I personally am a very strong believer in exercising control and allowing individuals to exercise control over the uses of their data. Traditionally, this has been linked with identifiable data. It has your name, address and other identifiers linked to it. Then, of course, you should be able to exercise total control.
There are means by which the data can be strongly de-identified, as has taken place here. Then our laws, the way they exist right now, no longer apply, because if data is considered to be de-identified, they no longer fall under privacy laws. That's one of the reasons I believe we need to upgrade our laws and reflect that in this day and age, even if you have strongly de-identified data—there are very strong ways of de-identifying data, and I'm not going to suggest otherwise—the risk of reidentification still exists.
I would like us also to explore other means of de-identification. For example, there are now new forms of de-identification that tend to have an extremely low risk of reidentification. This is called “synthetic” data, and this is now growing and being used.
What I'm urging is that people need to be able to retain control of their data, and especially with mobility data, which is so sensitive. I think if anyone had been asked...which PHAC did not do. If anyone had asked or given notice to the 33 million Canadians whose information and mobility data they gained access to whether they would have consented to that—no way, in my view. I think it would have been highly unlikely.
So I think we need to upgrade.