Oregon lacks a senior official responsible for managing data privacy, which increases the risk that private, personally identifiable information is not appropriately safeguarded, according to an audit released by the Secretary of State. The findings are outlined in the report titled “The State Does Not Have a Privacy Program to Manage Enterprise Privacy Risk.”
State agencies collect and store personally identifiable information from virtually all Oregonians. This data includes health information, driving records, education data and more. However, auditors found there is no statewide official charged with assessing the risks associated with processing that information and ensuring appropriate response strategies are in place.
As a result, the state has not established a privacy program to assess and respond to risk. The state has also not established guidance on incident response roles when security incidents arise that involve personally identifiable information.
“Oregon has an ethical responsibility to safeguard the privacy of its citizens’ data,” said Secretary of State Bev Clarno. “It is important that a senior official is charged with ensuring risks to data privacy are understood and addressed throughout the state.”