Information & Ethics Committee on Feb. 7th, 2022

Mr. Chair, could I ask—

I'm afraid you're out of time, Mr. Green.

Just as a point of order, related to information that he had talked about, can we request, through you, that he provide in writing the explicit framework that he talked about?

I think you just have.

Again, Mr. Green, I know that you're a big fan of only using—

Get it in writing.

—a point of order when there is actually a deviance from the regular practice or rule of the committee. Thank you, Mr. Green.

We will go to Mr. Brassard. I understand that he will begin and then perhaps split his five minutes.

Go ahead, Mr. Brassard.

Thank you, Mr. Chair.

Mr. Green, that was a proper point of order, by the way.

Mr. Therrien, first of all, you have given us a lot to consider today. I want to thank you for your frankness.

I want to talk about data that's properly de-identified. You said it's always at risk through data matching. We know that through this process, or we've learned that through this process.... Telus collected the data. It was passed on to a secondary source called BlueDot, whose business is presumably to take that data, assess it and provide guidance to PHAC, which eventually became the customer.

What is the risk of data being de-identified by a company whose business it is to deal with this type of scenario? Just talk about the risk, if you will.

That's where I was going with this.

Right. We have heard from security experts and privacy experts publicly—we haven't heard it at the committee, at this point—that those appropriate safeguards and protocols have to be put in place at the source. If they are not, then there is a significant risk of reidentifying that information.

Excuse me. I have to stop you, Mr. Turcotte. The interpreters are unable to interpret. I understand that you don't necessarily have the ideal headset for this.

I will maybe throw the question back to Commissioner Therrien to answer.

With that, I think we're going to switch to Mr. Patzer.

You have two and a half minutes.

Thank you very much, Mr. Chair.

Mr. Therrien, I think Canadians at large were quite alarmed and surprised to learn that, as I think one article I read said, 33 million users had their data accessed by PHAC. It begs the question, how many other departments out there are accessing people's personal information within the federal government?

Yes. I think the general concern, though, is that the government is taking people's personal data, but then it could potentially use it against them. Is that a concern? Are there any safeguards to prevent that from happening?

Yes. I think that's definitely problematic.

My last question goes back to when you appeared in 2020 before the industry committee, which I was a member of at the time. You indicated that when properly designed, tracing applications could achieve both public health objectives and the protection of rights simultaneously. I remember that at the time you had some concerns about that, because the government hadn't actually consulted you at that point in time. How were those concerns addressed, and what has been done to prevent that?

Yes.