The requirements for consent in the regime apply to personal information. It could be de-identified data, which is just the removal of direct identifiers. They don't apply to personal information where, as the statute is currently drafted, it's “reasonably foreseeable”.
The Office of the Privacy Commissioner of Canada did an excellent job in that investigation. I know it well; I acted in that investigation. In their careful analysis, they determined that the data that was received by the Public Health Agency of Canada was not identifiable in the context of the disclosures that took place. Therefore, if the data was not identifiable, it's not personal information. If it's not personal information, it wouldn't be subject to the consent requirements or to the statutory regime.
Our surgical amendments make no difference to that. In fact, it reflects the current law, etc.
Again, I can't overstate the exceptionally high standard for what is personal information right now. You have to look contextually at the circumstances and you have to look at the technical methods for de-identifying, which are wrapped in administrative controls, security controls and physical controls. That suite of controls was implemented on top of some very sophisticated methods to ensure that the Public Health Agency of Canada, as determined by the Office of the Privacy Commissioner of Canada, did not receive any identifiable data.