Information & Ethics Committee on Feb. 7th, 2022

Thank you very much, Mr. Chair.

Thank you for the invitation to appear in connection with your important study.

Early in the pandemic, the Office of the Privacy Commissioner of Canada recognized that data can serve the public interest, such as protecting public health. To that end, we published a framework for how to achieve this while respecting privacy, a key point of which was to use de‑identified or aggregated data wherever possible.

Our framework cautioned that institutions should be aware there is always a risk of re‑identification. Given this risk, our framework was explicit that there needs to be technical and other means implemented to protect the information. In principle, then, the use of de‑identified or aggregated data for public health purposes is consistent with our framework, provided appropriate technical standards are used.

Since the beginning of the pandemic, we have had regular meetings with the Public Health Agency of Canada on COVID-related initiatives. We welcome these interactions.

In the case of the government's use of mobility data, we were informed of their intent to use data in a de‑identified and aggregated way. We offered to review the technical means used to de‑identify data and to provide advice, but the government relied on other experts to that end, which is its prerogative.

Now that we have received complaints, we will investigate and turn our attention to the means chosen for de‑identification and whether they were appropriate to safeguard against re‑identification. Since this is under investigation, we will not be able to provide you with advice on this aspect of your study.

I would now like to offer the following observations on how this case is only one example of much more widespread practices in the public and private sectors and why, in my view [Technical difficulty—Editor] the urgent need for law reform. I also wish to suggest issues that you may want to consider during your study.

Organizations in both the public and private sectors constantly reuse data to new ends. This practice raises legitimate concerns by consumers, particularly when their personal information is used without their knowledge for purposes other than those they expected. Is the solution to ensure meaningful consent is obtained for all such cases? I think this is neither realistic nor reasonable, as this case illustrates.

The solution, in my view, would be to authorize the use of personal data for socially beneficial purposes and legitimate commercial interests within a rights-based law that acknowledges the nature and value of privacy as a human right so as to give privacy its appropriate weight in any balancing exercise.

The government argues that its use of mobility data did not engage the Privacy Act: in other words, that the act does not apply. Oddly, if the data was properly anonymized and aggregated—a fact that your committee and our office will separately investigate—that conclusion is likely legally correct, so the first question you should consider is whether the data, indeed, was properly de-identified and aggregated.

Even if it was, I would suggest that the second issue is whether it is good legislative policy that de-identified information falls outside the reach of privacy laws. We think removing de-identified information from the reach of these laws would bring very significant risks and is not good policy.

There is then the question of transparency and consent. Did the government or its private-sector partners adequately inform users that their mobility data would be used for public health purposes? While there is a reference to the “data for good” program somewhere in Telus's privacy policies, and while the government does make an effort to inform citizens of its use of mobility data on its COVIDTrends web page, I do not think anyone would seriously argue that most users knew how their data would be used.

Does that matter? That, I suggest, is another question you should consider. There's no question that transparency is important to enhance trust, and the government could likely have been more proactive in informing Canadians about its program, but should programs like this require meaningful consent?

As I mentioned earlier, I believe that due to the limitations of the consent model in protecting privacy, a more appropriate policy would be to authorize the use of personal information for legitimate commercial interests and the public good within a rights-based law. That law should be enforced by the OPC, an independent regulator, to which would be conferred the requisite powers and resources to protect Canadians.

I'm happy to take questions.

On the facts of whether we were consulted or informed, and what was the tenor of these discussions, we were informed by PHAC and a group within the innovation department that the government wanted to use de-identified information for the purposes outlined: i.e., use mobility data to determine trends in mobility for public health purposes.

We were informed of this as part of regular meetings with government agencies on any number of COVID alert issues. At that time, we were heavily involved in the COVID Alert app, among other things, so we were informed of this particular project.

We offered to provide advice on the adequacy of safeguards to ensure that the data was properly de-identified, and the government decided to rely on others. That's their prerogative.

We offered to provide advice. Is it normal that we not intervene in every case? I think the reality is that we, as an office, cannot be involved in pre-authorizing or reviewing every case of data collection or disclosure that occurs in Canada. We give general advice that we hope is followed. We investigate complaints.

I think that in the new law our office should have greater powers to proactively audit the practices of governments and the private sector, but unfortunately it is just not realistic to expect that we will pre-approve every use or disclosure of data in this country. At the end of the day, it is to the benefit of Canada that data is shared, obviously for good reasons—for legitimate commercial interests, for the public good, and not for illegitimate surveillance as we've seen in certain cases.

Because these practices occur all the time, we just cannot be there all the time.

We're not the only experts. Expertise is not spread evenly among all institutions, but here, we're dealing with the Government of Canada, which has experts, and with large telecom companies that also have experts. We offered our expertise. It was declined. It is what it is.

Again, consent is not a silver bullet or a solution for all cases. There's no question here that, as I said in my statement, most Canadians whose data was used did not know their data was used. The parties, both the government and the private sector, could have done more to inform users that their data was used for these purposes.

I cannot, because that is the subject of the investigation we are going to have to conduct as a result of the formal complaints we have received under the law.

What I can say is that we have had discussions with PHAC. They informed us, again, that they intended to use de‑identified or aggregated data for public purposes, such as public health. This is consistent with our understanding of privacy principles.

As to whether the data was de‑identified properly, we don't know yet. We will investigate.

The information provided to us was, in principle, consistent with the framework we had established. We offered to go under the hood to determine if the data had indeed been de‑identified properly, but the government declined that offer. In terms of principles, we saw no problem. As what happened in practice, we will investigate. I have no reason to believe that things were done correctly or, conversely, inappropriately. That will be investigated.

That's what we will be investigating. I cannot comment on that at this time.

Yes, it was published several months ago.