MADISON - To better protect
sensitive personal information kept by state government,
including Social Security numbers, more should be done to
train employees on how to handle such data, a new report
recommended.
Gov. Jim Doyle said Tuesday
that all recommendations made in the report by Milwaukee-based
Metavante, Inc., should be implemented. He called for a new
training program for state workers, appointment of privacy
officers in every agency and annual risk assessments.
Doyle also said all state
agencies should stop using Social Security numbers, unless
required by law, as soon as possible to improve the protection
of private information.
The Metavante report was not
highly critical of the state's efforts to protect private
information, despite two high-profile breaches this year.
Instead, it noted a number of strengths, including existing
privacy policies and procedures and an ongoing effort to
consolidate computer servers to allow better control of
sensitive data.
Sen. Ted Kanavas, R-Brookfield,
a frequent critic of the state's efforts to protect private
information, said the recommendations, such as not using
Social Security numbers as identifiers, were obvious and
should have been implemented years ago.
"The recommendations are
pretty pedestrian," Kanavas said. "It's pretty sad
that practices the private sector have been using for 20 years
are suddenly news to the government."
Implementing the
recommendations will take "significant resources,"
but they are a priority, said Linda Barth, a spokeswoman for
the Department of Administration. A timeline is being
developed, she said.
The report recommends
developing standardized privacy and training programs across
state government, including establishing procedures related to
who collects, processes, stores and transmits sensitive
information.
And while the report said there
are "reasonably sound security measures in place," a
formal testing program should be started to determine whether
those controls actually work.
It also recommended creating a
program to determine just where all the sensitive information
is kept within state government. Given all the new ways to
transport information — including laptops and memory sticks
— that could be a "daunting task," it said.
The report also called for
greater consistency in handling contracts with vendors outside
of state government.
One of the security breaches
this year was by Texas-based EDS, a company that contracts
with the state for Medicaid services. EDS sent a mailing to
260,000 Medicaid, BadgerCare and SeniorCare recipients with
their Social Security numbers on the address labels.
Later in January, there was
another security breach when up to 5,000 tax forms were
improperly folded so that Social Security numbers could be
viewed from the address label.
Metavante, a company that
focuses on financial services and privacy protection, did the
review for free. Its report was dated Monday and released
Tuesday along with Doyle's letter.
The state maintains a wide
array of personal information, not just Social Security
numbers. It has driver's license numbers, phone numbers, e-mail
addresses, financial account numbers, health information and
criminal histories. Any or all of that information could be
used to steal a person's identity.
There have been no reported
cases of identity theft stemming from the two incidents this
year in which Social Security numbers were revealed on the
state mailings.
"The citizens of Wisconsin
trust that state government is doing everything possible to
protect their sensitive information," Doyle said in a
letter to DOA Secretary Michael Morgan. "We will work
diligently as an administration to ensure their trust is well
placed."
The Metavante report comes
after Doyle ordered state agencies in January to conduct their
own audits of how they handle sensitive information.
Heavily edited copies of those
audits were released to The Associated Press two hours before
the Metavante report was made public. The AP requested the
reports on Feb. 5.
Those reports show
inconsistencies across state government in the handling of
sensitive data, who has access to it, training of those
employees, and procedures in case of a breach.
In many cases, the agencies'
responses regarding a plan to respond to a security breach were
edited out.
Details including what private
information the state holds, methods used to secure it, and
potential weaknesses in its handling of that information, were
withheld because releasing it could "provide a 'key to
the lockbox' to potential hackers and identity thieves,"
said Cari Anne Renlund, the head attorney for the Department
of Administration.
Releasing the audits with the
edits strikes the proper balance between protecting the
information and giving public access to the audits, Renlund
said.