Transport Committee on Feb. 14th, 2017

It's a good question. If I were able to answer it in a nutshell, then we'd all be in great shape. Unfortunately, it's one of those very complicated problems.

I think there are a number of issues that I see coming up in this context repeatedly and that need to be addressed. Obviously, one of them is the whole private sector data protection puzzle. I think the standing committee on access to information is going to be looking at the Personal Information Protection and Electronic Documents Act. I think there are some significant issues with the capacity of that statute to deal with the collection of personal information by private sector actors in the big data era. One piece of the policy puzzle would be to look at that as something that really needs to be modernized and updated to address some of those challenges.

In the smart cities context, what I've seen now for quite a number of years is a growing conflict between the ways in which we've structured data protection: we have public sector legislation and we have private sector legislation, and then of course at the public sector level, you have provincial and you have federal.

I think this is increasingly challenging when you have projects that blend together both the public and the private, so that you have governments that are contracting with the private sector for services that are going to involve the collection and processing of this data. I gave you the example of the public transit smart card data, where perhaps you have a cash-strapped municipality interested in a lucrative offer they're receiving for their smart card data and so on. You have more and more issues in which the lines between public and private are not as clear as the legislation would make it seem and the norms that are established under the different statutes are not necessarily compatible, so they can be quite different. I think that's one area that requires some attention. How do you create a framework for this blended data protection context?

We have to try nonetheless. I think it is essential that we try.

There are, however, other measures that governments can adopt. For instance, as I said earlier, governments buy information from the private sector. I am seeing this more and more. This is essentially big data from the private sector that can be used for analysis purposes. It is easier and less expensive to get this data from the private sector. It is often collected by companies that offer consumer applications. Consumers use those application. The data is then collected and purchased and used by government.

That leads me to the following question. Should governments that wish to collect personal data and information from the private sector have minimum standards as to the privacy policies of those companies? Is it enough to simply buy personal data from any company? Does the government have standards regarding the purchase of that data? We can demand certain conditions to protect citizens.

This is essentially the challenge. This is the challenge under private-sector data protection legislation as well. There have to be certain norms for the collection of personal information and for compliance with those norms.

In the smart cities context?

If you mean an example of how a city or a government should go about ensuring.... I have already given the example of contracting for data in the hands of private sector companies. I do think it's important that governments set basic standards for any personal information they'll be acquiring from private sector companies or aggregated information that requires citizens to use apps. If you'll be collecting app data from certain types of apps, then maybe you should say that you will only purchase data from companies that set these basic standards in their policies.

I think there are a couple of questions there. Often where data is provided by app companies to governments for planning or other purposes, they retain ownership of the data. I think that's an interesting and significant issue for municipalities, for a number of reasons. Often they'll say that this is aggregate data that's been provided and it's not specific to individuals, so the impact on the individual comes in terms of what's happening to their personal information in relation to the private sector context.

In terms of ownership, that becomes interesting. Of course, if the app company retains ownership, then the government is restricted in terms of what it can do with that data, who it can share that data with, and in what circumstances.

Where the government is collecting personal information directly, or where the government is collecting it through the private sector, I suppose, there needs to be a level of transparency in terms of the practices that are taking place so that people can understand what data is being collected and what purposes it's being put to. That principle is already there in the legislation, but I think its application certainly needs to be improved. I think we all feel that there isn't sufficient transparency. We don't know what's happening to our personal information. Greater transparency would be pretty high on my list. Obviously that's easy to say and much harder to do, in terms of just listing things, but I would say greater transparency.

I'm also extremely concerned about a porousness in the link between private sector data and government surveillance and monitoring of citizens. This is something that is becoming an increasing problem, that all of these masses of data collected by private sector companies are relatively easily accessible, under our current laws, by government agencies. I think that raises transparency issues and also raises surveillance issues.

Yes.

Purpose limitation is already in the legislation, but I agree that it's something that has become problematic in terms of its monitoring and enforcement. It is an important principle.

Certainly in the U.K., the national government is taking a significant interest in this. My centre looks at things more from the position of the physical infrastructure rather than the sorts of personal private data the previous speaker was talking about, but even so, there are security implications in this. Some of the data we want could potentially come from people's mobile phones, such as travel data and that sort of thing. There's definitely a role for the federal government, and there's definitely role for the standards organizations as well.

In the U.K., we are currently developing some standards around cybersecurity for smart cities. One of the reason for this is that you really have to assume that someone will hack you at some point, and if you're using digital infrastructure to manage your critical physical infrastructure, that includes your water supply, your power supply, your transport systems, etc. A malicious hack into that could potentially derail very important and critical national infrastructure. You need to have systems that are appropriately secure from each other such that they can't interfere with each other but at the same time will allow the healthy and useful sharing of data. I think there's definitely a role for the federal government in making sure that is happening.