IPC wants to see security/privacy rift healed
Written by Vawn Himmelsbach, on Mon-June-2009
While computer security can restrict the use of data, it can’t decide the issue of legal ownership. And in today’s world where we can save everything forever on the Internet, privacy controls have to change.

“Just because we can use pan-tilt-zoom cameras doesn’t mean we should,”
says Tracy Ann Kosa, PIA specialist with the Government of Ontario’s
Office of the Chief Information and Privacy Officer, who spoke at the
OPS Security Conference held recently in Toronto.

“Privacy allows us to grow and make mistakes in a way you can’t do in
the absence of privacy, where everyone knows what everyone else is
doing,” she says. “With today’s technology, you basically have a record
from birth to grave – you can’t erase everything and start over.”

That’s why the IPC is looking to build privacy practices into
technology. There’s a lot of confusion, however, between security and
privacy. Unlike security, privacy entails a sense of informational
ownership, that “this information is mine,” whether it’s on Twitter or
held within a Ministry of Transportation database. “But data privacy as
a right and a value is highly contextual,” says Kosa.

The risk in defining privacy is that we end up treating it too narrowly
or too broadly. Security and privacy overlap, and there’s usually a lot
of interplay.

The Canadian Institute for Health Information, for example, collects
your medical data when you go to a hospital emergency room. Previously,
that form was a consent form; now it gives CIHI permission to manage
your information as it sees fit. On the other hand, with electronic
medical records, the IPC tried to make it mandatory to get patient
consent at a field-by-field level, but was told it’s impossible to do
while maintaining any degree of productivity (there can be up to 10,000
fields for one person).

Security may be able to protect privacy, but it has its limitations,
since it doesn’t talk about data ownership. “Rules-based access control
is not the same thing,” says Kosa. The difference comes down to
informational ownership – that users perceive it as their information.