Evidence of meeting #49 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was things.
A recording is available from Parliament.
4:20 p.m.
Liberal
Lisa Hepfner Liberal Hamilton Mountain, ON
That wasn't my question.
Can you explain to us, from your expertise, how to ensure the integrity and safety of the data that people provide?
4:20 p.m.
Partner, Digital Public
I'm sorry. I didn't make a clear enough connection.
The first step is data minimization. You don't collect it if you don't need it.
This becomes the question in terms of what was collected and how it was used by the Public Health Agency of Canada. I don't know, but, if it was necessary to have that information, then you get into all your basics in terms of storage and who has access, as Matt has mentioned. We have good policies for how to design secure architecture.
I'll keep going back to the first point, which is that you don't want to hold data unless you really have to.
4:20 p.m.
Conservative
4:20 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Thank you, Mr. Chair.
Ms. Wylie, do you think the general public understands the issues associated with the use of an app like ArriveCAN?
4:20 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Do you think it's appropriate to teach people about digital literacy, since these kinds of issues can be hard to understand?
4:20 p.m.
Partner, Digital Public
Absolutely, and when I say that, that includes me, because I don't even know where this information goes once it moves into government infrastructure and architecture.
I want to say that this government had people uploading their passport information on airport Wi-Fi. It's not just what the app is and what the code is; it's what the habits are and what the use protocols are that you're encouraging people to follow when you develop and implement an application such as this. If this government is following these approaches and is also in charge of digital literacy, I would still be concerned.
4:20 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
It's definitely concerning. It certainly does not inspire confidence.
You posted that “the extension of the administrative state through modernization and digital transformation is made to seem mundane but its current and future impacts are anything but.”
Can you elaborate on that? I have about a minute left.
4:20 p.m.
Partner, Digital Public
What I'd like people in this room to know is that modernizing government is still fairly novel. There's a lot of excitement about things that are novel. We have not reckoned with the consequences about redress, how we have access to justice when things go wrong with digital public service delivery. A lot of people seem to get caught up in this enthusiasm for modernization, but we still have a whole bunch of stuff we haven't even reckoned with in terms of issues and access to justice.
I would really like us to think about reducing the inherent enthusiasm for putting technology on top of and through everything in ways that are not thoughtful.
4:25 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Thank you.
In a few seconds, Mr. Malone, can you tell me whether you think the public understands what using an app like ArriveCAN means?
4:25 p.m.
Assistant Professor, Thompson Rivers University, As an Individual
I don't think they know, but I think they can feel concern around it, and I think that is what's palpable in the public discourse.
4:25 p.m.
Assistant Professor, Thompson Rivers University, As an Individual
Absolutely. I think the fact that the app delivered erroneous orders to people who used it correctly is detrimental to building trust.
4:25 p.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Villemure.
Mr. Green, you have two and a half minutes, please.
4:25 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Professor Malone, do you also agree that we should have an audit of the ArriveCAN app through the Privacy Commissioner?
4:25 p.m.
Assistant Professor, Thompson Rivers University, As an Individual
Yes. The Office of the Privacy Commissioner, to my understanding, currently has at least two complaints before it regarding ArriveCAN. One of them is my complaint.
The Privacy Commissioner has also stated quite clearly that there are no data-sharing agreements in place for how the data is being transmitted by the subcontractors that are hidden behind those contracts.
4:25 p.m.
Assistant Professor, Thompson Rivers University, As an Individual
What's the impact of not having data-sharing agreements in place? It doesn't govern how the data will be used. Essentially, it obviates the consent that users would be able to give as to how their data would be used, which is a very important provision within the Privacy Act itself.
We have problems here with whether the data was being kept accurately in a manner that was complete but also up to date. When I requested my own data, saw my data, and saw how the algorithms were interpreting my passport, reading my name, spelling my name and scrambling my phone number incorrectly, it was very clear to me that this app was shoddily constructed.
Not only do we have a problem with the accuracy of the data but also in terms of how the data is being shared by these entities whose names are all we know about them. That is a big problem when it comes to informed consent as required in the Privacy Act.
4:25 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Carrying on from that, in “Lessons from ArriveCAN: Access to Information and Justice during a Glitch”, you wrote that the government “failed to place the data collected from ArriveCAN into a Personal Information Bank, despite the requirements of the Privacy Act.”
Can you describe the potential consequences of this failure?
4:25 p.m.
Assistant Professor, Thompson Rivers University, As an Individual
I essentially asked the CBSA's media arm for information about what personal information bank, as required in the Privacy Act, they'd been placed into. The CBSA media arm refused to provide any answer whatsoever, which led me to believe that they simply had not done it.
As for this data, which had been collected and retained for a minimum of two years with no expiry, as the privacy notice for ArriveCAN itself stated, who knew where it was going? Who knows where it is now?
4:25 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Lastly, I just want to ask both witnesses who are present here today if they would consider providing in written remarks any recommendations that they might have relating to changes that should be made in the Privacy Act to perhaps prevent this from happening again.
Thank you.
4:25 p.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Green. We'll take that as a request from Mr. Green for both of our witnesses.
We have Mr. Barrett for two and a half minutes, followed by Ms. Khalid, and that will be the end of the panel.
Thank you.
4:25 p.m.
Conservative
Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON
Thanks, Chair.
I just want to be really clear. This is an app that erroneously caused 10,000 people to have their civil liberties suspended and be ordered under house arrest, and a breach of that order was warned against with threat of jail time or fine.
There's been a characterization that this is a small number in the context of the total number of users of the app. This is offensive. This is 10,000 people who followed all of the rules. They broke no laws, and they were ordered not to leave their homes or they would be put in jail. They were ordered by an app that they downloaded in the app store.
There was no way for them to redress that grievance. There was nothing for them to do. When they called my office, as they called many other folks, we tried to intervene for them, and it was about day 16 or 17 of their 14-day quarantine before they were able to have demonstration that they were, in fact, still free.
It's so important that we highlight that.
Mr. Malone, you mentioned GC Strategies a couple of times. This is a company that has two employees. It took in $9 million. It did no tech work on this app that was entirely technological in nature, handling sensitive data. To be clear, this two-person company, when they did appear at a parliamentary committee, couldn't even say which of the two of them answered the telephone when the government called to award them a $9-million contract that they wouldn't have to do any tech work on. We don't know who their subcontractors are. There is a lack of transparency.
I've used a lot of time here.
You talked about securing access to information laws and potentially lobbying rules. Are you able to expand on that a bit with the remaining time?