Study of Collection and Use of Mobility Data Issue Sheets

OPC COVID-19 Framework

Key Messages

  • Early in the pandemic we developed a Framework to help government institutions assess COVID-19-related initiatives to ensure respect for privacy as a fundamental right.
  • It provides guidance on key privacy principles, for example:
    • Ensure measures are science-based, necessary for a specific purpose, tailored to that purpose, and effective.
    • Set strict time limits on privacy invasive measures implemented in response to the crisis, and around how long personal information is retained after the crisis.
    • Adopt rigorous safeguards for the protection of data, and use de-identified or aggregate data wherever possible.
    • Consider the unique impacts of measures on vulnerable populations.
    • Ensure oversight, accountability, and transparency to enhance trust.

Background

  • The OPC issued the framework in April 2020 in response to data-driven initiatives that were rapidly emerging globally to contain and gain insights about COVID-19, some with significant implications for privacy and civil liberties.
  • The framework notes privacy protection is not merely a set of technical rules and regulations, but rather represents a continuing imperative to preserve fundamental human rights and democratic values, even in exceptional circumstances.
  • It also stresses that privacy laws can be applied flexibly and contextually, but they must still apply.

Prepared by: Policy, Research and Parliamentary Affairs Directorate (PRPA)


OPC engagement with the Communications Research Centre and Public Health Agency of Canada

Key Messages

  • On April 21, 2020 the Communications Research Centre (CRC) at Innovation, Science and Economic Development Canada (ISED) informed us that they intended to access de-identified mobility data from Telus to answer questions for the Public Health Agency of Canada (PHAC) on mobility trends, such as compliance with physical-distancing orders. They declined pursuing a formal advisory engagement with the Government Advisory Directorate (GA).
  • On April 22, 2020, PHAC notified us of its intention to use mobile location data in response to COVID-19. Since the information had been de-identified and aggregated, it believed it was not collecting or using “personal information”, and that the activity did not engage the Privacy Act or trigger the Treasury Board of Canada Secretariat’s (TBS) PIA requirements. As such, our advice was not sought.
  • On December 21, 2021, GA requested information from PHAC on a Request for Proposal (RFP) seeking mobile location data for a five-year period. PHAC provided a briefing on January 6, 2022 on both its past and anticipated activities, including sources of data, the parties involved, and how PHAC used or will use the data.
  • We did not provide guidance or recommendations in the course of this briefing, as this would have been inappropriate once we anticipated an investigation.

Background

  • GA has had regular meetings (weekly or bi-weekly) with Health Canada and PHAC’s Privacy Management Division throughout the pandemic. Discussions have included the ArriveCAN App, border measures, proof of vaccination, and other measures.
  • Regarding initiatives that use de-identified personal information, GA recommends that institutions ensure it has been adequately de-identified, and explain to what standards the de-identification process will adhere.
  • On initiatives involving third parties, GA recommends that contracts contain appropriate privacy safeguards to sufficiently protect personal information while outside of the institution’s custody and to comply with its Privacy Act obligations.

Prepared by: GA and PRPA


OPC engagement with Telus on “Data for Good”

Key Messages

  • Telus informed my Office on April 8, 2020 that it intended to share de-identified, aggregate data with governments, health authorities and academic researchers in an effort to support work to respond to the COVID-19 crisis.
  • Telus shared a public statement explaining the principles of its “Data for Good” program, on which it sought our comments.
  • We offered a number of comments, suggested Telus consult the pandemic-related guidance we had recently published, and recommended that if and when Telus had concrete proposals or initiatives with third parties, it may wish to consult our Business Advisory Directorate (BA) to obtain advice. We also noted that we would welcome a technical briefing on Telus’s aggregation and de-identification methodology.
  • Telus did not provide us with such a briefing and did not follow up with our Business Advisory Directorate.

Background

  • No other telecommunications company has reached out to the OPC to discuss privacy-related matters regarding the data they hold.
  • Had the offer to engage with Telus been accepted, we would have examined key privacy principles that should factor into any assessment of proposed measures to combat COVID-19 that have an impact on the privacy of Canadians, including:
    • that the legal authority to collect, use and disclose personal information is clearly identified;
    • that any new measures are necessary and proportionate;
    • that personal information collected, used or disclosed to respond to the COVID-19 pandemic is not used for other purposes; and
    • that de-identified or aggregated information is used wherever possible.
  • The OPC has not received similar proposals from other telecommunications companies. However, the Business Advisory Directorate is willing to engage with other telecommunications companies should they be considering such activities.

Prepared by: BA


Role of Government Advisory

Key Messages

  • Government Advisory provides advice to institutions on specific programs and activities through reviews of privacy impact assessments and consultations on initiatives.
  • At the onset of the COVID-19 pandemic, TBS introduced interim policy measures to relax privacy risk analysis requirements for initiatives designed to respond urgently to the crisis. These measures remained in place until March 2021.
  • When TBS consulted my office on these interim measures, we found that TBS relaxed existing privacy requirements without offering adequate replacements.
  • TBS did not accept our recommendations to recognize privacy as a fundamental human right in its policies, or to require institutions to consult – rather than notify – the OPC on privacy-impactful COVID-19-related initiatives.
  • TBS explained that it could not make these changes in response to the pandemic within the existing legislative framework, which demonstrates the pressing need for legislative reform.

Background

  • The Directive on Privacy Impact Assessment requires institutions to complete PIAs when personal information is used for an administrative purpose. It also requires that institutions determine whether initiatives without administrative uses of personal information but that have an impact on privacy warrant a PIA. This requirement remained in place under the interim version of the Directive.
  • The Policy on Privacy Protection requires institutions to notify our office of any planned initiatives that could be related to the Act or impact privacy, sufficiently early that we may discuss the issues involved. The interim version of the Policy reduced the notification to be “as early as possible” for urgent pandemic activities.

Prepared by: GA


Public-Private Partnerships and Law Reform

Key Messages

  • PHAC’s mobility data initiative is but one example of a growing trend we are seeing - the public sector leveraging private sector technologies and data for policy development or to deliver digital government services.
  • The use of corporate expertise to assist the functioning of the state underscores the need for more consistency across our public and private sector laws.
  • Both sectors should be held to similar standards.
  • Our two federal privacy laws should also be updated concurrently.

Background

  • In its most recent consultation paper on modernization of the Privacy Act, Justice Canada suggested that stronger alignment between the Privacy Act and PIPEDA could simplify the personal information protection regime for everyone, enhance domestic interoperability, prevent gaps in accountability where public and private sector entities interact, and further confirm the Privacy Act’s alignment with established global standards.
  • Justice Canada’s recent report summarizing its consultations confirmed that stakeholders agree with the need to align our public and private sector frameworks for the protection of personal information.
  • We have seen several pandemic-related initiatives and the Royal Canadian Mounted Police’s (RCMP) use of Clearview’s facial recognition technology as recent examples of the growing reliance on public-private partnerships, which demonstrate the need for common requirements between our two federal privacy laws.
  • The Minister of Innovation Science and Innovation’s December 2021 mandate letter instructed the Minister to “introduce legislation to advance the Digital Charter…” while the Minister of Justice was instructed to “…continue substantive review of the Privacy Act…”.

Prepared by: PRPA


De-identification and Law Reform

Key Messages

  • Some have suggested that de-identified information is not personal information and therefore falls outside the purview of our current laws.
  • De-identification can be a privacy-enhancing technique; however, de-identifying personal information does not completely eliminate the risk of re-identification. That is why it is essential to continue to treat it as personal information, so that certain controls, safeguards, and oversight are maintained over its use.
  • We are supportive of proposals put forward by the Department of Justice, and under former Bill C-11, that would grant increased flexibility to use de-identified personal information while ensuring it remains within the scope of privacy law. This strikes the right balance.
  • It would also protect against such information being used in ways which have significant impacts on individuals’ rights.

Background

  • C-11: Contained the following flexibilities to use or disclose de-identified information without knowledge or consent:
    • to de-identify the information (s. 20);
    • for internal research and development purposes (s. 21);
    • between parties to a prospective business transaction (s. 22); and
    • for socially beneficial purposes (to listed/prescribed entities and per the definition of socially beneficial purpose) (s. 39).
  • C-11: technical/administrative measures to be applied to de-identified information that are proportionate to the purposes and sensitivity of the personal information; an offence to use de-identified information to identify an individual.
  • Department of Justice: Allow flexibility to use or share de-identified information without consent when it is in the public interest, the information has been de-identified according to a process set out in regulations or policy, and where appropriate technical, administrative and/or contractual protections have been applied. Proposes creating an offence for re-identifying information.
  • In our review of the COVID Alert App, we recommended that the Privacy Act should recognize that re-identification of personal information is always a possibility, depending on the context, and should define de-identified information to allow for a more targeted and nuanced application of certain rules.

Prepared by: PRPA


De-identification / Aggregation

Key Messages

  • De-identification is the process for removing personal information from a dataset. Aggregation is grouping data with similar attributes to obtain statistical properties.
  • Aggregate data is not necessarily safe for sharing or releasing because combining attributes may produce small counts that are revealing and could be used to identify an individual.
  • De-identifying the data before it is aggregated can reduce the possibility of re-identifying individuals in these small counts.
  • The aim should be to produce useful data for the intended purpose that is sufficiently protected, by minimizing risks of re-identification.

Background

  • Several techniques, used by national statistical agencies, have been developed to protect aggregate data. International standards and guidance exist that explore more complex attacks and solutions.
  • De-identification processes aim to reduce identifiability and minimize the risk of re-identification. This can be achieved by transforming the data (e.g., through generalization, suppression, noise addition, or sampling), or by restricting access.
  • Measures for restricting access include only sharing or releasing data with those who need it for approved purposes and in suitably protected data environments with appropriate technical and organizational controls.
  • “Small counts” refer to the number of individuals that have the same combination of attributes (similar people in the same group). If there are fewer instances (small counts), then there is a higher likelihood of someone being identified. De-identifying the data minimizes the risk of this being possible.
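The following worked example is added here to illustrate the small-counts point above; it is not part of the OPC issue sheet and does not describe any method used by PHAC, Telus or a statistical agency. The records, the threshold of 3, and the field names are constructed assumptions. It builds an aggregate table from de-identified observations, flags the cells whose counts are small enough to single people out, applies primary suppression, checks whether a suppressed cell can still be recovered by subtracting published cells from a released total (one of the “more complex attacks” the sheet alludes to), and shows how generalizing a rare attribute can pool it with its neighbours.

```python
"""
Added illustration (not from the OPC issue sheet): why aggregation alone is not
enough, and how small-count suppression, generalization and a complementary-
disclosure check reduce re-identification risk in aggregate mobility tables.
All records, thresholds and field names below are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Tuple

Record = Dict[str, str]
Group = Tuple[str, ...]
Table = Dict[Group, Optional[int]]

# Constructed sample of de-identified observations: pseudonymous device id,
# coarse tower area, hour bucket and age band. 13 records, no real data.
SAMPLE_RECORDS: List[Record] = [
    {"device": f"d{i:02d}", "area": area, "hour": "08", "age": age}
    for i, (area, age) in enumerate(
        [("cell-A", "30-39")] * 3 + [("cell-A", "40-49")] * 3 + [("cell-A", "50-59")]
        + [("cell-B", "30-39")] * 3 + [("cell-B", "60-69")] * 2 + [("cell-B", "70-79")],
        start=1,
    )
]

SUPPRESS_BELOW = 3  # assumed threshold; a releasing agency sets its own


def aggregate(records: Sequence[Record], keys: Sequence[str]) -> Dict[Group, int]:
    """Count distinct devices per combination of the chosen attributes."""
    groups: Dict[Group, set] = defaultdict(set)
    for rec in records:
        groups[tuple(rec[k] for k in keys)].add(rec["device"])
    return {g: len(devs) for g, devs in groups.items()}


def small_counts(table: Dict[Group, int], threshold: int = SUPPRESS_BELOW) -> Dict[Group, int]:
    """Cells below the threshold: the 'small counts' that can single someone out."""
    return {g: n for g, n in table.items() if n < threshold}


def suppress(table: Dict[Group, int], threshold: int = SUPPRESS_BELOW) -> Table:
    """Primary suppression: replace small counts with None before release."""
    return {g: (n if n >= threshold else None) for g, n in table.items()}


def generalize(records: Sequence[Record], field: str, mapping: Dict[str, str]) -> List[Record]:
    """Coarsen one attribute (e.g. merge rare age bands) so rare values pool together."""
    return [{**rec, field: mapping.get(rec[field], rec[field])} for rec in records]


def recoverable_by_subtraction(marginal: Dict[Group, int], detail: Table) -> Dict[Group, int]:
    """Complementary-disclosure check: if a released marginal total covers exactly
    one suppressed detail cell, that cell equals the total minus the published
    cells. Detail keys are assumed to extend the marginal keys in the same order."""
    if not marginal:
        return {}
    depth = len(next(iter(marginal)))
    recovered: Dict[Group, int] = {}
    for mgroup, total in marginal.items():
        cells = {g: n for g, n in detail.items() if g[:depth] == mgroup}
        hidden = [g for g, n in cells.items() if n is None]
        if len(hidden) == 1:
            recovered[hidden[0]] = total - sum(n for n in cells.values() if n is not None)
    return recovered


if __name__ == "__main__":
    by_area = aggregate(SAMPLE_RECORDS, ["area", "hour"])
    by_age = aggregate(SAMPLE_RECORDS, ["area", "hour", "age"])
    print("area totals (all publishable):", by_area)
    print("small counts in the cross-tab:", small_counts(by_age))
    released = suppress(by_age)
    print("still recoverable from the totals:", recoverable_by_subtraction(by_area, released))
    coarser = generalize(SAMPLE_RECORDS, "age", {"60-69": "60+", "70-79": "60+"})
    print("small counts after generalizing age:",
          small_counts(aggregate(coarser, ["area", "hour", "age"])))
```

The area-level table looks harmless (7 and 6 devices), but crossing it with age band yields three small cells. Suppressing them is not sufficient on its own: because cell-A has only one suppressed cell, anyone holding the area total can subtract the published cells and recover that a single device in cell-A belongs to the 50-59 band. Generalizing the age attribute pools the two rare bands in cell-B into a publishable count, while the lone cell-A record still needs suppression together with a second, complementary cell or a coarser area; that is the judgement a releasing agency has to make for each table.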

Prepared by: Technology Analysis Directorate


Mobility Data

Key Messages

  • “Mobility data” describes movements of populations and is typically drawn from cellular network data and/or global positioning system (GPS) data.
  • Mobile phone operators have access to vast amounts of data on their customers, including network information and real-time device data that can be leveraged for generating mobility data.
  • Mobility data can also be generated from location-based services embedded in various third-party apps (e.g., weather apps, gas station finder apps) on personal devices.
  • It is possible to share mobility data safely; however, as this data is considered highly sensitive, precautions need to be taken: privacy risks must be assessed and mitigated using methods such as de-identification and aggregation.

Background

  • Mobility data is typically derived from data collected and used by mobile network operators in the normal course of operations.
  • For example, mobile network operators keep Call Detail Records (CDR) for incoming or outgoing calls or text messages, which contain the approximate location of the caller and recipient at a particular time and can be used to generate mobility data. CDRs include only metadata, not the content of the calls or messages exchanged.
  • Privacy concerns raised over PHAC’s use of mobility data include the risk of surveillance, tracking and the lack of transparency over the repurposing of data collected by mobile network operators.
  • During ETHI committee meetings, the terms ‘mobile data’, ‘cellphone data’ and ‘mobility data’ have been used interchangeably. However, the issue here is aggregate mobility data that was derived from cellular network location data.

Prepared by: TAD


Status of Investigations

Key Messages

  • The OPC began an investigation regarding collection and use of mobility data by Public Health Agency of Canada and Health Canada based on complaints received.
  • The investigation will consider whether personal information, as defined under the Privacy Act, was collected, and if so, whether its collection and use were compliant with the Privacy Act.
  • Confidentiality of ongoing investigations prevents me from sharing more details.

Background

  • The OPC received 5 related complaints against Public Health Agency of Canada (PHAC) and one against Health Canada since December 2021. To date, no related complaints have been received against Telus.
  • The complaints relate to the reported collection and use by PHAC of mobility data relating to 33 million devices, and PHAC’s new Request for Proposal for a contractor to provide access to cellular tower/operator location data to assist in the response to the COVID-19 pandemic and for other public health applications.
  • Personal information under the Privacy Act means information about an identifiable individual that is recorded in any form. We note that in their consultation paper on Privacy Act modernization, Justice Canada proposes that de-identified information be defined, and made subject to the Act.

Prepared by: Compliance Sector

