Privacy: PHAC Snooping On Cell Phone Records

(1) https://www.ourcommons.ca/Committees/en/ETHI/StudyActivity?studyActivityId=11471238
(2) https://www.ourcommons.ca/DocumentViewer/en/44-1/ETHI/report-4/
(3) https://www.ourcommons.ca/Content/Committee/441/ETHI/Reports/RP11736929/ethirp04/ethirp04-e.pdf

Recommendation 1
That the Government of Canada stipulate in all future requests for proposals for collecting data of Canadians that Canadians have the option to opt out of the data collection and that instructions for the method for opting out be easily understood, widely communicated and remain publicly available.

Recommendation 2
That the Government of Canada fully and meaningfully consult with the Privacy Commissioner of Canada before engaging in a data collection program and continue to do so on an ongoing basis for the duration of the program.

Recommendation 3
That the Government of Canada include explicit transparency obligations in the Privacy Act.

Recommendation 4
That the Government of Canada immediately update the COVIDTrends webpage to indicate where the data originates from, what data provider(s) are providing the government with information, and details on where Canadians can opt out of the data collection and surveillance program.

Recommendation 5
That the Government of Canada undertake measures that will inform Canadians of mobility data collection programs on an ongoing basis and that it does so in a manner that clearly outlines the nature and purpose of the data collection.

Recommendation 6
That the Government of Canada ensure that use of the information collected through mobility data collection programs is limited to the requesting department or agency and any other department or agency specifically mentioned in the tender only if rationale is provided for the inclusion of multiple departments or agencies.

Recommendation 7
That the Government of Canada amend the Privacy Act and the Personal Information Protection and Electronic Documents Act to define what constitutes a ‘legitimate commercial interest’ and ‘public good’ in the collection, storage, use, transfer, and sale of private data, such as mobility data, and that the Office of the Privacy Commissioner of Canada be given the power to investigate breaches of the ethical guidelines defining those criteria.

Recommendation 8
That the Government of Canada amend federal privacy legislation to render these laws applicable to the collection, use, and disclosure of de-identified and aggregated data.

Recommendation 9
That the Government of Canada include in federal privacy legislation a standard for de-identification of data or the ability for the Privacy Commissioner to certify a code of practice in this regard.

Recommendation 10
That the Government of Canada include in federal privacy legislation a prohibition on re-identification of de-identified data and a corresponding penalty.

Recommendation 11
That the Privacy Commissioner of Canada be given the authority to proactively audit the practices of all third-party mobile data providers to ensure compliance with the Personal Information Protection and Electronic Documents Act when the data collected is used by any federal institution.

Recommendation 12
That the Government of Canada amend the Privacy Act and the Personal Information Protection and Electronic Documents Act to regulate the activities of private companies in the collection, use, sharing, storage, and destruction of Canadian mobility data and that the government ensure private companies have obtained meaningful consent from their customers for the collection of such data.

Recommendation 13
That the Government of Canada strengthen the powers of the Office of the Privacy Commissioner of Canada to oversee the privacy rights of Canadians, with the power to investigate and enforce a strengthened Privacy Act and Personal Information Protection and Electronic Documents Act, including order-making powers and the ability to impose penalties.

Recommendation 14
That the Government of Canada amend the Personal Information Protection and Electronic Documents Act to require service providers that collect data to display a message offering the user the option to opt-out of the data collection, to continue using the service without accepting the terms and conditions, or to decline all terms and conditions and cookies.

Recommendation 15
That the Government of Canada require companies that generate, manage, sell or use data to comply with a framework additional to self-regulation

Recommendation 16
That the Government of Canada be required to conduct its own audits of the source of the data as well as the meaningful consent, collection, transmission, and use of data.

Recommendation 17
That the Government of Canada include a public education and research mandate in the Privacy Act similar to the one found in the Personal Information Protection and Electronic Documents Act.

Recommendation 18
That the Government of Canada amend the Privacy Act to include necessity and proportionality criteria for the use, collection, and disclosure of personal information.

Recommendation 19
That the Government of Canada include the privacy by design standard in federal privacy legislation.

Recommendation 20
That the Government of Canada increase its investment in digital literacy initiatives, including initiatives aimed at informing Canadians of the risks associated with the collection and use of big data.

Recommendation 21
That the government of Canada increase its public awareness and education work surrounding mobility tracking and disease surveillance initiatives.

Recommendation 22
That the Government of Canada develop clear guidelines regarding the use of mobility data by federal institutions and that it consult with the Office of the Privacy Commissioner, stakeholders and community groups that may be disproportionately affected by such initiative in that process.

Just a thought: but the recommendations, and the overall report doesn’t appear to see this broad data grab as all that important.