“Just because we can use pan-tilt-zoom cameras doesn’t mean we should,” says Tracy Ann Kosa, PIA specialist with the Government of Ontario’s Office of the Chief Information and Privacy Officer, who spoke at the OPS Security Conference held recently in Toronto.

“Privacy allows us to grow and make mistakes in a way you can’t do in the absence of privacy, where everyone knows what everyone else is doing,” she says. “With today’s technology, you basically have a record from birth to grave ”“ you can’t erase everything and start over.”

That’s why the IPC is looking to build privacy practices into technology. There’s a lot of confusion, however, between security and privacy. Unlike security, privacy entails a sense of informational ownership, that “this information is mine,” whether it’s on Twitter or held within a Ministry of Transportation database. “But data privacy as a right and a value is highly contextual,” says Kosa.

The risk in defining privacy is that we end up treating it too narrowly or too broadly. Security and privacy overlap, and there’s usually a lot of interplay.

The Canadian Institute for Health Information, for example, collects your medical data when you go to a hospital emergency room. Previously, that form was a consent form; now it gives CIHI permission to manage your information as it sees fit. On the other hand, with electronic medical records, the IPC tried to make it mandatory to get patient consent at a field-by-field level, but was told it’s impossible to do while maintaining any degree of productivity (there can be up to 10,000 fields for one person).

Security may be able to protect privacy, but it has its limitations, since it doesn’t talk about data ownership. “Rules-based access control is not the same thing,” says Kosa. The difference comes down to informational ownership ”“ that users perceive it as their information.