Thank you for the question.
In the brief I submitted to the committee, there are a number of specific recommendations that I make throughout. I won't and can't go through all of them right now. However, the first one that I think is important for the committee to remember is that the ETHI committee a few years ago actually did a study of the Privacy Act. They saw a number of esteemed experts come. They produced a report. I would recommend starting there to see what still resonates. I believe much of what's in there still does.
More broadly as it pertains to the current PHAC situation, I think it is important and essential that the Government of Canada, when it's obtaining datasets from private organizations, whether it be identifiable or de-identified data, whether it be aggregated or not, be able to demonstrate that meaningful consent was first received before that information was collected by those private entities and then shared with the government. The Privacy Commissioner of Canada should both be apprised of and be required to approve any and all such projects. Further, within the Privacy Act itself, there should be a requirement that privacy impact assessments are performed and are made public. Currently, that's not often occurring.
Shifting slightly to PIPEDA, one of the real problems here is that a series of private organizations collected information and subsequently disclosed it. That information was largely collected without the knowledge of individuals. Privacy policies don't work. They do not constitute meaningful consent. However, the Privacy Commissioner of Canada does have guidance as to what should be done. I believe there should be a requirement that this kind of guidance should be built into PIPEDA itself.
Furthermore, there will, of course, be situations where information is disclosed to government agencies and others. One way that Industry Canada has worked with industry in the context of law enforcement has been to recommend that private companies produce what are called transparency reports. I have more on this in my brief. I would argue that while that is a step in the right direction from several years ago, these reports are not mandatory. They should be; moreover, they should be more comprehensive. They should include not just law enforcement disclosures. They should also pertain perhaps to copyright information and, in this case, the sharing of aggregated and de-identified data, and to whom that is shared.