Information & Ethics Committee on Feb. 17th, 2022

Perhaps you could clarify your question. If you're looking for movement during a particular sporting event, yes, but not in real time. One of the controls that we have on the platform is not to provide any real-time data, because that increases the risk of reidentifiability to something. It would no longer be considered de-identified.

Thank you very much for those questions.

To ensure that PHAC or others on the platform do not have access to personal information, we went through a very rigorous process. It actually took years to build the Insights platform to be what we wanted it to be. We realized years ago that there could be tremendous value in this de-identified network mobility data. We're talking about the pings that devices make off of the cell towers as they move about the network. If we could de-identify those pings and just look at the movement patterns, there were a number of “social good” uses that we could immediately see, with tremendous value, and we've seen that borne out during this pandemic.

We consulted with leading de-identification experts and spent a tremendous amount of time building the technical platform and the technical rules to de-identify the data and strip the identifiers, but we went far beyond that to rules around the way the queries are made and controls on the frequency with which queries are made, as well as considerations of geography and aggregation. There were a number of different technical and statistical controls, and then on top of that we put in administrative controls.

I talked earlier about the guided and supervised access. That's another administrative control that we have in place whereby we're actually supervising what is happening on the platform and reviewing what is taken from the platform, as well as strict contractual controls prohibiting reidentification. Those are some of the ways we control and make sure that we have reduced the reidentification risk to a very small risk.

In terms of the privacy by design certification, I'm glad you asked about that. We're really proud of that certification. It is a very rigorous process. Our most recent privacy by design certification for the platform was just before COVID, so it was excellent timing for the launch of Data for Good. It took over four months to conduct. It's conducted by a fully independent external audit group.

There are seven privacy by design principles. Those turn into 30 privacy and security criteria, and then into 94 different controls that are illustrative of our meeting those criteria and principles. It took, as I say, about four months. They complete that report, and then they have to take it to an independent accreditation board to have it independently reviewed before we can be certified.

That's correct.

I'm not privy to all of the uses to which the data was put. We have a record of them, but I don't know them all personally.

We heard Dr. Tam speak earlier about how valuable it had been to have mobility data and be able to layer that in with epidemiological data, similar to what Dr. Khan was speaking about earlier as well, and to be able to map what had gone on with the contagion and to make predictions about where it might go and be proactive, Dr. Khan said, as well as reactive.

It was also possible to look at the impact of different restrictions and policies to see how effective they were. As we all know, at the outset of the pandemic, a number of different restrictions were placed on us that we hadn't experienced before. We were able to see, by looking at these large-scale movements and trends in patterns, whether or not they were effective in curbing movement.

The data that this is based off of at the point of collection is collected in the course of providing mobility services, so that consent is applied to its use for mobility services and to provide mobility services; however, when we de-identified the data, it was no longer personal information about our customers.

Rather than relying on consent there, what we relied upon was ensuring that we had de-identified it. Our focus was to ensure that we had protected our customers' privacy and that we were transparent and clear about our use of that data.

We did not obtain user consent for this specific purpose. This was not personal information; this was de-identified information, so the information was de-identified and then shared for these purposes.

Yes, it was. Before it goes through the transformation, it's personal information.

I think it's challenging to know what anyone expects.

I want to be clear that there's a very critical distinction between personal information and de-identified information. For personal information, we're very focused on consent and the privacy implications, but when it comes to de-identification, the de-identification process itself is what protects privacy. That's our focus there, and that's how we protect our customers' privacy on that front.

When it remains in personal format, our focus might be more on consent. That's generally the primary driver in our current legislation.

We have a lot of information in our privacy policy and on our website about de-identification. In terms of all of the various uses and the concept of implied consent under our legislation, although under our legislation it's not generally considered that consent is required. We're very transparent about that. We have, I would say, more information than most organizations might have. We have a lot of information about how de-identification works, why we use it, how it protects privacy, and then more information about how we use data that has been de-identified for analytics purposes.