Evidence of meeting #5 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was good.
A video is available from Parliament.
12:25 p.m.
Canada Research Chair in Medical Artificial Intelligence, As an Individual
I was referring to the committee presentations from last week with the Minister of Health.
12:25 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
All right. Thank you.
When you talk about disaggregated data or de-identified data, you are getting into some specialized jargon. What can the public understand here? We can all agree that we take privacy seriously and strive to maintain the public's trust as Canadians or as users.
So how can the public be expected to navigate a debate among experts about disaggregated or de-identified data? Customers using a cellphone to make calls or search the web don't know what that means.
12:25 p.m.
Canada Research Chair in Medical Artificial Intelligence, As an Individual
I think the key points are that we know how to do this quite well. The methods, the technologies, existed with this quite well. We need to make sure that organizations that are reusing data for legitimate purposes and for socially beneficial purposes are using and adopting these practices. Codes of practice and standards and guidelines that are precise and that can be enforced, or that are enforceable in some manner, would be one way to ensure that these good practices are adopted whenever data is reused for secondary purposes, and that will provide the assurance to the public.
12:25 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Okay.
Do these standard practices you're talking about meet the minimum requirements, or do they provide ultimate protection?
12:25 p.m.
Canada Research Chair in Medical Artificial Intelligence, As an Individual
Ontario has de-identification standards. The Ontario privacy commissioner has published such standards, for example our guideline. These are good guidelines. They reflect good practices today. It's always necessary to update these on a regular basis, but I think having a national standard would be very helpful to ensure consistency across the country and for organizations that operate nationally.
12:25 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
If national standards were established, as the Privacy Commissioner of Canada is requesting, it would have the desired consequence of increasing public confidence in the secondary use of data.
12:25 p.m.
Canada Research Chair in Medical Artificial Intelligence, As an Individual
Yes, as long as you're also able to demonstrate that you have followed those standards, either through external audits or through some other mechanism.... Demonstrating it is important.
12:25 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
I agree, transparency and demonstration are important.
We've spoken a lot about the Public Health Agency of Canada. Now, let's talk about Telus. You are in the business, so you're familiar with the company. Can Telus be trusted to protect privacy in its commitments to put data to work for the common good? Or is that just a good front?
12:25 p.m.
Canada Research Chair in Medical Artificial Intelligence, As an Individual
I can only share with you what's known publicly. Telus's “data for good” program has won a privacy award this year from the International Association of Privacy Professionals, which is a highly respected association for privacy professionals globally. That's one indication that they have good practices in place.
12:25 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
So Telus is being recognized and it won an award this year.
Are there any risks involved in the Telus/BlueDot connection?
12:25 p.m.
Conservative
12:25 p.m.
Conservative
The Chair Conservative Pat Kelly
If the witness has a written response that he wants to provide later, he can, but we're going to have to move on to Mr. Green right now.
12:25 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you, Mr. Chair. As always, I appreciate the opportunity for expanded written results and responses.
Through you to the subject matter expert whom we have here today, Dr. El Emam, I welcome him to the committee. I certainly want to acknowledge how much of this is new to me and, I'm sure, many of our colleagues in terms of the very highly technical nature of technology and where we are at right now with big data.
I'm going to rely on you to hopefully help us unpack this and explain it to me like I'm five years old. If you've already answered this question, I'd ask that you try to simplify it even more. In last week's presentations, I'm sure you'll recall that there was very specific language used around anonymized and de-identified data...and of course, from my perspective, the ability to hopefully get to some really solid recommendations from this committee to create gold standards internationally on having some of the highest rights-based approaches to data.
First, through the chair to the good doctor, given your role with Replica Analytics, do you work with countries internationally, around the world, on the emerging technology that you have created?
12:30 p.m.
Canada Research Chair in Medical Artificial Intelligence, As an Individual
Yes. I've been developing privacy-enhancing technologies for the better part of 20 years and deploying them through software and other mechanisms globally.
12:30 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
In your opinion, which countries or regions—or which legislation, perhaps—could you point to that create some of the highest standards of a rights-based format?
I really appreciated the Privacy Commissioner talking about consumer rights-based laws and being able to provide those protections. Could you point this committee to some good examples that we might be able to include for consideration in our recommendations?
12:30 p.m.
Canada Research Chair in Medical Artificial Intelligence, As an Individual
In general, the GDPR in Europe is considered to be one of the strictest regulations for protecting individual privacy. I think the commissioner referred to that as well in his responses.
12:30 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
For the purpose of this committee, can you explain exactly what that is and how you think the general data protection regulation could be applied to a Canadian context?
12:30 p.m.
Canada Research Chair in Medical Artificial Intelligence, As an Individual
That's a very good question. The regulation itself defines some general parameters, and the regulators have been developing opinions and guidance to operationalize the principles and the concepts around that. Also, there is the concept of codes of practice, which I think can be very helpful in terms of allowing the definition of standards and guidance that can be enforced as well. Of relevance to our current discussion, these would be two things to mention.
The GDPR has many other things that I think are beneficial, but we'd be here for a long time if we had to go through all of them.
12:30 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
I appreciate that. I'm learning as I go along, as well. I see there are seven principles to the GDPR that talk about lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
I know in some of the past work that I have done around civil liberties, particularly as it relates to the way in which law enforcement uses information, we've heard stories of the private sector collecting data en masse for commercial use and then allowing that to be a back door for a surreptitious government collection of information.
Therefore, as it relates to things like storage limitation, or the purpose or use limitation, do you have any feedback that you would want to provide the committee based on the study we have before us today as it relates to mobility data?
12:30 p.m.
Canada Research Chair in Medical Artificial Intelligence, As an Individual
Purpose limitation, I think, is an important principle, and limits on data retention are also important.
There are different ways to operationalize that. One way to achieve the limited retention is to anonymize or de-identify the data after a certain period of time so it's no longer personal information. That intersects with our current discussion.
In terms of purpose limitation, we have to distinguish between personal information and non-personal information as well. Our conversation today is around non-personal information—
12:30 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
I apologize for the interruption.
I ask this because I think one of the false definitions of the scope of this in the last two meetings was this idea that we ought to limit the conversation to just the way in which the federal government manages this information.
I would put this to you, Mr. El Emam, that at some point on the commercial side of this, prior to buying it from Telus, there would have been processes for the collection of this data. I would like to ask you, in your remarks, to reflect on the way in which the collection of data at the source could be held to the same standards that we would have internally within my own government.
I'll just share with you in a very clear way my concern, which is that perhaps we have outsourced privacy breaches to a commercial sector that might not have the same kind of rigour and, quite frankly, principles around purposeful limitation.
Could you comment on that quickly, or could you put it in writing for the benefit of this committee and for future recommendations we might have?
12:35 p.m.
Canada Research Chair in Medical Artificial Intelligence, As an Individual
Yes, absolutely. I'll quickly say a couple of things.
Companies need to collect personal information to conduct their business; that's normal. When they share that information with other entities, they would create non-identifiable datasets. Ensuring that this is done properly, plus the overlay of transparency and ethics reviews, provides a good governance model so that whoever gets the data has constraints or guardrails on what they can do with it.
That model is good when it's put in place. It works well in practice. We just need to make sure that it's put in place.