The Rise of the Chief Privacy Officer
January 02, 2020 by Melissa Crowe
Photo credit: DJANDYW.COM AKA NOBODY/Flickr
City governments across the U.S. are grappling with how protect residents' privacy while increasing the use — and value — of smart technologies in the cloud.
Chief Privacy Officers, long employed in the private sector, are increasing in demand among government agencies.
Today, at least eight states have them, and a handful of cities, including Los Angeles, New York City, Santa Clara, and Seattle.
When it comes to implementing policies — where the public's information is concerned — Seattle is recognized as being ahead of the game. It was one of the first cities in the nation to establish a Privacy Program and Chief Privacy Officer.
In light of Cybersecurity Month, Ginger Armbruster, the city's Chief Privacy Officer, caught up with Tyler Technologies Inc. to talk about her role in keeping residents' information safe while providing needed public services, the public perception about data collection, and best practices to get organizational buy-in for a privacy program.
- Name:Ginger Armbruster
- Title: Chief Privacy Officer
- Hired: July 2017 after previously serving as the city's privacy program manager
- Duties: Ensure data use aligns with Seattle's Privacy Principles
- Previous role: Senior Privacy Manager in the Office of Marketing at Microsoft Corp. resolving multi-million-dollar marketing initiatives.
- Accolades and Honors: Recipient of the National Science Foundation's Scholarship for Service Program (CyberCorps), graduate of University of Washington's Infrastructure and Planning Management master’s program with a focus on critical infrastructure cyber resiliency
- Why work in the public sector: "How we handle information affects my community, including me and my family, and I like directly participating in the decisions about how we behave as a city."
Establishing a Privacy Program
Shifting technologies are changing the way cities operate.
And while there's the potential to improve operations, increase efficiency, save money, and more, there are also concerns about privacy. In some communities, residents and officials are even pushing for constitutional amendments to protect privacy in a digital age.
In Seattle back in 2014, residents and city council members were concerned about the use of smart technology, including drones, police body-worn cameras, advanced utility meters, wireless mesh networks, and waterfront surveillance cameras.
“The issue wasn't that technologies were being used for nefarious purposes, it was that people didn't know how or why they were being used,” Armbruster says.
The city wanted to stand up a privacy program to help the public understand what data was being used, what it was being used for, and as a byproduct, build public trust. It was the same time Washington state was grappling with the similar issues and hired Alex Alben as the state's first-ever Chief Privacy Officer.
“The one thing I learned early on is you need to start with a set of principles when you build a program,” Armbruster says. “What do you stand for?"
Seattle City Council adopted its first Privacy Principles in February 2015 with input from thought leaders from multiple disciplines in the private and public sectors. The move created a framework for dealing with current and future technologies that impact privacy — and put the city at the forefront of technology and digital service delivery.
Seattle's principles speak about the importance of data, keeping it secure, managing it the way it says it does, giving notice and consent opportunities, sharing it only as needed by law or agreement, and making sure people know what's happening.
“How we handle information affects my community, including me and my family, and I like directly participating in the decision about how we behave as a city,” she says.
“You can have all the technology in place in the world, but people make mistakes, and they do it all the time.” Ginger Armbruster, Chief Privacy Officer, City of Seattle
Embedding the Program
Since last September, Armbruster's office has reviewed about 850 privacy cases involving all types of data — traffic patterns, program registration, public safety, and more.
Armbruster works with privacy champions, who are embedded within each department. They have a day job, and also help to make sure the city carries the privacy message forward. One larger department in particular has about six.
“The program was designed to bake privacy into all our programs and projects,” Armbruster says. “Privacy reviews are now a required step in our purchasing program, too.”
On the state level, Alex Alben, CPO of Washington State, says in a recent interview with the state technology services agency that he's interested in the steps other states are taking. For example, West Virginia has a privacy assessment that must be completed for technology purchases.
“This is how deeply privacy can be embedded in the procurement cycle,” Alben says in the interview. "I'm not saying we should do this here, but it's interesting to know what other states are doing."
For other cities interested in starting their own program, Armbruster recommends it be “embedded into as many processes as possible,” and be in the process early. If a department wants to conduct a public survey, for example, have a review process in place early on to identify the information that will be collected — and whether it's necessary to the objective.
Best Practices
Privacy is not about locking down public information. Making data available is an important part of government transparency and building public trust. It's about making sure the city is collecting and storing only the information it needs to deliver services, and that vendors comply with privacy regulations.
“You can have all the latest security technology in place, but people make mistakes, and they do it all the time," Armbruster says. With every piece of information the city collects, she looks at it with a critical eye.
“What are the possible secondary uses, and what are the unintended consequences of having this in the wrong hands,” she says. Also, consider that data deletion is a critical part of the data lifecycle.
“If somebody breeches your system, and you have more information than you need, you make it vulnerable when you didn't have to,” she says. In addition to good data management practices, Armbruster encourages agencies and government organizations to address policies specific to data brokering. If a city chooses to monetize their data, they should know how it's being used, and have a plan for where the money is going and how to keep the public informed.
“The issue wasn't that technologies were being used for nefarious purposes, it was that people didn't know how or why they were being used.” Ginger Armbruster, Chief Privacy Officer, City of Seattle
“Manage record retention, and stay within the law,” Armbruster cautions.
But above all, the only way the program works — and it's the same with cybersecurity — is departments and broader governmental organizations need an executive who understands and supports the effort.
One pitfall could be relying solely on a strong IT leadership support. If the message to embrace privacy hasn't spread among business leadership as well, the privacy program may not have the support it otherwise would have, she says.
“It's about helping educate and ensuring that you have strong executive support, and that they understand the benefits and concerns about data privacy,” Armbruster says.
Tips of the Trade
- Identify your principles
- Work with privacy champions who are embedded within each department
- Get executive support and understanding
- Establish guidelines to be an early on projects and processes.
- Set policies specifically for data brokering
- Manage records retention