Information & Ethics Committee on Feb. 28th, 2022

Thanks for the question.

Thanks for bringing back some of the early stuff that was written at those very early stages of COVID. I think in some ways that really does highlight how essential it is to get the frameworks right to have the kind of transparency and the guardrails that we're talking about.

The last couple of years have been demonstrative of the need for both data and public active participation in different things. COVID Alert was a good example of that as well.

You can only get there if there is public trust in those collecting the data, in how it will be used and in the oversight that is in place. I think, respectfully, that we still fall short in that regard. The commissioner has raised these kinds of concerns. I don't think anyone is going to credibly try to question the commissioner when he raises these kinds of issues. That strikes me as a source of concern.

In terms of how long data is retained, that's a benchmark issue that exists within all modern privacy laws. One only retains data for as long as strictly necessary. If we're talking about specific trends data where we're trying to respond rapidly based on emerging trends, I would suggest that there is little reason to retain that data for lengthy periods of time once the value of it for that particular trend may have passed.

I am no expert in legislative drafting for the federal government, but I feel that the principle remains the same, that there should be a oversight mechanism. Earlier, we talked about improving the Privacy Act, but we already have an act and we are not complying with it. We also have an institution in place and it was ignored.

It is all very well to want to improve the act and strengthen the control and oversight mechanisms, but the challenge is to respect the institution that is already in place.

I think that the—

You could have more transparency…I don't know who that question was for.

You could have more transparency by—

Ah, okay.

Thanks for that.

I'll respond by saying that I do think.... I mean, you're highlighting a number of different things. I would say that COVID Alert does provide you with a better example of ad campaigns, of multiple ways of trying to advertise and communicate so that people are aware of what's taking place. To the extent to which we are accepting that there's some form of consent here, it is informed.

I think the COVIDTrends site could have made and still could make it clear where the mobility data is coming from, so that those Canadians who might be affected by it would know that's the case. I think the COVIDTrends website could include a link specifically to Telus's site, so that people who want to opt out of the Data for Good program would be in a position to do so. I think that they similarly could include a link to BlueDot to allow them to opt out of that.

If you have informed consent, it's about ensuring both: that people understand what is being asked of them or, more particularly, how their data is being used, and giving them the information they need to be able to opt out if they see fit. That, to me, is how you go about trying to ensure a high standard with respect to fostering public trust and complying with people's privacy expectations.

You can say, “Well, listen, we did this, this and this, and we were compliant with the law.” I thought I opened by indicating that this was, in my view, compliant with the law, but I think we'll come back to Mr. Charbonneau's point that compliance with the law doesn't always foster trust.

We want to ensure that we have trust, because this is important information, and these are the kinds of programs that can be critically important. Simply ensuring that we ticked the right boxes without necessarily going that extra mile to give people the kind of information they need to make informed choices and to be able to opt out, which are things that could be done.... To me, that would have been a better approach.