Following from the commissioner's opening remarks, appropriate designs of technologies, such as tracing applications, depend on respect for some key privacy principles recommended in the OPC’s “Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19”, and in a joint statement by federal, provincial and territorial privacy commissioners on contact-tracing applications.
In the interest of time, we will focus on six of these principles.
First is purpose limitation. Personal information collected through tracing applications should be used to protect defined public health purposes, and for no other purpose.
Second, these applications should be justified as necessary and proportionate, and therefore be science-based, necessary for a specific purpose, tailored to that purpose and likely to be effective.
Third, there must be a clear legal basis for the use of these applications and use should be voluntary, as this is important to ensure citizens’ trust. Use should therefore be consent-based and consent must be meaningful.
Fourth, these exceptional measures should be time-limited. Any personal information collected during this period should be destroyed when the crisis ends, and the applications decommissioned.
Fifth is transparency. Governments should be clear about the basis and the terms applicable to these applications. Privacy impact assessments or meaningful privacy analysis should be completed, reviewed by privacy commissioners, and a plain-language summary published proactively.
Sixth is accountability. Governments and companies should be accountable for how personal information will be collected, used, disclosed and secured. Oversight by an independent third party, such as privacy commissioners, would enhance citizens’ trust.
While governments have stressed the importance of privacy in the design of tracing applications, several of the principles I have mentioned are not currently legal requirements in our two federal privacy laws. For instance, nothing currently prevents a company from proposing an app that is not evidence-based and using the information for commercial purposes unrelated to health protection, provided consent is obtained, often in incomprehensible terms. A government could partner with such a company.
The current health crisis has made clear that technologies can play a very useful role in making essential activities safe. This meeting is about contact tracing, but potential benefits are much wider. For instance, let us think about virtual medicine or e-education.
What we need, more urgently than ever, are laws that allow technologies to produce benefits in the public interest without creating risks that fundamental rights such as privacy will be violated. Because of the growing role of public-private partnerships in addressing situations such as the COVID crisis, we need common principles enshrined in public sector and private sector laws.
Thank you. That concludes our statement.