This is part of our Humans of Cyber initiative, a series of in-depth interviews with key figures and leaders of the Canadian cybersecurity ecosystem.
This month, we feature Jane Dargie, a lawyer and IT professional with over 20 years of compliance assurance, governance, and risk management experience with a specialty in privacy protection. She supports organizations and multi-stakeholder projects by designing, implementing, operating, and assessing privacy solutions.
Jane has worked with private and public sector companies – large and small – often on IT innovation and change management initiatives. She sheds light on the upcoming Canadian privacy legislation and her expertise on data privacy and compliance programs.
Interview Highlights
ISA Cybersecurity: So how do you see the relationship between data privacy and data security?
JD: Good question. I think sometimes we use these terms interchangeably. It’s important to be able to kind of differentiate, but also think about the overlaps between them. If we’re thinking about security and a kind of traditional definition, we’re looking at the confidentiality and the integrity and the availability of information. And that could be information, let’s say, sensitive for many reasons, and not just because it’s about identifiable individuals.
Privacy is about individuals and their rights. It’s about personally-identifiable information: so information about either an identified individual or that you may be able to identify the individual using the information. And so privacy concepts get into things like consent, an individual’s right to consent to the collection, use, and disclosure of their personal information. It’s not just about being authorized to access information, it goes beyond to the right to be able to say “no” to the collection, use or disclosure of your information.
Privacy addresses these rights also like being able to see your information and understand how it’s being used and how to correct it in some cases, if it’s inaccurate, so there if you think about the protection of information as being a common component to dealing with privacy and security, there’s these additional rights and obligations from a privacy perspective that go beyond.
To give you an example of that in practice, a few years ago, everyone became aware of going through an airport and you, suddenly, had to deal with not just a human kind of patdown, but also going through a system where your body would be scanned to identify any kind of suspicious things that you were hiding. If you think about that from a security perspective, you’re not necessarily considering that people may have medical devices or, you know, the shapes and contours of their body and what you might display in a body scanner. When some of these body scanners were initially implemented, people could actually see an awful lot about the person’s body, and the person who’s being scanned. Whereas if that had been implemented in the privacy protective way, it would have been more like your kind of chalk outline of a body with maybe X’s marking the spot where a human could go and do a patdown or follow-up to investigate further. So that’s an example of “privacy by design”, and just a reminder of how you can have great security but not good privacy. And that you really need to think beyond to deal with privacy effectively.
ISA Cybersecurity: Yes, the “privacy by design” principles are really important – to bake it in instead of bolting on privacy considerations after the fact. Now, it was Data Privacy Day just recently, back on January 28. What are Canadians doing today that puts their privacy at risk that they should be aware of?
JD: Well, one thing that people do is give out a lot of information without necessarily thinking about how it could be misused or get passed on to other people. And I’m going to use myself as an example here: I was out and about a couple of years ago, and a chocolate company was giving out free samples – which was fantastic for me, because I love chocolate. But what they wanted in return was a photo of you holding the bar of chocolate, with a big grin on your face, or whatever the case may be. In that situation, it was a quid pro quo, like, do I really want my photo to be out there? And you may say, “Well, what’s the harm with that?”
When we look recently, just even in the last couple of weeks about an organization that has been scraping photos online and then making them available to law enforcement, basically putting members of the public into, effectively, a lineup without their knowledge. And our privacy commissioners came out and said that that was actually contrary to our Canadian privacy legislation. There you have a private sector organization that has done this, without people’s knowledge, likely without their expectation, so it’s just a good reminder to all of us to be mindful about what we’re doing. And certainly things like photos and voice prints, and a lot of these kind of biometric pieces to be particularly careful of, and anything around identity documents, a lot of the time we get asked to show them where people are recording information from them.
Ask them! Ask them why they need it, do they really need it, or do they just need to see it. These are some basic things that we may do without thinking about it, and as a result, we’re exposing ourselves to identity theft and exposure and a surveillance capacity.