Collecting, storing and sharing data is essential to a DMV’s function. This data isn’t just license plate numbers, either. It includes everything from personally identifiable information, vehicle information and driving records to details on individuals’ health, finances and employment. This data is essential beyond roadways, too; air travel and public safety also rely on this information.

Accordingly, a robust data governance system is crucial for managing such a large volume of sensitive information. “Data governance promotes or encourages data integration consistency, reduces risk and is compliant within the various regulatory frameworks that may exist,” says Julie Knittle, AAMVA’s regional director for Regions 3 and 4. “It adds a level of accountability as well.”

This accountability is only growing more important, especially given that jurisdiction-issued ID is at the nexus of many identity efforts. “A driver’s license is critical to drive a motor vehicle, and you must have proof of identity to gain credit. The ability to get on airplanes now is tied to the information at the DMV,” says Mike Wyatt, a principal at Deloitte & Touche LLP and the Global Identity Offering leader of the Cyber & Strategic Risk practice of Deloitte.

Establishing a framework

In the United States, DMVs are subject to the Drivers Privacy Protection Act (DPPA), as well as state privacy and public records laws. In Canada, the Consumer Privacy Protection Act (CPPA) provides rules for handling personal information. These laws regulate the protection and sharing of certain data, but they don’t dictate how DMVs handle data governance. It is up to each DMV to create a framework that promotes data accuracy, accessibility and security.

“These laws regulate the protection and sharing of certain data, but they don’t dictate how DMVs handle data governance. It is up to each DMV to create a framework that promotes data accuracy, accessibility and security.”

To develop a well-defined approach, frameworks like the DAMA Data Management Body of Knowledge can be a handy guide. “You can take the general principles there and align them with the size of the organization, using the structure that it provides,” Wyatt says.

This data framework enables an organization to establish standard terminology, define key functions and roles, and build methodologies to effectively manage data. According to Wyatt, core policies and controls should include data quality rules, such as mandatory address standardization and state-to-state pointer checks; defining the different types of data and who has access to them; and establishing data lifecycle and retention policies aligned with the Department of Homeland Security (DHS) guidance.

Creating a diverse team helps establish and maintain the data governance framework. “The governance decisions need to be made by a team with an agency-level view,” says Will Saunders, data stewardship and privacy administrator at Washington State Department of Licensing. “One of the key components of our data governance strategy is what we call our data governance committee.”

Saunders says this group typically includes individuals from various agency areas, such as legal, compliance, IT and data management, as well as some members from outside the agency. This gives the committee a holistic view of the agency and the various data stakeholders.

It’s also important that agency leadership is involved. “Data governance starts and should be supported from the top and works its way down,” Knittle says. “It has to be supported at all levels if you’re going to have true governance and integration.”

Data quality

A data governance system is only as effective as the data it contains. After all, the volume and variety of data that DMVs handle can lead to challenges with accuracy and consistency.

As an example, Saunders points to a common data point: addresses. “There’s a big difference between a home address and a registered vehicle address, particularly when you’re talking about company vehicles,” he says. Defining common terms and how they are used in the data system helps avoid misunderstandings. “We have a business glossary that goes into a new employee orientation and is available to staff all the time, and it’s amazing how useful it’s been,” Saunders says.

Knittle emphasizes that providing formal training for staff on data levels, types, processes, policies and risks is crucial for effective data governance. Saunders adds that his organization has started providing education on data literacy, so employees not only know how to handle the agency’s data but also understand it. Both agree that training should be ongoing, ideally repeated annually.

When mistakes are made, there should be policies and people in place to fix them.

“DMVs are responsible for issuing documents that enable people to function bureaucratically within our society,” Saunders points out. “A mistake by a DMV can lead to serious consequences for a customer.”

The Washington State Department of Licensing has a team in the Support Services department that is dedicated to corrections. The privacy section of their website details an individual’s rights regarding their data and how to request a correction. “If a customer finds that something about their data is wrong, we do our best to correct it as quickly as we can,” Saunders says.

Privacy and data security

DMVs collect data with varying degrees of sensitivity, some of which is governed by the DPPA and state laws, such as the California Consumer Privacy Act (CCPA). Saunders refers to the National Institute of Standards and Technology (NIST) as a resource for cybersecurity standards, guidelines and best practices. Every system should be built with industry-standard security. However, security breaches or unintentional data loss may still occur, whether from human error, cyberattacks or other issues.

Wyatt advises implementing access controls, data masking and tokenization to limit data exposure. “Only provide the information to the DMV staff that they need to perform their job function,” he says.

“When sharing data with an external organization, it’s important to have a clear legal agreement in place that defines what will be shared, how the organization may use the data and how to address contract breaches.”

In addition, Wyatt cautions DMVs against storing data that is no longer needed. “One of the things we find is when an adversary gets into a system and is able to take data away, a lot of times there’s an excess amount of data that was retained beyond the legal retention limits. That’s very unfortunate and easily preventable,” he says.

Data sharing

DMVs must strike a balance between keeping data secure and facilitating data sharing. Various entities, such as auto manufacturers, commercial data brokers and law enforcement agencies, require different levels of access to DMV data.

When sharing data with an external organization, it’s important to have a clear legal agreement in place that defines what will be shared, how the organization may use the data and how to address contract breaches. Saunders adds that the agreement should have a defined, limited term.

It is also essential to share data using encrypted, secure formats. “A lot of times, I’ll see information that is encrypted within the DMV environment, but when it is shared, it is put into plain text and insecurely transferred,” Wyatt says. Best practices for sharing sensitive data include using an application programming interface (API), which allows a computer-to-computer connection governed by a set of rules and protocols.

Keep in mind that not all data requests require the highest level of security. Saunders suggests looking for alternative methods for sharing non-protected information.

“We’ve been able to replace some of our confidential data contracts with non-confidential open data,” he says. “It lets us do the data cleanup ahead of time, make sure that it’s understandable and well documented, and then we put it out there where people can get it through the state’s open data portal. This relieves our staff of supporting yet another technology system.”

Hands-on approach

Data governance is a continuous effort. “It’s not just one-and-done,” Knittle says. “The world of data privacy is changing rapidly.”

Having a strong data governance framework in place enables an agency to adapt to the changes more easily. “If they have the foundational elements in place, they can look at the current environment and anticipate the impacts of change—things like moving to a mobile driver license and the risks and opportunities of various AI tools,” Wyatt says.

No matter how the technology landscape changes, one thing remains constant: Data governance begins with people and processes.