Separated Data Streams

For government, the purpose of data governance is to manage data in a way that makes it optimally useful to agencies and the communities they serve. But an equally important purpose is to protect the privacy of residents.

Yet there needn’t be a dichotomy between data utility and data privacy. After all, the value of data analytics isn’t derived from identifying individuals, but through understanding trends and uncovering opportunities to benefit individuals. You can apply data analytics to improve agency operations and services without needing to see the PII of the people you serve.

A recent Pew Research report found that 8 in 10 Americans now feel they have little to no control over how their data is collected by the government or private companies.

How do you achieve the goal of understanding data without placing PII at risk? The key is to categorize data attributes so that even if you’re converging datasets to gain new insights, you’re not combining data streams that identify individuals.

Some data attributes refer to trends that affect residents – such as rising unemployment rates – or to services consumed by residents – such as whether they receive Supplemental Nutrition Assistance Program (SNAP), are enrolled in the state’s Medicaid program, receive unemployment benefits, or have been treated for an opioid overdose. Other attributes, in contrast, refer to the identity of specific individuals – such as name, date of birth, Social Security number, driver’s license number, as well as other identifying attributes.

You can keep those categories of attributes separate by creating a universal entity index. The universal entity index acts as a crosswalk table linking residents across programs, benefits, or systems – without using any PII.

That way, you can understand which residents are included in multiple datasets, and whether that has implications for targeting existing services or creating new services. But you never actually see data that identifies an individual.

Data Trusts and Data Privacy

A great example of data governance centered around data privacy is the Commonwealth of Virginia’s Framework for Addiction Analysis & Community Transformation (FAACT). We collaborated with the state to create this interagency data-sharing platform, which has empowered agencies to address opioid use.

FAACT identifies demographic differences in opioid user populations to better respond to their needs. It enables law enforcement and healthcare organizations to respond to usage spikes, and it helps evaluate the impact of relevant agency programs. For example, one FAACT dashboard shows local leaders the distance between an overdose incident and the nearest medical facility or support center, allowing them to identify areas where more resources are needed. Another dashboard helps leaders understand the correlations between unemployment trends and opioid use.

The innovative approach to data sharing was enabled by a data trust. A data trust is a legal framework that defines the roles and responsibilities of the entities that participate in the data sharing relationship. Whether your organization is a Data Trust Member whose data is available through the trust, a Data Trust User leveraging trust resources for specific projects, or the Trustee responsible for managing the operations of the trust, each organization certifies they understand their roles and responsibilities and compliance with the rules established by the governance body. In addition, the governance body carefully vets members and oversees data sharing to ensure members adhere to the rules.

FAACT members can converge datasets – such as police incidence reports, EMS dispatches, and hospital admissions – to predict and respond to spikes in opioid use. But they can see only a universal entity index, not resident PII. Even the small team that manages creation of the universal entity index is constrained by cybersecurity controls such as access management, security logs, and audits.

Going forward, your agency will manage more and more data that pertains to residents, and data analytics will give you new opportunities to serve those residents more effectively. When data privacy is central to data governance, your data will deliver real resident outcomes without sacrificing their privacy.