Vermont Governor Signs Bill Requiring Data Privacy Inventory of Citizens’ PII
On March 5, 2020, Vermont Governor Phil Scott signed into law Senate Bill 110, “An act relating to data privacy and consumer protection,” which provides authority to develop a statewide data privacy inventory of the personally identifiable information (PII) that the state collects from and maintains about its citizens.
According to the bill, the data privacy inventory will be developed by, and be the joint responsibility of, the State Court Administrator of the Judicial Branch, the Director of Information Technology for the Legislative Branch, and the Chief Data Officer of the Secretary of State’s Office for the Executive Branch. Those individuals will be responsible for directing the state’s efforts in conducting a privacy audit around 1) the state and its agencies’ collection of residents’ personal information; 2) state and federal laws applicable to PII; and 3) arrangements or agreements, whether oral or in writing, about the sharing of PII between agencies; and for 4) providing recommendations to the Governor for proposed legislation regarding the collection and management of PII.
The bill also expands the definition of personal information subject to the Security Breach Notice Act to include biometric information, genetic information, taxpayer identification numbers, health, medical diagnosis or treatment information, and health insurance policy numbers.
Back to the data privacy inventory. This is also called “data mapping” in the privacy world.
Mapping which state agencies collect, use, maintain and disclose citizens’ personal information will be a monumental task, even in the small state of Vermont. Nonetheless, as private businesses have learned over the years, it is nearly impossible for an organization to assess the risk of the data it has in its possession, or to put measures in place to protect that data, if it doesn’t know where the data is or what is being done with it.
It is unclear how many states are trying to accomplish this task, but when you look at the amount of sensitive personal data states collect and maintain, this is a worthy and impressive goal by the legislators and Governor. Kudos to lawmakers in Vermont, and may other states follow in Vermont’s footsteps.