Evidence of meeting #8 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was consent.
A recording is available from Parliament.
5:10 p.m.
Liberal
Greg Fergus Liberal Hull—Aylmer, QC
On what criteria are you basing your statement that your system is pretty seamless and that you can be reasonably certain that the data you share is de‑identified?
5:10 p.m.
Vice-President, Chief Data and Trust Officer, Telus Communications Inc.
As I mentioned earlier, we worked very closely with leading de-identification experts, and we have continued our work—because we saw this as so important—to try to develop standards in this space. We work with leading de-identification experts on CANON, the Canadian Anonymization Network, which we co-founded, to continue to push forward the technology around de-identification and arrive at standards. As you heard from Dr. Khaled El Emam, there are standardized industry techniques. There are certain approaches that experts will take, and one of the ways we can test those is to subject the datasets to re-identification attacks and consider the types of re-identification attacks that could be executed.
5:10 p.m.
Vice-President, Chief Data and Trust Officer, Telus Communications Inc.
I'm not sure what “very often” would be, but we have definitely done rigorous re-identification tests and attacks, and we've commissioned them. Part of our work with experts was to do that very thing to make sure it was bulletproof.
5:10 p.m.
Conservative
The Chair Conservative Pat Kelly
That's all the time we have, Mr. Fergus.
Mr. Villemure, you have two and a half minutes.
5:15 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Thank you very much, Mr. Chair.
Ms. Snively, I understand that consent is not always obtained at the source itself, and this idea made the Privacy Commissioner rather uneasy.
What do you think must be done in the future to improve that situation?
5:15 p.m.
Vice-President, Chief Data and Trust Officer, Telus Communications Inc.
In the context of de-identified information, the focus should be on the actual core privacy protections. I think Bill C-11 started down this path that we can do more things with de-identified data, and perhaps the space it had for codes of practice would be a great place to put some of the standards we were just talking about. How can we get comfortable that we're all talking about the same thing around de-identification and raise that standard?
I think the most important thing, as I said earlier, is not to rely on consent, because we're talking about de-identified information, but to rely on absolutely substantial privacy controls that are in place regardless of the choices or selections. We know that choices and selections are challenging, so let's just get it right.
5:15 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Okay. Thank you.
Were you inspired by the new European regulation, the General Data Protection Regulation, or GDPR?
5:15 p.m.
Vice-President, Chief Data and Trust Officer, Telus Communications Inc.
There are some great aspects to the GDPR, and certainly we see in it that they have embraced privacy by design, and that's part of what we believe in as well. We've been embracing the privacy by design concept for a long time at Telus.
I think there are some terrific aspects of the GDPR. I also think there are some terrific aspects to our existing legislation. It's been very principle-based. Although old, it has served us quite well, because it is principle-based. It has not been technology-specific and has allowed us to be nimble and agile in the way we've assessed privacy.
5:15 p.m.
Vice-President, Chief Data and Trust Officer, Telus Communications Inc.
Do I think there could be tweaks? Yes.
5:15 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
In the spirit of my colleague's comment, do you think Telus could have adopted a more proactive approach, for example by sending a text message, instead of a passive approach, which consisted in telling users to visit a website?
5:15 p.m.
Vice-President, Chief Data and Trust Officer, Telus Communications Inc.
Before we start looking at something like a text message, I think there are a lot of considerations that would go into that type of thing. What we tell our customers all the time is to please not respond to a text message from us that you are not expecting, because it could very well be phishing. There are a lot of different considerations that go into texting customers. A lot of customers do not want to be texted, so it's not a simple decision to simply actively reach out to customers. If we were to do that, I'm not sure how it would play out. Our focus is on protecting their privacy.
5:15 p.m.
Conservative
The Chair Conservative Pat Kelly
I did actually allow a fair bit of extra time there in recognition of Monsieur Villemure's earlier round, but we really must go now to Mr. Green.
Go ahead, Mr. Green, for two and a half minutes.
5:15 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you.
There's certainly been a lot of discussion about what meaningful consent looks like throughout the course of this study. We've heard today the witness talk about drivers in their current policies as a corporation under current legislation.
I want to state that it's my hope that we extend this investigation into what I consider to be the underlying deficits in Canadian privacy, transparency and accountability laws, deficits that have enabled this kind of collection in what I consider to be a surreptitious way and, as has been identified, the capitalization and commodification of data, big data in particular.
My question is that if this session of government was able to effectively modernize our privacy acts and legislation to bring big data under the purview of privacy, as I believe big data technology has certainly surpassed its current use, how would Telus adapt to include all data in their frameworks of meaningful consent?
5:15 p.m.
Vice-President, Chief Data and Trust Officer, Telus Communications Inc.
That's a challenging question without knowing what the changes would be.
I do want to make one thing clear, and it is that we have gone above and beyond the law. A lot of the things that we have been doing in our strong de-identification methodology, including our rigorous reviews of the purposes for which this data is used, the transparency on our website and the transparency specifically around Data for Good, are the types of things that would likely be in the new legislation.
5:20 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Mr. Chair, I'm going to ask one specific question, and hopefully the witness can provide the response back in writing.
We heard time and again about de-identified versus personal data. If we were to treat de-identified data as we did personal data and given its source, could the witness provide us, in writing, how they would go about providing meaningful consent to their clients when they're using data this way?
5:20 p.m.
Vice-President, Chief Data and Trust Officer, Telus Communications Inc.
I can take that away.
5:20 p.m.
Conservative
The Chair Conservative Pat Kelly
All right. If that's sufficient, we'll look for a written response to that question.
We'll go now to Mr. Kurek for five minutes and we'll finish off with Ms. Saks.
5:20 p.m.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
Thank you very much, Mr. Chair, and again thank you to the witness for your testimony here today.
I hope we can get some more information about both the portal and the information that was provided to PHAC. In addition, as I've been considering your testimony, it would be very helpful and important for Canadians to be able to understand what the query-based system looks like and what types of queries could be asked.
Could I ask that this information be provided to the committee so that we can consider it as we are writing our report?
5:20 p.m.
Vice-President, Chief Data and Trust Officer, Telus Communications Inc.
Absolutely. I can take that back and discuss how to present that to you with my team.