GovTech360: Agile Millennials and American-Style Privacy

The debut episode of GovTech360 features two GT Doers, Dreamers and Drivers. We talk to Nebraska Chief Information Officer Ed Toner and Seattle Chief Privacy Officer Ginger Armbruster about their award-winning work.

by Noelle Knell and Paul W. Taylor / May 21, 2019

Add GovTech 360 to your feeds for free on Apple Podcasts, Google Podcasts or Stitcher.


Each year, Government Technology names 25 Doers, Dreamers and Drivers — innovators working inside and alongside government to bring about transformational change. It’s a list that’s grown to nearly 500 people in the almost two decades since the Top 25 program began. 

There are usually several chief information officers on the list, and this year is no exception. Ed Toner is the state chief information officer for the state of Nebraska, a role he’s held for about four years now. During that time, he led a massive consolidation of IT infrastructure and personnel, and he did it without a mandate. And Toner counts a significant cohort of millennial employees among his IT team. They run his content management system and they’ve been instrumental in helping introduce agile development methods (and bidding farewell to waterfall) throughout the enterprise.

This year’s Top 25 list also includes a fairly new title that’s creeping into many organizational charts, that of chief privacy officer. As states and cities across the country grapple with how to safeguard citizen data while still taking advantage of smart city technologies, many are looking at the emerging privacy practice led by Seattle Chief Privacy Officer Ginger Armbruster. She thinks a national privacy policy akin to the European Union’s GDPR is likely the best course. But in the meantime, Armbruster is building a team that incorporates privacy considerations into everything the city does. 

Audio Index (Time Stamps):
  • Growing your own agile development team of millennials who code @ 1:58.
  • Organic agile training after they come out of college and join your team @ 3:45.
  • Stronger privacy protections in the embrace of smart city technologies @ 6:05.
  • Public records and privacy: what we should not know @ 8:30.
  • Sorry, states and locals, the EU GDPR may make federal pre-emption the only path forward @ 10:25.
  • What gov tech startups often miss about privacy in their business models — less is often more and the legal landscape is fraught @ 11:35.
  • Dustin's Takeaways: On workforce (14:20) and privacy (14:55).

Transcript (Edited for Length and Clarity):
 
[Opening Billboard]
 
GovTech360: The Intersection of Government, Technology and the Future. Agile millennials cutting code for the future. And a distinctly European turn on privacy. We’re making the pivots with two of the country’s Doers, Dreamers and Drivers. All that on the premiere of a new podcast from Government Technology.
 
[Body]
 
Paul: From the Market Navigator Studios, I’m Paul Taylor with Government Technology Editor Noelle Knell. Hi there.   
 
Noelle: Hi Paul, How are you?
 
Paul: Never better. On this debut episode of GovTech 360, we are tapping two of this year’s Top 25 Doers, Dreamers and Drivers whose work is particularly on point. Picking favorites is hard. But we did it. Tell me about Favorite No. 1.
 
Noelle: It is hard enough narrowing the field down to 25, never mind just two, but as you said, we’ve chosen a couple whose body of work fits with the theme of the podcast. First up is Ed Toner, state CIO for Nebraska.
 
When appointed in 2015, he took on the heavy lifting common to many state CIOs — enterprise consolidation, both technology and people. With that in the win column, doors are opening for him around town.
 
[Clip: Family Guy: “Welcome to Boop. As our name suggests, our mainframe connects you and powers every server on the globe.”]
 
Paul: Toner knew he couldn’t compete with even made-up big names on the Internet. But as a brilliant episode of Family Guy suggests, he wanted what they had.
 
[Clip: Family Guy: “Millennials crave things like instant gratification, authentic experiences, and for some reason we haven’t figured out yet, improv comedy.”]
 
Paul: With the help of a local college, Ed found millennials who were willing to delay gratification for an authentic experience in public service.
 
Noelle: His developers had way more work than they could handle. They already had a waterfall team and were fostering an agile team with a view to transitioning over time to all agile. It gave them lots of flexibility, just not enough capacity. Ed says they were way behind and were willing to make a deal — with millennials who code and those who teach them. 
 
SOT: Ed Toner: “We didn't have enough talent to really fill the orders that we were getting for work. The state was, at that time, looking to automate and our tool helps in that automation. And we had about 20,000 hours of development that we were behind. We needed to get help and we needed it quickly. And so we went to the local community college. They helped us; they asked us about the curriculum that we would like to see. We are an agile development shop. And so we wanted him to get agile training and some of the basic programming skills. Then we brought him on as a special office staff, which meant they weren't an intern. They were actually paid very similar to an entry-level employee. And then within their goal, we, they knew was to become billable for us within six months. If they did, we brought him on board, to date. We brought in over 40.”
 
Paul: I thought it was interesting that Ed realized he could not outsource all this agile goodness. Significantly too, the millennials were agile natives, and had no old skills to unlearn.
 
Noelle: That’s exactly right. The partnership with the colleges was a great kickstart for the process, and provides a continuing pipeline for his shop. But Ed says you will need more training — both technical and translation.
 
SOT: Ed Toner: “I think that's really my biggest advice is if you're going to go agile, make sure that you provide the training beyond what they receive at the college or the community college. We have coaches that we pay for to continue to educate our workforce. Now we're really at a point where it's starting to organically grow. So whenever an agile team is working with a waterfall team, the waterfall team has really adapted to the agile development, and not vice versa. Now it's actually bringing, being spread into those other Web development teams to adapt … or adopt some of the techniques that are being used by the agile development teams. A lot of that is because, as you said, our agile development teams don't really understand the waterfall piece. So the waterfall chains have to adapt to the agile.”
 
[Bridge and Reset]
 
Paul: We travel to the Northwest for Favorite No. 2 from Government Technology’s Triple D's on the re-emergent issue of privacy, which casts a long shadow at the intersection of government, technology and the future. And there is someone in Seattle who is working to figure it out.
 
Noelle: Her name is Ginger Armbruster, named almost two years ago as Seattle’s first Chief Privacy Officer, who has grown the city privacy program from the ground up, which defines how it collects, uses and disposes of personally identifiable information. That data, in aggregate form, is also the fuel of smart cities. I asked Armbruster about the tradeoffs.
 
SOT Noelle: "You've talked about the potential privacy dangers and embracing certain smart cities technologies, a phenomenon where well-meaning people in government agree to quote unquote free digital services that are paid for in citizen data. Is there a way for cities to embrace smarter technologies while protecting citizen privacy?"
 
SOT: Ginger Armbruster: “I believe there is. And I think it starts with an acknowledgment that nothing is for free. So smart technology, certainly the tradeoff about employing it has to be weighed against what you do with all the information you're collecting. And I think acknowledging that and recognizing it's not just, ‘Plug it in, then let's go,’ like we might in our own homes, with Alexa and other technologies that we have to take into account that this isn't just our world. It's the public's information we're dealing with. When I sit down with different departments, part of the very first part of the conversation is, ‘OK, what are we gonna do with the data we're collecting? What data do you need? Why do you need it?’ And I believe there is a way to do this. It's just acknowledging that what you can collect and what you can get out of smart technologies is not necessarily what you want, at least as a city entity. You're going to have to find a way to recognize that privacy will be impacted if you give out all of the bike-share information. And give people's route information. I think we're seeing that playing out in L.A. right now around data and concerns about what does that mean if someone rents a scooter and I know everything about where they went that day. I think that that's the way that I approach it with everyone — it's great technology. I certainly see the benefits for your mission. Let's talk about the data. How can we make this less invasive for folks? So they will want to embrace this technology so that you can now use privacy as a way to promote this technology beyond just the benefits for whatever you're trying to accomplish. That's how I approach it.”
 
Paul: The way that Armbruster approaches it in 2019 is different than it would have been a decade ago. Then, every transaction began and ended with a paper form. Of course now, public records include all the data extracted from devices — particularly phones — used to unlock bike shares, pay parking meters and conduct most any other kind of transaction that takes place voluntarily on an app.
 
But you told me she is also thinking about personal data that comes from involuntary encounters between residents and their government.
 
Noelle: Yes, people are often compelled to give up information about themselves in exchange for public services. Again, Ginger says there are sensitive tradeoffs to be navigated here.
 
SOT: Ginger Armbruster: “And then this issue of public records, I think, I don't want to have that be misinterpreted as lack of transparency at the government level. What it is for me is we should know everything government is up to, but we shouldn't know everything about the people who get those services. I shouldn't necessarily be able to see all the private details of people getting services from the city. Because when you get a service from the city of Seattle, you're either having a really bad day, you're having a medical emergency or maybe you've interacted with our police for some reason or you need services ‘cause you're a member of a vulnerable community and you are needing services from your community. It seems to me that we collect too much, and that too much of that is available because of public records. That's the thing I'd like to see if there's something we can do something about.”
 
Paul: Doing something about it means getting traction in a pretty fluid environment legislatively — and one that, at the local level, is pretty squishy. That is thanks in no small part to the effects of the EU General Data Protection Regulation — or GDPR as it's now more commonly known.
 
Now a year old, it covers data and privacy in the European Union, and beyond. The export provisions of GDPR touch companies that do business in Europe. And with the Internet, that is a large universe of companies, including most American companies.
 
Ginger spoke hopefully about the Washington state privacy bill during the interview. Lucas Ropek from your staff followed the bill throughout the legislative session — including the tussle between privacy rights advocates and big tech — and chronicled the bill's collapse in the closing days of the session. It’s a really good read — and we’ll have a link to it in the show notes on govtech.com.
 
Noelle: Ginger doesn’t think that cities — or even states — can do their own thing — in the era of GDPR. She thinks that a national policy may be the only thing that keeps things coherent for international players based in the United States.
 
SOT: Ginger Armbruster: “You know, we have a Washington state privacy act that's looking like it's probably going to be a little bit like the California one based on GDPR around data rights and the right to your information and the right to try, you know, all the things that you see in GDPR. And I don't think that's sustainable for companies that do business around the world, that have different small states have their own versions of this. I don't know how a Microsoft or an Amazon, you know — that's a huge endeavor. How do I make sure California and Washington are both happy? Oh, something happening over here in Oregon, I believe that we're going to see the technology companies wanting to push for a federal legislation around this so that they have one set of rules. That's what I believe. And I believe that we've seen some of the large companies involved in some of the state activities, probably hoping to get these sort of in alignment.
 
“I also think the large companies have simply said, ‘We're making GDPR functional for everybody because we can't keep two different systems going.’ I think, you know, in this worldwide marketplace and where there really are no boundaries, barriers and borders, I believe that's why we have to get to a common understanding of what is acceptable for doing business with an entity so that we're not in this sector-based regulatory situation with states running their own thing.
 
“I don't know. I know that something is being looked at at the federal level right now, I don't know what the appetite is for that, with all the other things that are going on politically, but it seems to me that is a matter of just having a common landscape. That's what I think we're going to be heading to. And it seems to make sense to me.
 
“Should we get to a place where we have a unified federal policy relative to data privacy? What should that look like? What do you think Americans have an appetite for based on your expertise in this area? Well, it's interesting, you know, I live in an area that's very privacy cognizant, right? And I have this viewpoint that says, I believe people want privacy protections. Although I also wonder sometimes if some of the more active privacy activists are maybe keeping us from moving forward on technologies that people have already accepted, I mean some of the things that we would say I would see very invasive. You know, some of the home systems that we have that are listening all the time.
 
“What we're willing to put up with in the private sector, we are not willing to put up with in the public sector.”
 
Noelle: And that is the dilemma right there. People have higher expectations of how their data is handled by government than by the private sector, where personal information can be used as a coupon to get a few cents off a roll of paper towels.
 
Paul: I think that difference is sometimes lost on gov tech startups whose founders may have backgrounds in retail, services or fintech. As we wrapped up with Ginger, we asked her about that too.
 
SOT: Ginger Armbruster: “... the thing that I find from the privacy perspective is there are so many good ideas out there about how to make life better, right? Oh, how can I help the city and how can I — I see a need and they're probably right on from the privacy perspective. What I want those companies to have done is their homework around the privacy and data policies. What do you do with the data you collect? Because so much of the business models are around, ‘I'm going to collect data and I'm going to sell it over here. I'm gonna use it in this other way while I provide the service to the city that they need.’ And that may be OK, but I need to be able to give answers to the questions.
 
“What are you doing? I would love companies to come in with a clear idea of their data collection practices and what they're using the data for and their privacy policy. What do we protect and what are we doing so that I don't have to, I've been, I've been a couple of times asked to build somebody's privacy policy. That was sort of interesting. In my mind, I can't tell you your business model. You have to tell me, and I can't build you your privacy policies. You need to do that for me. I also want companies to understand that the legal landscape of the city there and state that they're in. We've had people come in who have no idea about our public records act and so they get really surprised when they find out that everything is public.
 
“So we don't want all that information. You trying to tell us is a benefit. I actually prefer not to have it. Understanding the legal landscape both at the city level and at the state level so that they understand the privacy limitations that we have as they're promoting whatever they're promoting. And then I also think companies tend to go into the departments and get people sold on benefits, and that's great. I mean, I used to be a salesperson. That's certainly what you want to do, generate the interest to make sure you have some sponsor, but not waiting too long to get involved with the compliance side of the house. Right? Don't wait too long before you’ve talked to the privacy and security people. Don't wait too long before you realize they're going to be the ones who say, ‘Nah, it's not gonna happen until I've had a chance to repeat you.’ So there's a lot of delay that can happen. Someone's trying to sell something that can be a real disappointment and it can be a real tension. Get involved early with the legal side of the house. Make sure you've covered your bases on those compliance issues.”
 
Paul: Noelle, Thanks for bringing both these guests to the table. As we said at the top, there is a total of 25 Dreamers, Doers and Drivers. How can listeners read more about the whole list and assuage our guilt about picking only two for the podcast?
 
Noelle: Yes, please go visit and read the profiles of all 25 at govtech.com. Search for “Top 25” to get the individual profiles, infographic and all kinds of interesting information that kind of sums up this group.
 
Paul: Noelle Knell, editor of Government Technology. Thank you very much. 
 
Noelle: Thanks Paul. 
 
Paul: Our colleague, co-host and chief Innovator, Dustin Haisler has been listening in. What did you hear in the conversation with Ed Toner?
 
Dustin: We've talked at length about this talent gap that exists in the public sector, and I think they've really shown in Nebraska that solving the talent gap requires creative approaches. And for them, that was going to a community college and partnering, and kind of using that as a resource to incubate talent. But this is something that agencies have to look beyond: just the benefits they provide. You know, a flexible work day is not going to get someone to come and work for you. You have to really look at going to where they're at and finding a way to incubate the talent there. And then eventually you can start to see the results like Nebraska has seen with getting talent to come back.
 
Paul: And what about the chat with Ginger and the privacy pivot?
 
Dustin: Her takeaways are really telling when it comes to what's just happening in the national landscape around privacy. And three things that stood out for me in her interview is No. 1, we have to start to think about designing for use. And so, she asked questions about what are we doing with the data that we're collecting? What data do you need? Why do you need it? How do we make it less invasive? These are all questions that should be asked as a part of any type of procurement process as we're — you know, even before that — as we're designing what solution we need to solve the problems that we have, we need to start to think about the role that data plays in that and how we design for data as you use it. The second thing that stood out is this unsolved challenge.
 
How do we extract what we know about people while providing them better service delivery? And so, you know, Ginger said she would love for companies to come in with a clear idea of their data collection practices and what they're using the data for and a robust privacy policy. And I think this is something that the market really needs to move on. Companies that are in the space need to start to think about helping government solve this challenge. How do we extract all of the personally identifiable information that's not necessary, but sometimes we still need to know as a part of the experience delivery while not creating risk in the process. And the third thing was that a more holistic approach to data regulation is coming and it's going to come first through state and local policy, which we've seen. And that's part of the reason why we're seeing chief privacy officers pop up at the state level and city level across the country, but eventually through a national policy, which could be a U.S. equivalent of GDPR. Agencies today really need to be thinking about and preparing their data management practices for the inevitable rise of additional regulations as it relates to government's role in this whole process.
 
Paul: That's helpful, as always, Dustin. What are you working on?
 
Dustin: Cutting through the marketing hype cycle of the shiny objects and into how we can practically use technology data, new processes to solve real problems in government.
 
Paul: Thanks, man. We will explore those later in the season on GovTech 360. 
 
Connect with us on Twitter. Noelle is @GovTechNoelle, Dustin is @dustinhaisler. I'm @pwtaylor, and the whole shooting match is @govtechnews
 
You can help spread the word about the brand new GovTech 360 by leaving a review at Apple Podcasts. We’d appreciate that more than you know. 
 
Subscribe for free to GovTech 360 on Apple Podcasts and Google Podcasts. And it's always available at home — govtech.com. For all of us at Government Technology, thanks for listening.
 
We're out of time. Bye, bye.