Skip to Content

Secretary of state audit: Oregon lacks program to manage data privacy risks


SALEM, Ore. (KTVZ) — Oregon lacks a senior official responsible for managing data privacy, which increases the risk that private, personally identifiable information is not appropriately safeguarded, according to an audit released Wednesday by Secretary of State Bev Clarno.

The findings are outlined in a report entitled: “The State Does Not Have A Privacy Program to Manage Enterprise Privacy Risk.”

State agencies collect and store personally identifiable information from virtually all Oregonians. This data includes health information, driving records, education data, and more.

However, auditors found there is no statewide official charged with assessing the risks associated with processing that information and ensuring appropriate response strategies are in place.

As a result, the state has not established a privacy program to assess and respond to risk. The state has also not established guidance on incident response roles when security incidents arise that involve personally identifiable information.  

“Oregon has an ethical responsibility to safeguard the privacy of its citizens’ data,” said Secretary of State Bev Clarno. “It is important that a senior official is charged with ensuring risks to data privacy are understood and addressed throughout the state.”

Read the full audit on the Secretary of State website.

KTVZ news sources



  1. If this were the private sector, people would be held accountable and fired. But not here in Oregon, this will likely result in promotions of people who have failed at previous projects. The amount of money the DAS EIS division has wasted on failed projects in the last 10 years is staggering, 100’s of millions, and now we lean that our incompetent leadership can’t even protect our PII data.

Leave a Reply

Skip to content