TORONTO — Although the new federal law governing the commercial use of consumer data in the country has been in full effect since January, Ontario’s privacy commissioner said many businesses still fail to understand the differences between
security and privacy.
Speaking at the Infosecurity Canada conference in Toronto Wednesday, Ann Cavoukian said it was important to distinguish privacy, which relates to personal control of the use and disclosure of information, from security, which controls access to information that’s used in a business context.
“”They sort of have an idea about what security means, but I don’t think that most businesses . . . still comprehend what privacy really means,”” added Constantine Karbaliotis, an executive consultant in the privacy practice of CGI in Toronto.
“”Security’s an important part of privacy. Without security, you can’t have privacy. But you can certainly have security without privacy.””
In a security-centric world, “”the biggest challenge is limiting the use of information for the purposes stated,”” Cavoukian said. She said people are not only concerned about the growth of a huge database of their personal information, but this private information may be subverted by attackers.
If privacy of health-related data is affected online by hackers, for instance, “”you’re talking about life and death consequences.””
After Sept. 11, 2001, individuals grew more trusting of government and tolerant of a spate of new security measures that arguably contravened privacy, but more insistent that businesses protect their online privacy, she said. “”Therefore there was a clear distinction between public safety and business issues.””
Going forward, Cavoukian said it’s up to Canadian business to “”create a culture of privacy”” by ensuring solution developers introduce privacy into the concept, design and implementation of technology products.
This, however, adds costs to creating technologies, cautioned Karbaliotis. If companies are looking only for the cheapest solution rather than the best investment, solution providers will continue not to address these privacy concerns from the start, he explained.
He said good solution providers, though, will recognize the need to promote technologies that satisfy today’s privacy regulations because ulitmately it “”keeps their clients out of trouble.””
Cavoukian added the technology community should also recognize and promote security and privacy mechanisms in the same technologies. For example, she noted a 3-D holographic scanner that respects physical privacy while enhancing security by looking only for concealed weapons that people may be carrying.
As North America witnesses the rise of chief privacy officers, one of the fastest growing designations, companies must decide who within an organization will be responsible for this job, Cavoukian said. Ideally, the function should rest with a “”customer-friendly”” department like marketing or business development, she said.
Karbaliotis predicted chief privacy officers will grow in importance because these will be individuals “”willing to stand for the company and say ‘We’re doing this right.’
“”Maybe it shouldn’t be the security officer. Maybe it shouldn’t be the chief technology officer.””
Instead the right candidate should understand technology, business processes, the legislative environment and be involved in business planning, he said.
The 9/11 crisis allowed an increasing degree of security to marginalize privacy, but now “”we need a new paradigm,”” urged Cavoukian, and added security and privacy are necessary for freedom to prevail.
InfoSecurity Canada wraps up Thursday.