It’s no secret carriers track and sell information on users’ movements to various buyers.
However, what isn’t as standard is a government body being one of the buyers. Over the holiday season, it emerged the Public Health Agency of Canada was buying such de-identified data to track COVID-19 patterns.
De-identified data contains no information on a person’s identity, and users of the data can’t trace information back to specific individuals.
The revelation led to outrage from some members of parliament and a recently passed motion to suspend the further collection of mobile location data until the Committee of Access to Information, Privacy and Ethics completes a study examining privacy concerns.
Minister of Health Jean-Yves Duclos, and Canada’s Chief Public Health Officer, Theresa Tam, have already appeared in front of the committee to answer questions.
The Privacy Commissioner’s comments
On February 7th, it was Daniel Therrien’s turn. The Privacy Commissioner of Canada told the committee there’s always a risk that de-identified data can be re-identified.
Therrien said his office had regular meetings with Canada’s Public Health Agency and was informed data would be used in this manner.
The Office of the Privacy Commissioner (OPC) offered to “review the technical means used to de-identify data and provide advice.” The offer was declined. Institutions are free to accept or reject such offers, he said.
The government has argued the Privacy Act does not apply to this case. Therrien agrees that if “the data was properly anonymized and aggregated,” the government would be legally correct.
But Therrien suggests the committee should further examine the matter. Just because de-identified information might fall outside of the law, it doesn’t make it “good legislative policy.”
“We think removing de-identified information from the reach of privacy laws would bring very significant risks and is not good policy.”
The OPC is also conducting a separate investigation on the matter.
Therrien went on to say his office has received complaints on alleged violations of privacy, which are currently under review.
The PHAC obtained some of the data through Telus’ Data for Good program. According to its website, it uses data to solve social issues “in ways that preserve privacy and build trust.”
Therrien said questions exist about whether the government or its private partners informed users their data would be used to form responses on public health.
“While there is a reference to the Data for Good program somewhere in Telus’ privacy policies and while the government does make an effort to inform citizens of its use of mobility data on its COVID Trends webpage, I do not think anyone would seriously argue that most users knew how their data was being used.”
The committee should address the matter in its study, Therrien suggests, given it raises questions on government transparency. He said Canada’s consent model is limited when protecting privacy.
“A more appropriate policy would be to authorize the use of personal information for legitimate commercial interests and the public good, within a rights-based law,” and enforced by the OPC.
You can read Therrien’s full speech here.