Investigation into the collection and use of de

May 09, 2023

Description

Takeaways

Overview

Background

Analysis

Issue: PHAC did not collect personal information as defined under the Act

De-identification and residual risk of re-identification

The Privacy Act does not include specific provisions on de-identified or anonymized data

Does access to data at TELUS’ system constitute ‘collection’ under the Act?

Determining Adequate Protection Against Risk of Re-identification

Data stream 1: Mobile cell-tower/operator data

Data stream 2: Mobile geolocation data

Safeguards in both data streams that reduce the serious possibility the risk to identify individuals

Other

International benchmarking

Transparency

Conclusion

Footnotes

May 29, 2023

The investigation examined whether mobility data collected and used by PHAC in its response to the pandemic contains personal information as defined under Section 3 of the Privacy Act (the Act). Specifically, it examined whether PHAC and its data providers have implemented de-identification techniques and safeguards against re-identification that are deemed sufficient to reduce the risk of an individual being identified below the "serious possibility" threshold.

The Office of the Privacy Commissioner of Canada received 12 complaints under the Privacy Act (the "Act") against the Public Health Agency of Canada ("PHAC") and Health Canada ("HC") regarding the collection and use of Canadians’ mobility data, which is comprised of geolocation data collected over time and other associated information.

The complainants allege that PHAC secretly collected data on 33 million mobile devices during the COVID-19 pandemic, and that according to a request for proposal, published in December 2021, it planned to continue to collect Canadians’ mobility data over the ensuing five years.

PHAC reported that it has effectively relied on mobility data of just under 14 million Canadians to gain insightful information and meaningful analysis on the movement of populations in Canada, which has assisted in tracking the spread of the COVID-19 virus and for planning, assessing and adjusting the government's response to the pandemic.

PHAC claimed that it relied only on de-identified and aggregated data, that it never collected or used any personally identifiable information, and that the Privacy Act therefore does not apply.

Through our investigation, as a necessary analytical condition, we first examined whether mobility data collected and used by PHAC in its response to the pandemic contains personal information as defined under Section 3 of the Act. More specifically, we assessed whether there was a serious possibility, in the circumstances, that an individual could be identified using the mobility data, procured by PHAC, alone or in combination with other available information. Our investigation did not assess whether or not PHAC's data providers collected and used location data in compliance with privacy laws.

Following analyses of the representations received and review of information on this topic and the concept of identification, we have concluded that the combination of the de-identification measures and the safeguards against re-identification implemented by PHAC and its data providers has reduced the risk of identifying individuals below the "serious possibility" threshold. We therefore consider the complaints in this matter to be not well-founded.

Notwithstanding our investigation's conclusion that PHAC did not contravene the Privacy Act with regard to the collection and use of mobility data in the course of the COVID-19 pandemic, we have made a number of recommendations to PHAC in particular, with instructive relevance to all organizations that produce, use or procure de-identified information in the course of their activities. We are encouraged that PHAC has accepted our recommendations.

On January 31, 2022, the Standing Committee on Access to Information, Privacy and Ethics (ETHI) called upon the government to suspend the Request For Proposal (RFP) to procure cellular data until it reports its findings and recommendations to the House.

PHAC extended the closing date of the Request for Proposal (RFP), until February 18, 2022, at the request of a potential bidder due to the impact of the holiday season, and of the COVID-19 pandemic on their operating capacity. Given that there is no procedural mechanism to suspend an RFP, PHAC chose instead to let the RFP close and identified that it would not select a vendor until after the Standing Committee on Access to Information, Privacy and Ethics (ETHI) submitted its findings and recommendations.

See also the more recent case of Canada (Information Commissioner) v. Canada (Public Safety and Emergency Preparedness), 2019 FC 1279

Arvind Narayanan and Vitaly Shmatikov. 2008. Robust De-anonymization of Large Sparse Datasets.

AOL search log release

de Montjoye, YA., Hidalgo, C., Verleysen, M. et al. Unique in the Crowd: The privacy bounds of human mobility. Sci Rep 3, 1376 (2013).

Mobile Station Integrated Services Digital Network is the mobile phone number.

International Mobile Equipment Identity is a mobile phone's unique serial number.

International Mobile Subscriber Identity is a number that uniquely identifies every user of a cellular network.

K El Emam and B Malin, "Appendix B: Concepts and Methods for De-identifying Clinical Trial Data," in Sharing Clinical Trial Data: Maximizing Benefits, Minimizing Risk, Institute of Medicine of the National Academies, The National Academies Press, Washington, DC. 2015.

NISTR 5053, De-Identification of Personal Information, P.14.

Public Expert Report of Dr. Khaled El Emam, dated March 24, 2021 ("Expert Report"), Respondent's Public Record, Tab 3.

In the intervening time between the provision of the preliminary report to the respondent and the publication of the final report, the Federal Court released its decision in Cain v. Canada (Minister of Health), 2023 FC 55. The Court found the expert report to be persuasive (paras. 136-137), and endorsed the minimum threshold of 11 (para. 152).

Processed personal data by replacing identifiers with artificial ones in such a manner that personal data can no longer be attributed to a specific individual without the use of additional information.

"Support for BlueDot, a Toronto-based digital health firm, with a first-of-its-kind global early warning technology for infectious diseases. The company was one of the first in the world to identify the spread of COVID-19. The Government of Canada, through the Public Health Agency of Canada, will use its disease analytics platform to support modelling and monitoring of the spread of COVID-19, and to inform government decision-making as the situation evolves".
