Data Privacy and Information Technology Security Governance Board

This board was established by HB2 Section 126-A:102, to oversee the Department of Health and Human Services' use of data, data privacy, and information technology security. Meetings will be held 3 times a year with meeting minutes posted within 2 weeks of meeting. 

Board Members

The Data Privacy and Information Technology Security Governance Board (Board) shall consist of the following members:

• The commissioner of the Department of Health and Human Services (Department), who shall serve as the governance board chair.
• The Department's privacy officer.
• Three directors of the Department who have responsibility for one of the following areas: Medicaid services, public health, behavioral health, children, youth and families, or long-term support and services.
• The director of the Department's Bureau of Human Resource Management.
• The director of the Department's Bureau of Information Services.
• The Department's chief legal officer.
• The commissioner of the Department of Information Technology.
• Up to 2 additional voting members appointed by the commissioner of the Department, if needed.

Duties  

The Board shall:

1. Meet at least 3 times a year and post public facing meeting minutes within 2 weeks of the completion of each meeting on the department's web page.
2. Become educated in what data governance means, how it will work for the organization, and what it means to embrace data governance and activate enterprise data stewards.
3. Actively promote improved data governance practices across the Department.
4. Identify and approve of pivotal data governance roles and responsibilities for the Department including cross-enterprise domain stewards and coordinators.
5. Advise, review, and approve the Department's data control, governance, and privacy practices in compliance with federal and state law and federal and state information privacy and security policies, with the goal to meet or exceed private market benchmarks for governance, risk management, and compliance.
6. Drive strategic and timely implementation of a department-wide privacy policy, related procedures and processes to operationalize policy-derived controls, and effective risk management methodologies, including industry standards such as privacy impact assessments and privacy by design.