THE CONCERN FOR PERSONAL PRIVACY AND AUTOMATED INFORMATION SYSTEMS BEGAN ABOUT 1965 WHEN THE SOCIAL SCIENCE RESEARCH COUNCIL IN THE U.S. PROPOSED A CENTRAL REPOSITORY FOR ALL SOCIOECONOMIC DATA. SOME APPREHENSION AROSE THAT THIS WOULD RESULT IN DOSSIERS BEING CREATED ON EVERYONE, WITH GREAT RISK OF MISUSE AND PRIVACY VIOLATION. SOME OF THE FIRST LEGISLATIVE PROPOSALS IN THE U.S. IN THE EARLY 1970'S WERE DIRECTED TOWARD COMPUTERIZED INFORMATION BANKS, WHEREIN IT WAS BELIEVED THE GREATEST THREAT OF ABUSE LAY. TODAY, HOWEVER, THERE ARE GOOD INDICATIONS THAT PRIVACY PROTECTION COULD BE MADE EASIER IF INFORMATION WERE STORED IN A CENTRAL REPOSITORY. THIS IS SOMEWHAT OF A REVERSAL OF THE EARLIER THINKING AND IS PERHAPS AN ILLUSTRATION OF THE CHANGING AND DEVELOPING VIEWS OF THE PROTECTION OF PRIVACY. ATTEMPTS HAVE BEEN MADE TO DEFINE PERSONAL PRIVACY, AND THEN TO DRAFT LEGISLATION THAT WOULD PREVENT ANY CONDUCT THAT WOULD VIOLATE THAT DEFINITION OF PRIVACY. SUCH APPROACHES HAVE FAILED BECAUSE OF A GENERAL INABILITY TO DEFINE THE SCOPE OF PERSONAL PRIVACY. ATTEMPTS HAVE ALSO BEEN MADE TO DECIDE WHO OWNS PERSONAL INFORMATION AND FROM THIS TO DECLARE WHAT IS PRIVATE AND SHOULD NOT BE USED BY ANYONE ELSE. THERE ARE ATTRACTIVE ASPECTS OF THIS OWNERSHIP APPROACH, EXCEPT THAT INFORMATION IS INTANGIBLE, AND ITS OWNERSHIP IS NOT EFFECTIVELY CONTROLLABLE LIKE THE OWNERSHIP OF CERTAIN MATERIAL ITEMS. THE ONLY WAY IN WHICH SOME MEASURE OF ENFORCEABLE CONTROL IS POSSIBLE OVER PERSONAL INFORMATION IS TO RESTRICT ACCESS TO IT AND TO LIMIT THE USE OF INFORMATION TO AUTHORIZED PERSONS ONLY. SECURITY IN AN ELECTRONIC DATA PROCESSING ENVIRONMENT INVOLVES ALL ASPECTS OF PHYSICAL SECURITY PLUS SEVERAL OTHERS, INCLUDING: ADMINISTRATIVE AND ORGANIZATIONAL SECURITY, PERSONNEL SECURITY, PHYSICAL AND ENVIRONMENTAL SECURITY, AND COMMUNICATIONS SECURITY. THESE FIRST LAYERS OF SECURITY ARE BASIC TO A SECURE ENVIRONMENT FOR ALL TYPES OF FACILITIES AND MUST BE EFFECTIVE BEFORE IT IS PRACTICAL TO IMPLEMENT THE TECHNICAL ASPECTS OF SECURITY REQUIRED FOR THE HARDWARE, SOFTWARE, OPERATIONS, AND DATA OF AUTOMATED INFORMATION SYSTEMS. THESE PHYSICAL AND TECHNICAL SECURITY CONTROLS, HOWEVER, DO NOT NECESSARILY PROTECT INFORMATION, NOR THE PRIVACY OF INDIVIDUALS TO WHOM IT RELATES, BECAUSE SUCH MEASURES ARE ONLY EFFECTIVE UP TO THE POINT OF DISSEMINATION. THERE ARE PROBABLY TWO ASPECTS OF PROTECTING PERSONAL PRIVACY AT THAT STAGE; ONE IS THE LEGISLATIVE APPROACH, AND THE OTHER IS THE ETHICAL OR PRIVACY-PRINCIPLES APPROACH. IT IS CONCLUDED THAT A BETTER DEFINED COMMITMENT TO PROTECTING PERSONAL PRIVACY IS PROBABLY DEVELOPING, BOTH LEGISLATIVELY AND ETHICALLY, AS A RESULT OF SOCIETY'S GROWING CONCERN OVER PRIVACY ISSUES. THE ESSENTIALS OF DATA SECURITY ARE CHARTED, TWO PIECES OF CANADIAN LEGISLATION IN THE ARE ARE REPRODUCED, AND PRIVACY PRINCIPLES AND LEGISLATION ARE OUTLINED. (KBL)