Letter to the Standing Committee on Access to Information, Privacy and Ethics on their Study of the Collection and Use of Mobility Data by the Government of Canada

On March 14, 2022, the Privacy Commissioner of Canada, Daniel Therrien, sent the following letter to the Standing Committee on Access to Information, Privacy and Ethics to provide information requested during his appearance before the Committee on February 7, 2022. It is a revised version of a letter originally sent on March 1, 2022.

March 14, 2022

Mr. Pat Kelly, M.P.
Chair
Standing Committee on Access to Information, Privacy and Ethics
House of Commons
Sixth Floor, 131 Queen Street
Ottawa, Ontario, K1A 0A6

Dear Chair:

I would like to thank you and the Members of the Committee for the invitation to provide our views on your study, Collection and Use of Mobility Data by the Government of Canada. The discussion of transparency and appropriate safeguards for protecting de-identified information is a timely one. Before addressing Members’ questions, I should note that the views expressed during my appearance and in this submission are general OPC positions and recommendations, and should not be interpreted as answering the specific questions raised in complaints currently under investigation by my Office.

Legal requirements for transparency and use of de-identified information

I was asked to elaborate on the question of legal requirements for transparency and use of de-identified information. Many data protection laws around the world contain specific provisions for openness and transparency, while the approach to de-identified information varies by jurisdiction. As noted during my testimony, I believe there are legislative solutions to consider beyond solely requiring obtaining individual consent, given the wide range of uses contemplated for de-identified personal information. In today’s digital era, privacy protection cannot hinge on consent alone and in many cases securing individual consent is neither reasonable nor realistic. In fact, consent can be used to legitimize uses that, objectively, are completely unreasonable and contrary to our rights and values. And refusal to provide consent can sometimes be a disservice to the public interest.

However, even when consent is not effective, transparency remains important. To cite one often-discussed example, the European Union’s General Data Protection Regulation (GDPR), contains extensive transparency-related requirements that apply broadly.^{Footnote 1} Under the GDPR, transparency is required regardless of the legal grounds for processing, and it is required at all stages of processing. This means that the GDPR’s transparency requirements apply at not only the time of collection, but also when there is a material change in the purpose of processing.^{Footnote 2} Recital 39 of the GDPR describes the principle of transparency as “requir[ing] that any information and communication relating to the processing of […] personal data be easily accessible and easy to understand, and that clear plain language be used.”^{Footnote 3}

As for regulating the use of de-identified information, the GDPR also clearly distinguishes between “pseudonymized” data and “anonymized” data.^{Footnote 4} The GDPR recognizes pseudonymization as a technique for both reducing identification risks, and promoting compliance with data protection obligations. Importantly, pseudonymized personal data is still subject to the GDPR.^{Footnote 5} Personal data that has been anonymised is not subject to the GDPR.^{Footnote 6}

Within Canada, transparency requirements in both our federal privacy laws remain, at present, inadequate. For example, Principle 8 on Openness in Schedule 1 of Canada’s federal private sector law, the Personal Information Protection and Electronic Documents Act (PIPEDA), provides that an organization must make readily available “specific information about its policies and practices relating to the management of personal information”. In many cases, we have seen this translate into lengthy and complex privacy policies that do not meaningfully inform consumers of how their data is being used. Legislative solutions are required to ensure individuals are adequately informed about what information is being collected about them, the intended uses of their information, and with whom it is being shared.

Neither of our federal privacy laws specifically address de-identified information, which demonstrates the urgency of legislative modernization to keep pace with the digital era. We are supportive of proposals put forward by the Government in both the former Bill C-11 (Digital Charter Implementation Act, 2020) and the Department of Justice consultation paper on Privacy Act Modernization, both of which included increased flexibility to use de-identified personal information while ensuring it remains within the scope of privacy law. Both proposed to include a definition of de-identification in the law, add flexibility to the law to allow its use and disclosure in certain circumstances, and introduce an offence for re-identifying de-identified information.

Several provincial privacy laws have already been modernized to provide enhanced transparency requirements as well as to provide protections for and certain flexibilities in the use of de-identified information. For example, Quebec updated its personal information protection laws in 2021^{Footnote 7} to include definitions for the terms “de-identified” and “anonymized” and put in place penalties for identifying or attempting to identify a natural person using de-identified or anonymized information.^{Footnote 8} Quebec law provides for an exception to consent for the use of de-identified information, as long as the use is necessary for study or research purposes, or for the production of statistics. De-identified information is still considered to be personal information and public bodies and private sector enterprises using de-identified information are obligated to take reasonable measures to reduce the risk of identifying a natural person using de-identified information. Once the purposes for which the personal information was collected or used have been achieved, Quebec law provides that the personal information must be destroyed or it can alternatively be anonymized for use for public interest purposes by public bodies, or for serious and legitimate purposes by private sector enterprises (subject to applicable legislative preservation requirements).

In 2020, amendments to Ontario’s health privacy law, the Personal Health Information Protection Act (PHIPA), came into force to generally prohibit any person from using or attempting to use de-identified information, either alone or with other information, to identify an individual except as permitted by law and to make willful contraventions of this prohibition an offence under PHIPA. This prohibition does not prevent health information custodians or other prescribed persons or entities from using information they have de-identified, either alone or with other information, to identify an individual. While the law provides that regulations may be made governing the de-identification of personal health information and the collection, use and disclosure of de-identified information by health information custodians and any other persons, to date no such regulations have been passed.

Also, PHIPA authorizes a prescribed entity under s. 45 of PHIPA that also is, or has located within it, an “extra-ministerial data integration unit” (as defined in the Freedom of Information and Protection of Privacy Act (FIPPA)) to use personal health information.^{Footnote 9} However, such use must be consistent with the purposes, requirements and safeguards set out in FIPPA. One such safeguard is that personal information be de-identified as soon as reasonably possible in the circumstances upon collection. The required de-identification process is set-out in the applicable Data Standards. More generally, under FIPPA, data integration units (which include ministry data integration units, inter-ministerial data integration units, and extra-ministerial data integration units) are authorized to collect personal information for the purpose of compiling information to enable analysis in relation to the management or allocation of resources, planning for the delivery of programs and services provided or funded by the Government of Ontario, and for the evaluation of those programs and services. FIPPA contains transparency measures applicable to data integration units, such as public reports, notice requirements and an explicit review role for the Information and Privacy Commissioner of Ontario. As part of the Commissioner’s review, if the Commissioner determines that a practice or procedure contravenes the data integration requirements in FIPPA, they have the authority to order the unit to discontinue or change the practice or procedure, to destroy personal information that was collected or retained under the practice or procedure, and to implement a new practice or procedure.^{Footnote 10}

There are also international examples of laws outside of Europe with specific provisions for treatment of de-identified personal information and its use. However, it is worth emphasizing that each jurisdiction defines their own separate terms for this type of data, which, depending on the country, may be labelled as de-identified, anonymized, or pseudonymous. The lack of common terms for these distinctions has already been a subject of discussion in your current study. For example:

Japan’s Act on the Protection of Personal Information sets out specific rules for “pseudonymously processed information” and “anonymously processed information” respectively;^{Footnote 11}
In contrast, Australia’s legislation has specific rules about de-identified information, and a definition^{Footnote 12} which is similar to recent amendments in QC and ON detailed above; and,
South Korea’s legislation contains greater latitude for the processing of pseudonymous information, which can be processed without consent for statistical, scientific research and archiving purposes in the public interest, and contains other limitations, such as penalties for re-identification.^{Footnote 13}

There is no doubt that modern society will increasingly depend on the value of data. The pandemic has shown that digital technologies can serve the public interest. As I stated in my most recent Annual Report to Parliament, I believe that there should be greater flexibility to use personal information if it is done for legitimate business or public interest purposes.^{Footnote 14} But this should be done within a rights-based framework that recognizes the fundamental right to privacy and prohibits uses of personal information that are incompatible with our rights and values. This increased flexibility should also come with greater accountability. We do not need more “self- regulation” but instead true regulation, supported by objective, knowable standards, adopted in law, and enforced by independent institutions that can ensure organizations are truly accountable.

The Committee expressed interest in receiving specific recommendations on changes that should be made to federal data protection laws. Our Office has been very active on this issue in recent years. We refer you to the following texts, among others:

2020-2021 Annual Report to Parliament, chapter on legislative reform: for effective privacy protection, responsible innovation and strengthened consumer trust (December 2021)^{Footnote 15};
Submission of the Office of the Privacy Commissioner of Canada on Bill C-11, the Digital Charter Implementation Act, 2020 (May 2021)^{Footnote 16};
Submission of the Office of the Privacy Commissioner of Canada, Public Consultation on Modernization of the Privacy Act (March 2021)^{Footnote 17}; and
2018-2019 Annual Report to Parliament, chapter on Privacy Law Reform: A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy (December 2019).^{Footnote 18}

I would be pleased to answer any questions you may have concerning these recommendations.

Technical safeguards and mitigating re-identification risks

The Committee inquired about the actual risk of re-identification of the mobility data the Public Health Agency of Canada (PHAC) received as well as the role of the specific entities and service providers in the de-identification process, including any risks they may pose. I cannot provide any specifics at this time, since the matter is under investigation by my office. However, I can make some general remarks about the application of safeguards and technical measures to contain the risk of re-identification.

De-identification is a process that consists of using techniques against a source dataset in such a way as to remove any serious possibility^{Footnote 19} that the individual can be identified. There are different techniques for transforming the data so it is no longer identifiable, in practice (e.g., through generalization, suppression, noise addition, or sampling).^{Footnote 20} When applying de-identification techniques such as these, the context matters. De-identification processes must be adapted and consideration should be given to the nature, scope, context and purposes of the processing in each instance de-identified data is released.

As to the Committee’s questions concerning the possibility of re-identification, it is important to note that de-identified datasets must protect against different types of re-identification risk, such as individualization (i.e. it must be impossible to isolate an individual from a dataset), correlation (i.e. it must be impossible to link two sets of data concerning the same individual) and inference (i.e. it must be impossible to infer new information about a data subject from a set of data).^{Footnote 21} Therefore, any robust de-identification process must assess and demonstrate the risk of re-identification, and monitor it over time. Appropriate safeguards should be in place to limit the risk of re-identification, and security measures must also address how de-identified data will be transmitted and used by organizations. Measures for restricting access include only sharing or releasing the de-identified dataset with those who need it for approved purposes, and ensuring data is stored in suitably protected data environments with appropriate technical and organizational controls.

OPC Guidance on privacy and pandemic responses

A Committee member expressed interest in my Office’s A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19 (published in April 2020). Throughout the pandemic, the OPC has acknowledged that the health crisis requires a flexible, contextual application of privacy laws to ensure responsible data collection, use and sharing that supports public health. However, given privacy is a fundamental right, it is very important in our democratic country based on the rule of law that key principles continue to operate, even if some of the more detailed requirements are not applied as strictly as they normally would be.

With a view to achieving both greater flexibility and ensuring respect for privacy as a fundamental right, my Office released a framework to assess privacy-impactful initiatives in response to the pandemic. The purpose of the document is to guide development of privacy-impactful initiatives meant to alleviate the effects of the pandemic. It sets out key privacy principles that should factor into any assessment of measures proposed to combat COVID-19. To be clear, this is a framework of privacy principles, not a framework of technical safeguards for how to properly de-identify personal information.

The framework encourages use of de-identified or aggregate data (whenever possible), while also being attentive to the context and risks. In this regard it specifically calls for organizations to:

Be aware that there is always a real risk of re-identification, although it is generally less for aggregate data. It is important to be attentive to the risks, which are highly case-specific - dependent on what data is used, in what form, and with what other data it is combined, and with whom it will be shared;
Be especially mindful about the unique challenges with location data. Location data points themselves can lead to re-identification as they can reveal personal details, such as the location of an individual’s home, routine behaviours, and associations, and;
Take administrative, technical and physical means to protect the personal information collected. Ensure safeguards are enhanced for sensitive information.

The framework also contains requirements for transparency, accountability and oversight, calling on the government to provide clear and detailed information to Canadians about new and emerging measures, on an ongoing basis, and to be accountable for its decisions. A full version of the framework document, enclosed for the reference of the Committee, is available on our website.^{Footnote 22}

OPC Engagement on Mobility Data Use

Finally, the Committee solicited details about my Office’s engagement with federal agencies involved in the activity with which the study is seized. To clarify, we were first informed of the Telus Data for Good initiative directly by Telus. Telus contacted my Office on April 8, 2020 to inform us that it intended to share de-identified, aggregate data with governments, health authorities and academic researchers in an effort to support work to respond to the COVID-19 crisis.

Telus shared a public statement it intended to issue, on which it sought our comments. The statement explained the principles of its Data for Good program. We offered a number of comments, suggested Telus consult pandemic related guidance we had recently published at the time, and recommended that if and when Telus had concrete proposals or initiatives with governments, researchers or third parties, they may wish to consult our Business Advisory Directorate to obtain advice. We also noted that we would welcome a technical briefing on Telus aggregation and de-identification methodology. Telus did not provide the OPC with such a briefing and did not follow up with our Business Advisory Directorate.

On April 21, 2020, the Communications Research Centre (CRC), which is housed in the Department of Innovation, Science and Economic Development (ISED), informed us that they intended to access de-identified mobility data from Telus to answer questions for PHAC on mobility trends, such as compliance with physical-distancing guidelines. We wrote to the CRC in the days following our meeting and explained to officials that in order to determine if adequate safeguards had been adopted and whether our framework was being adhered to, we would need to enter into a formal advisory engagement with them. They opted not to pursue that process. We were contacted separately by PHAC on April 22, 2020 and were notified of their intention to use mobile location data in response to COVID-19. PHAC advised that since the information had been de-identified and aggregated, it believed the activity did not engage the Privacy Act as it was not collecting or using “personal information”.

Conclusion

Thank you once again for the opportunity to share my views and I hope these points are helpful to Committee Members as you continue your study.

Sincerely,

(Original signed by)

Daniel Therrien
Commissioner

Encl. A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19 (April 2020)

c.c.: Nancy Vohl
Clerk of the Committee

Footnotes

Footnote 1

Article 5 of the GDPR identifies transparency as an overarching principle.

Return to footnote 1

Footnote 2

Article 29 Data Protection Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01, Adopted on 29 November 2017, para. 5. (revised and adopted 11 April 2018).

Return to footnote 2

Footnote 3

General Data Protection Regulation, European Union Regulation 2016/679, Article 5; Recital 39.

Return to footnote 3

Footnote 4

Article 4(5) of the GDPR defines “pseudonymisation” as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;”. Recital 26 of the GDPR refers to “anonymous information” as “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”

Return to footnote 4

Footnote 5

General Data Protection Regulation, European Union Regulation 2016/679, Recital 26; 28.

Return to footnote 5

Footnote 6

Ibid, Recital 26.

Return to footnote 6

Footnote 7

Provisions will come into force gradually until 2024.

Return to footnote 7

Footnote 8

An Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25, ss. 20, 28, 69, 110, 119 and 160.

Return to footnote 8

Footnote 9

Personal Health Information Protection Act, S.O. 2004, c. 3, ss. 11.2, 45(7), 72(1)(b.1) and 73(1)(o.2).

Return to footnote 9

Footnote 10

Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31, Part III.1.

Return to footnote 10

Footnote 11

Act on the Protection of Personal Information.

Return to footnote 11

Footnote 12

Privacy Act (1988), s. 6.

Return to footnote 12

Footnote 13

Personal Information Protection Act, Articles 2, 28 and 71.

Return to footnote 13

Footnote 14

Statement: Remarks by Privacy Commissioner of Canada regarding his 2020-2021 Annual Report to Parliament, (December 2021).

Return to footnote 14

Footnote 15

2020-2021 Annual Report to Parliament, chapter on legislative reform: for effective privacy protection, responsible innovation and strengthened consumer trust (December 2021).

Return to footnote 15

Footnote 16

Submission of the Office of the Privacy Commissioner of Canada on Bill C-11, the Digital Charter Implementation Act, 2020 (May 2021).

Return to footnote 16

Footnote 17

Submission of the Office of the Privacy Commissioner of Canada, Public Consultation on Modernization of the Privacy Act (March 2021).

Return to footnote 17

Footnote 18

2018-2019 Annual Report to Parliament, chapter on Privacy Law Reform: A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy (December 2019).

Return to footnote 18

Footnote 19

Information must pose a “serious possibility” of identifying an individual to qualify as “personal information”, (see for instance, Gordon v. Canada (Health), 2008 FC 258 (CanLII), aff’d in Canada (Information Commissioner) v. Canada (Public Safety and Emergency Preparedness), 2019 FC 1279 (CanLII).

Return to footnote 19

Footnote 20