Thank you very much for the invitation to appear.
My name is Christopher Parsons, and I'm a senior research associate at the Citizen Lab, Munk School of Global Affairs and Public Policy. I appear before this committee in a professional capacity to represent my views, and my comments are based on research that I've conducted at the University of Toronto Citizen Lab.
The earliest days of the pandemic were chaotic in terms of information that was communicated by all levels of government. One area of confusion arose surrounding the extent to which these governments used mobility data and for what purposes.
Here are a few examples. On March 24, 2020, the Prime Minister and Dr. Tam asserted that telecommunications mobility data was not being used by government agencies. In the March 23, 2020 announcement that the government was partnering with BlueDot, the Prime Minister's official comments did not refer to mobility information. This information was only available by reading press statements, such as from U of T. It was only in December 2020 that information that mobility information was being used appeared on the COVIDTrends website. There is still no indication of where precisely that information comes from.
I raise these points not to indicate that the government misled Canadians per se, but that the information environment was chaotic and is yet to be adequately corrected. To begin this correction, I suggest that the committee recommend that the COVIDTrends website be updated to make clear the specific sources of mobility data the government is using, as well as including an opt-out from Telus's “data for good” program and enabling individuals to opt out of BlueDot's collection of information. Further, the committee should recommend that Telus incorporate the opt-out mechanism into all of its customer portals, for both Telus and Koodo, in obvious ways so individuals know they have this option.
I now turn to the issue of using telecom and data analytics information for health surveillance.
A key issue before this committee is Telus's and BlueDot's collection of information and the disclosure of it to the Government of Canada. In the case of Telus, they transform the qualitative nature of the data upon repurposing information that might be used to technically service their network into a sellable data asset. In the case of BlueDot, it remains unclear just how and under what terms they obtained the data that was provided to the government. Together, the activities of these companies speak to the government's seeming willingness to receive mobility data without first confirming that individuals have meaningfully consented to such disclosures.
As such, I recommend that the committee propose a series of Privacy Act reforms.
First, the private vendors that provide anonymized, aggregated or identifiable information to government agencies should be mandated to prove that they have obtained meaningful consent from individuals to whom the information relates before it is disclosed.
Second, the Privacy Act should be updated to capture anonymous or aggregated information that is collected or received by government agencies. Aggregated and anonymous information can drive policies affecting individuals and communities, and these individuals and communities do not lose an interest in the data simply because it is anonymous. Programs using such information should be required to receive approval from the Privacy Commissioner before they launch.
Third, the Government of Canada, whenever it is receiving either identifiable or aggregated and anonymized information derived from individuals from private organizations, should be required to demonstrate that such information was collected by those organizations after the individuals meaningfully consented to the collection and disclosure.
The Privacy Act presently empowers the government to collect significant volumes of information without the explicit knowledge or consent of individuals. PHAC has not indicated a desire, need or intention to subsequently reidentify those datasets; however, it could change that policy tomorrow, given the current status of the Privacy Act. This is a problem.
I recommend the following.
First, that the committee propose updating the legislation to include necessity and proportionality requirements, which would compel government organizations to demonstrate that identifiable or anonymized information is required to fulfill a specific activity and ensure that the sensitivity of the data is proportional to the activity in question.
Second, that government agencies be restricted from reusing information that they have acquired, absent reacquiring an individual's meaningful consent for reuse where appropriate.