Ethics committee says government must tell Canadians it’s tracking their movements

Those are some of the recommendations made by the ethics committee, which started looking into the issue back in January after public outcry about the federal health agency’s secret collection of data from cell providers during the COVID-19 pandemic.

The Public Health Agency of Canada used data from cell towers to track 33 million mobile devices as a way to assess “population mobility patterns” during pandemic lockdowns, and issued a tender in December to continue tracking location data until May 31, 2023.

The committee said the government should notify people about these programs “in a manner that clearly outlines the nature and purpose of the data collection.”

It’s also calling for changes to privacy laws so that de-identified information and aggregate data are considered personal information, subject to privacy protections.

In a response late Wednesday, PHAC said it maintains the information it received “did not meet the definition of personal information” and that it is co-operating with the office of the privacy commissioner’s investigation.

“PHAC will take into account the recommendations from the standing committee on access to information, privacy and ethics’ review of its use of mobility data and its future use in the public health response,” the agency’s spokesperson said in an e-mail.

For his part, privacy commissioner Daniel Therrien said in a statement Wednesday that he welcomes the report, and that the government failed to reassure people that this data collection would respect their privacy.

He said the country’s privacy laws are in urgent need of modernization, and that “even socially beneficial uses of data are seen as suspect because Canadians have no confidence that our laws will protect them.”

The proposed changes go beyond just government. The committee says Canada needs to regulate the private sector’s activities when it comes to collecting, using, sharing, storing and destroying mobility data, and that companies need to obtain “meaningful consent” from customers.

Therrien said it’s unrealistic for people to have to give consent for all uses of their data, and there should be greater flexibility for organizations to use personal information without consent “for responsible innovation and socially beneficial purposes.”

“However, this should be done within a legal framework that recognizes privacy as a human right, and as an essential element for the exercise of other fundamental rights,” Therrien said, adding that the office of the privacy commissioner should have independent oversight of such data collection to ensure transparency and accountability.

“In this instance, while the government informed my office of its intention to use mobility data, it ultimately declined our offer to review how the data was de-identified and how privacy principles were implemented. The regulator should be able to insist on a pro-active audit, where required, to ensure public trust.”

The ethics committee’s recommendations include a number of public education and transparency measures, and ask the government to define what constitutes “legitimate commercial interest” and “public good” in the collection, storage, use, transfer and sale of private data. It also wants the commissioner to be empowered to investigate breaches and enforce the law.

The federal government did not immediately respond to questions about whether it accepts the recommendations and whether it plans to strengthen the powers of the privacy commissioner’s office.