Investigation into the collection and use of de-identified mobility data in the course of the COVID-19 pandemic
This investigation examined whether mobility data collected by the Public Health Agency of Canada (PHAC) during the COVID-19 pandemic contained personal information as defined under the Privacy Act. The investigation found that the de-identification techniques and safeguards against re-identification implemented by PHAC and its data providers reduced the risk of identifying individuals below the "serious possibility" threshold. Consequently, the complaints were deemed not well-founded, as PHAC did not contravene the Privacy Act.
- Whether the mobility data collected constituted personal information under the Privacy Act.
- The adequacy of de-identification and aggregation techniques to prevent re-identification.
- Whether access to data within a provider's system constitutes collection under the Act.
- The need for transparency regarding the use of de-identified data.
Complaints not well-founded.
The OPC concluded that the combination of de-identification measures and safeguards against re-identification implemented by PHAC and its data providers reduced the risk of identifying individuals below the threshold of a 'serious possibility'.
AI-generated summary for reference only. Always verify against the official decision ↗
The OPC made recommendations to PHAC regarding transparency and the assessment of re-identification risks, which PHAC accepted.
- Section 3 of the Privacy Act
This summary is informational only and not legal advice.