Speaking at the Infosecurity Canada conference in Toronto Wednesday, Ann Cavoukian said it was important to distinguish privacy, which relates to personal control of the use and disclosure of information, from security, which controls access to information that's used in a business context.

"Security's an important part of privacy. Without security, you can't have privacy. But you can certainly have security without privacy."

In a security-centric world, "the biggest challenge is limiting the use of information for the purposes stated," Cavoukian said. She said people are not only concerned about the growth of a huge database of their personal information, but this private information may be subverted by attackers.

If privacy of health-related data is affected online by hackers, for instance, "you're talking about life and death consequences."

[...]

As North America witnesses the rise of chief privacy officers, one of the fastest growing designations, companies must decide who within an organization will be responsible for this job, Cavoukian said. Ideally, the function should rest with a "customer-friendly" department like marketing or business development, she said.

Karbaliotis predicted chief privacy officers will grow in importance because these will be individuals "willing to stand for the company and say 'We're doing this right.'

"Maybe it shouldn't be the security officer. Maybe it shouldn't be the chief technology officer."

Instead the right candidate should understand technology, business processes, the legislative environment and be involved in business planning, he said.

The 9/11 crisis allowed an increasing degree of security to marginalize privacy, but now "we need a new paradigm," urged Cavoukian, and added security and privacy are necessary for freedom to prevail.

[JW] They have an idea about what security means, but I don't think that most businesses . . . still comprehend what privacy really means.