As part of Industry Insider — California’s ongoing efforts to educate readers on state agencies, their IT plans and initiatives, here’s the latest in our periodic series of interviews with departmental IT leaders.
Chris Pahl is chief privacy officer (CPO) at Santa Clara County, a role he has had since December. He is also appointed adviser to the Data Privacy and Integrity Advisory Committee for the U.S. Department of Homeland Security, a position he has held since December 2020. Other previous roles include serving as cybersecurity governance senior manager at Southern California Edison during a more than 14-year career that ended in December; and, before that, serving as senior compliance officer and privacy and anti-money laundering officer at AIG Retirement Services from June 2004-November 2008 before joining SCE.
Pahl has a Master of Business Administration in global business from the University of Phoenix; master’s degrees in organizational leadership and quality assurance from, respectively, National University and California State University, Dominguez Hills; and a Doctor of strategic leadership from Regent University.
Industry Insider — California: As CPO at your organization, how do you describe your role? How have your role and responsibilities changed in recent years in terms of their intersection with IT and innovation?
Pahl: The Privacy Office’s role is to serve the county of Santa Clara by helping to ensure that privacy is safeguarded and treated with integrity and respect. Building strong relationships with stakeholders and commitment to public service are fundamental to building the trust to embed privacy by design, assessing risk, and providing guidance and training. By focusing on privacy in technology and developing public-private partnerships, the Privacy Office strives to balance the county’s need to collect and process personal information with its responsibility to protect it. Not unique to the county, all companies are tackling innovation and technology to make their operations more efficient. Inherent with any new process or technology is the risk that personal information may be used in ways inconsistent with the organization’s risk framework or the data subjects’ expectations. Privacy offices must be more technologically versed to be effective stewards in company processes and provide value-added input as new technology is introduced frequently. This requires all staff to continuously learn about new technologies, including risks and potential benefits. Strong partnership with cybersecurity assists with building unified positions on the technology’s benefits and risks.
IICA: Does your organization have a strategic plan, and may we hyperlink to it? How big a role do you personally play in writing that strategic plan?
Pahl: The county of Santa Clara Privacy Office’s vision and mission statements may be found here. The vision and mission statements will be revalidated in the coming year, as the current chief privacy officer started in December.
IICA: In your opinion, what should local government be doing more of in technology?
Pahl: Like the private sector, local government should be familiar with emerging technology but prioritize investments based on the public good. However, even the most benign technology must be carefully assessed to ensure the technology does not introduce unintended privacy or security risks. I firmly believe that government agencies and monopolies within the private sector, such as investor-owned utilities, have a higher ethical obligation to ensure their clients’ data is used ethically to help them procure services, including connecting to resources or finding public documents, as these individuals cannot choose a provider. Where it makes sense, more routine, manual transactions may initially be considered for automation, allowing the agency to redeploy staff to more complicated work. In addition to technology implementation, government agencies must be transparent with new technology to allow their users to understand its impacts and benefits. Sometimes, the most significant misunderstanding comes from entities not assessing their clients’ concerns during the technology procurement and implementation phases. The Privacy Office is uniquely positioned to support client concerns and shape business requirements, balancing public good with risk.
IICA: How do you define “digital transformation?” How far along is your organization in that process, and how will you know when it’s finished?
Pahl: I follow the CIO publication’s definition of digital transformation, calling it a “necessary disruption.” CIO defines digital transformation as “the rethinking of how an organization uses technology, people, and processes to pursue new business models and new revenue streams, driven by changes in customer expectations around products and services.” While local governments do not prioritize new revenue streams in their business models, they must always consider client expectations, both pre- and post-implementation expectations. Technology is rapidly changing, and local governments must continue to work with their stakeholders to monitor technology uses and effectiveness, which is where well-defined and integrated privacy controls will help monitor outcomes. It is common that new technology continues to have new functionality rolled out in phases. Those future implementations may change the risk profile as more sensitive data is added or processed. Again, as technology changes, clients need to be kept informed and the privacy office can assemble the appropriate internal stakeholders to address when technology risk outweighs the benefit. Digital transformation will continue as private and public entities constantly assess how technology, people and processes can be modified to meet customer expectations.
IICA: What do you read to stay abreast of developments in the gov tech/SLED sector?
Pahl: I read various journals and articles to stay abreast of technology, such as The Wall Street Journal’s technology publication, the Daily Dashboard from the International Association of Privacy Professionals (IAPP), and the National Institute of Standards and Technology (NIST) frameworks and newsletters. Also, various law journals and alerts help understand how the legal community may shape future technology uses.
IICA: What are your hobbies and what do you enjoy reading?
Pahl: I enjoy environmental and youth-oriented volunteer programs. Before relocating to the Bay Area, I was involved as a Court Appointed Special Advocate (CASA) for foster kids and hosted high school foreign exchange students. I am still involved with the Griffith Observatory Foundation in Los Angeles. I enjoy music, sports and dining out. Admittedly, my loyalty to professional football teams is in conflict as I am a Los Angeles Rams and San Francisco 49ers season ticket holder. However, there is no dispute that the UCLA Bruins is my college team of choice. I do not have much time for reading, but when I do have time, I like to read books on various privacy and security and more general topics, such as National Geographic. However, the most iconic privacy book is George Orwell’s 1984.
Editor’s note: This interview has been lightly edited for style and brevity.
County Privacy Officer: Local Government Should ‘Prioritize Investments Based on the Public Good’
