AAMVA publishes Managing Data Privacy and External Access Best Practice
Motor vehicle agencies (MVAs) collect and store vast amounts of data, much of it containing personally identifiable information (PII). Past incidents of data being stolen from government and commercial entities have made consumers understandably nervous about the security of their information. MVAs are faced with the increasing challenge of balancing transparency with their obligation to protect personal data.
AAMVA is helping MVAs navigate this challenge with the Managing Data Privacy and External Access Best Practice report, published in February. The introduction states, “This document is a best practice guide for motor vehicle agencies to protect driver and vehicle records, provide access and authorize usage consistent with law, and apply effective and efficient approaches to internal and external audit practices.”
Although there are numerous data privacy documents, resources and information written for private companies, until now, nothing existed that addressed the specific complexities of MVAs. The Best Practice report was developed over a two-year process by a working group that included 12 jurisdictional experts who run data privacy programs in their jurisdictions. They took the unusual approach of opening the working group to other industry representatives, ultimately consulting with more than a dozen organizations, including private companies and law enforcement, to learn about various privacy practices and procedures.
This broad input allowed the working group to create the first comprehensive document on privacy protection that is tailored to MVAs.
One of the key components of this document is data governance, covered in Chapter 1. Data governance is the framework of rules, processes, responsibilities and formal decision-making used to manage data. In a 2019 AAMVA survey of MVAs, only about half of respondents were aware of a data governance program at their agency. The remainder indicated they did not have a data governance program, they were not sure if their jurisdiction governed the use of data, or they were not familiar with data governance. The Best Practice report provides data governance models that will be useful to a variety of MVAs, from those that lack data governance to those that want to enhance their current structure.
Another highlight of the document is the chapter on compliance and audits. A compliance and audit program ensures that appropriate policies and procedures are in place and helps enforce data protection requirements. This chapter covers how to monitor data recipients’ use of their access to MVA records to make sure outside organizations are receiving PII appropriately and protecting it as much as the MVAs do.
Sharing data is an essential function of MVAs. The Driver’s Privacy Protection Act (DPPA) and local laws protect PII in the United States, and they also permit or require disclosure for certain reasons, such as motor vehicle or driver safety and theft. In order to balance the dual obligations to share data and keep it safe, every MVA must have robust practices in place to manage data privacy and external access of PII. AAMVA’s Best Practice report provides a much-needed comprehensive look at how to do just that.