Title: Getting to the Truth about Privacy
1. Getting to the Truth about Privacy & Security
- Ann Cavoukian, Ph.D.
- Information and Privacy Commissioner/Ontario
- Privacy & Security: Totally Committed
- November 7, 2002
- Toronto
2. The Privacy/Security Relationship
- Privacy relates to personal control over one's personal information
- Security relates to organizational control over information
- These represent two overlapping, but distinct activities
3. What Privacy is Not
Security ≠ Privacy
4. The Foundation for Information Security
- The rights of data users or their surrogates
- Functions
- Authentication
- Authorization
- Confidentiality
- Data Integrity
- Non-repudiation
- Availability
5. The Foundation: Fair Information Practices
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
6. Privacy & Security: A Visual
7. The Security/Privacy Dilemma
8. Privacy is more than Policy
- The misconception
- Privacy is essentially a policy issue while security is a technology issue
- PIAs can avoid the technology design and implementation components as long as they identify the risks and privacy issues
9. Privacy/Policy, Security/Technology
- Privacy is essentially a policy issue
- Security is a technology issue
- Oh yeah? What about
10. Most Individuals Don't Care About Privacy
- The misconception
- "What's the point of regulating Internet privacy? Consumers sure don't care."
- The Privacy Hoax, Eric Goldman, Forbes, 10.14.02
11. Wrong: They do Care
- "It doesn't take much for people to get really concerned about a company's privacy practices."
- Johnathan Gaw, IDC Corp., March 29, 2001
12. Well, maybe they care, but it's not my responsibility.
- Whose responsibility is it?
- CEO?
- IM/IT?
- Line managers?
- 3rd Party Contractors?
- Front-line staff?
- Vendors/Consultants?
13. Privacy Brand Valuation
Privacy Value vs. Overall Value: Privacy accounts for an estimated 14% of overall Brand Value, and 7% of overall Shareholder Value,
14. It's not me, it's the other guy
- The misconception
- It is up to the application suppliers to provide appropriate safeguards as part of their products and services
15. We Don't Need a CPO
- The misconception
- Things are just fine, we don't need a CPO
- OK, things could be better, so give the job to the Chief Security Officer
16. Privacy is Primarily a Public Relations Exercise
- The misconception
- If we have a privacy policy we are home free.
- We have a privacy policy now; we'll get to the details next quarter.
17. Conclusion
- In order to address privacy effectively, you need to clear your mind of the misconceptions
- Privacy and security are both essential, they're just not the same.
18. How to Contact Us
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
Phone: (416) 326-3333
E-mail: commissioner_at_ipc.on.ca
Web: www.ipc.on.ca