Back in October 2021, Katy Ruckle, who is the current chief privacy officer (CPO) in Washington state, articulated her views on why privacy and security are two sides of the same coin at the National Association of State Chief Information Officers (NASCIO) Annual meeting in Seattle.
Fast forward to the 2022 NASCIO Midyear conference in Maryland earlier this month where I met Ms. Ruckle during a session on providing great customer service within state governments. Katy and I had a great discussion on the roles played by privacy, security and system development teams, and it was immediately clear to me that I needed to interview her for this blog.
Katy started the CPO role in Washington state on Jan. 1, 2020, just before the global pandemic took hold. She brings a wealth of knowledge and experience on privacy topics. Before taking on this statewide role, she was the privacy officer and information governance administrator for the Washington Department of Social and Health Services (DSHS), where she instituted privacy practices for five administrations with well over 15,000 total employees. Ruckle created and put in place the privacy program at DSHS. She has also managed the activities of 18 privacy coordinators at the agency and has extensive experience helping with contracts that involve protection of sensitive data.
Last year, Katy described Washington state’s “Privacy 101” training in this video clip:
Interview Between Katy Ruckle and Dan Lohrmann
Dan Lohrmann (DL): Tell us about your passion for privacy. Why is it such an important topic in 2022?
Katy Ruckle (KR): I recently wrote about the debate about whether privacy is dead. My firm answer to that question is always no. Not only is privacy not dead, it is in fact becoming more and more of a focus and priority for business and government. Privacy professionals right now are in high demand because of the reckoning that is occurring regarding the collection and use of personal data by both the private and public sectors. Five states now have consumer privacy laws on the books and state legislatures across the country are introducing privacy laws on a regular basis. Washington state has been actively exploring a privacy law and has already taken steps such as regulating facial recognition services by government entities.
DL: Are cybersecurity and privacy in competition in state and local governments or are they partners? Why?
KR: My experience has always been that privacy and security are partners. In my previous roles, I would work closely with security to ensure contracts include correct technical security requirements and rely on security expertise when determining whether a device is encrypted to appropriate standards, etc. This is not my area of expertise, and I am always grateful to the IT security professionals who can guide me in those areas. On the other side, I was always a partner with security when evaluating incidents and determining whether there was a breach, as well as notifying and speaking to the individuals affected by the breach and professional regulators. These are all somewhat reactive instances in which privacy and security work together. However, at the state level I work to ensure the initiatives in the privacy office align with the initiatives in the security office. This way we can make the most of our collective resources and expertise.
DL: At the recent NASCIO conference, there was a lot of focus on end-user customer satisfaction and ease of use with online services. Does privacy help or hurt government app usability?
KR: That’s tough. I would say that privacy can help with government app usability, but it needs to be done right. Personally, I have experienced annoying “privacy” features that get in the way of my use of a particular product or service, like constant cookie notices. There is a way to do it right, but it is a balancing act. I find the most useful way to incorporate privacy is to follow the privacy-by-design methodology and be thoughtful of the data the service needs to accomplish its business purpose, and then delete it when no longer needed and meets its retention schedule. This really incorporates the data minimization principle. The other usability feature that I find helpful is having the little information radial that provides a quick explanation for why that data element is needed to provide the service.
DL: What do you think the biggest privacy challenges are in state and local governments today?
KR: The biggest challenge that I am seeing is lack of resources. However, with the increasing emphasis on the importance of privacy, I think that is changing. There is a collective awareness that is building about the importance of privacy in both the private and public sectors. Look at the recent attention to privacy by Porsche, which allows users control over whether to share their data with the company. Whenever I present to state and local audiences, I find them all to be very receptive to the message addressing privacy, but the next question is “who” will do it. The workforce for privacy is competitive because there is not a clear pipeline for the field and privacy professionals are in high demand. So that gets to the workforce issue. I am encouraged though by other states’ efforts in this area to grow the workforce and hope to emulate that in Washington. In the meantime, I am doing my best to be a resource for state and local government, which is proscribed by the law that creates my position.
DL: Has the explosion of data use and our new developments in analytics and AI made privacy easier or harder to implement? Why?
KR: I think the explosion of data collection, data analytics and the application of AI to personal data has made ensuring there is lawful, fair and responsible use of data more challenging. However, the speed of development of automated decision-making technologies has also highlighted the need to ensure there are more guardrails around their use on personal data, especially for technologies impacting the rights and freedoms of individuals. Washington lawmakers are paying close attention to the use of AI and have already regulated facial recognition services by government entities. As I said before, I see that government entities are receptive to addressing privacy and data stewardship issues; they just need help doing it.
DL: Looking out to 2030, how will online privacy be different in America? What do you see coming in five-plus years that we don’t have today?
KR: So, I don’t have a crystal ball for what will be, but my hope is to see comprehensive consumer data privacy regulation at the federal level. However, I think that residents in the U.S. will also continue to benefit from some of the leadership that is occurring in Europe on privacy. Global companies are already incorporating many of the rights and privacy processes into their products and services and are even incorporating Europe’s General Data Protection Regulation (GDPR) rights. As that increases, more consumers will come to expect their data be handled in certain ways, which starts to also create the demand and value-add for companies to meet consumer expectations. What I hope will be less pervasive is putting all the onus on the individual to track and opt out of all the different ways in which a company can use their data. Instead, we should have a baseline of protections that consumers can rely on when engaging in commerce.
DL: Anything else you’d like to add?
KR: Thanks for your interest in privacy, and if others have an interest in the resources we have put together for state and local government in Washington, you can find information on our website at www.watech.wa.gov/privacy. Thanks!
DL: Thank you for taking the time to answer questions on privacy, and for your outstanding public service!