Getting to the Truth about Privacy & Security
Ann Cavoukian, Ph.D.
Information and Privacy Commissioner/Ontario
Privacy & Security: Totally Committed
November 7, 2002, Toronto
The Privacy/Security Relationship
– Privacy relates to personal control over one’s personal information
– Security relates to organizational control over information
– These represent two overlapping, but distinct activities
What Privacy is Not
(Diagram: the overlap between Security and Privacy)
The Foundation for Information Security
The rights of data users or their surrogates
Functions:
– Authentication
– Authorization
– Confidentiality
– Data Integrity
– Non-repudiation
– Availability
The Foundation: Fair Information Practices
– Accountability
– Identifying Purposes
– Consent
– Limiting Collection
– Limiting Use, Disclosure, Retention
– Accuracy
– Safeguards
– Openness
– Individual Access
– Challenging Compliance
Privacy & Security: A Visual
The Security/Privacy Dilemma
Privacy is More than Policy
The misconception:
– Privacy is essentially a policy issue while security is a technology issue
– PIAs can avoid the technology design and implementation components as long as they identify the risks and privacy issues
Privacy/Policy, Security/Technology
– Privacy is essentially a policy issue
– Security is a technology issue
Oh yeah? What about:
Most Individuals Don’t Care About Privacy
The misconception:
“What's the point of regulating Internet privacy? Consumers sure don't care.”
– The Privacy Hoax, Eric Goldman, Forbes
Wrong: They Do Care
“It doesn’t take much for people to get really concerned about a company’s…privacy practices.”
– Johnathan Gaw, IDC Corp., March 29, 2001
Well, Maybe They Care, But It’s Not My Responsibility
Whose responsibility is it?
– CEO?
– IM/IT?
– Line managers?
– 3rd Party Contractors?
– Front-line staff?
– Vendors/Consultants?
Privacy Brand Valuation: Privacy Value vs. Overall Value
(Chart: Privacy vs. Brand Value, CAN $679 M; Privacy vs. Shareholder Value, CAN $979 M)
Privacy accounts for an estimated 14% of overall Brand Value, and 7% of overall Shareholder Value,
It’s Not Me, It’s the Other Guy
The misconception:
– It is up to the application suppliers to provide appropriate safeguards as part of their products and services
We Don’t Need a CPO
The misconception:
– Things are just fine, we don’t need a CPO
– OK, things could be better, so give the job to the Chief Security Officer
Privacy is Primarily a Public Relations Exercise
The misconception:
– If we have a privacy policy, we are home free.
– We have a privacy policy now; we’ll get to the details next quarter.
Conclusion
In order to address privacy effectively, you need to clear your mind of the misconceptions.
Privacy and security are both essential; they’re just not the same.
How to Contact Us
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
Phone: (416)
Web: