TORONTO — Though the new federal law governing the commercial use of consumer data in the country has been in full effect since January, Ontario’s privacy commissioner said many businesses still fail to understand the differences between security and privacy.
Speaking at the Infosecurity Canada conference earlier this month, Ann Cavoukian said it is important to distinguish privacy, which relates to personal control of the use and disclosure of information, from security, which controls access to information that’s used in a business context.
“They sort of have an idea about what security means, but I don’t think most businesses…still comprehend what privacy really means,” added Constantine Karbaliotis, an executive consultant in the privacy practice of CGI in Toronto. “Security’s an important part of privacy. Without security, you can’t have privacy. But you can have security without privacy.”
In a security-centric world, “the biggest challenge is limiting the use of information to the purposes stated,” Cavoukian said. People are not only concerned about the growth of a huge database of their personal information, but that this information may be subverted, she said.
If privacy of health-related data is affected online by hackers, for instance, “you’re talking about life and death consequences.”
After 9/11, people became more tolerant of a spate of new security measures that arguably contravened privacy, and more insistent that businesses protect their online privacy, Cavoukian said. “Therefore there was a clear distinction between public safety and business issues.”
Going forward, she said it’s up to Canadian business to “create a culture of privacy” by ensuring solution developers introduce privacy into the concept and design of technology products.
But Karbaliotis cautioned this would add costs to creating technologies. If companies are looking only for the cheapest solution rather than the best investment, solution providers will not address these privacy concerns from the start, he explained.
He said good solution providers will recognize the need to promote technologies that satisfy today’s privacy regulations because ultimately it “keeps their clients out of trouble.”
Cavoukian added the technology community should also recognize and promote security and privacy mechanisms in the same technologies. For example, she noted a 3-D holographic scanner that respects physical privacy while enhancing security by looking only for concealed weapons that people may be carrying.
As North America witnesses the rise of chief privacy officers, one of the fastest growing designations, companies must decide who within an organization will be responsible for this job, Cavoukian said. Ideally, the function should rest with a “customer-friendly” department like marketing or business development, she said.