I was invited to appear before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on February 10, 2022. The Committee was conducting hearings into the use of de-identified, aggregate mobility data by the Public Health Agency of Canada. My opening statement to the committee is below. The recording of this meeting (as well as all of the other meetings on this topic) can be found here: https://www.ourcommons.ca/Committees/en/ETHI/Meetings
Thank you for the invitation to address this Committee on this important issue.
The matter under study by this Committee involves a decision by the Public Health Agency of Canada (PHAC) to use de-identified aggregate mobility data sourced from the private sector to inform public health decision-making during a pandemic.
This use of mobility data – and the reaction to it – highlights some of the particular challenges of our digital and data society:
· It confirms that people are genuinely concerned about how their data are used. It also shows that they struggle to keep abreast of the volume of collection, the multiple actors engaged in collection and processing, and the ways in which their data are shared with and used by others. In this context, consent alone is insufficient to protect individuals.
· The situation also makes clear that data are collected and curated for purposes that go well beyond maintaining customer relationships. Data are the fuel of analytics, profiling, and AI. Some of these uses are desirable and socially beneficial; others are harmful or deeply exploitative. The challenge is to facilitate the positive uses and to stop the harmful and exploitative ones.
· The situation also illustrates how easily data now flow from the private sector to the public sector in Canada. Our current legal framework governs public and private sector uses of personal data separately. Our laws need to be better adapted to address the flow of data across sectors.
Governments have always collected data and used it to inform decision-making. Today they have access to some of the same tools for big data analytics and AI as the private sector, and they have access to vast quantities of data to feed those analytics.
We want governments to make informed decisions based on the best available data, but we want to prevent excessive intrusions upon privacy.
Both PIPEDA and the Privacy Act must be modernized so that they can provide appropriate rules and principles to govern the use of data in a transformed and transforming digital environment. The work of this Committee on the mobility data issue could inform this modernization process.
As you have heard already from other witnesses, PIPEDA and the Privacy Act currently apply only to data about identifiable individuals. This creates an uncomfortable grey zone for de-identified data. The Privacy Commissioner must have some capacity to oversee the use of de-identified data, at the very least to ensure that re-identification does not take place. For example, the province of Ontario addressed this issue in 2019 amendments to its public sector data protection law. Amendments defined de-identified information for the purposes of use by government, required the development of data standards for de-identified data, and provided specific penalties for the re-identification of de-identified personal data.
The Discussion Paper on the Modernization of the Privacy Act speaks of the need for a new framework to facilitate the use of de-identified personal information by government, but we await a Bill to know what form that might take.
The former Bill C-11, the bill to amend the Personal Information Protection and Electronic Documents Act that died on the Order Paper last fall, specifically defined de-identified personal information. It also created exceptions to the requirements of knowledge and consent to enable organizations to de-identify personal information in their possession; and to use or disclose it in some circumstances – also without knowledge and consent. It would have required de-identification measures proportional to the sensitivity of the information, and would have prohibited the re-identification of de-identified personal information – with stiff penalties.
The former Bill C-11 would also have allowed private sector organizations to share de-identified data without knowledge or consent, with certain entities (particularly government actors), for socially beneficial purposes. This provision would have applied to the specific situation before this committee right now – it would have permitted this kind of data sharing – and without the knowledge or consent of the individuals whose data were de-identified and shared.
This same provision or a revised version of it will likely be in the next bill to reform PIPEDA that is introduced into Parliament. When this happens, important questions to consider will be the scope of this provision (how should socially beneficial purposes be defined?); what degree of transparency should be required on the part of organizations who share our de-identified information; and how the sharing of information for socially beneficial purposes by private sector organizations with the government will dovetail with any new obligations for the public sector – including whether there should be any prior review or approval of plans to acquire and/or use the data, and what degree of transparency is required. I hope that the work of this Committee on the mobility data issue will help to inform these important discussions.