Hey Commish, Who is the Individual in Privacy Impact Assessments?

Almost a year ago, the Government of Canada released its privacy impact assessment of the COVID Alert App and the Commissioners responded with their assessment of the PIA. What was striking to me was that nowhere in the PIA or the Commissioners’ assessment of it was there any description of who the individuals were whose privacy was being analyzed. This wasn’t a unique problem in government PIAs. The “individual” in most PIAs is devoid of any characteristics – whether gender, income, language, ethnicity, education, etc. The “impact” is most commonly assessed without the slightest concern for socio-economic-cultural context, except when the population is obviously vulnerable.

So, I wrote a blog post about the missing individuals in PIAs. However, I didn’t publish it. I didn’t want to be misinterpreted as criticizing the COVID Alert App itself or the good people who worked on the App or the PIA.

Now that we are coming out of the latest wave and vaccinations are on a sharp uptick, maybe there is enough distance between those early days of summer a year ago that we can look at the COVID Alert App PIA to see how the federal government’s privacy impact assessment framed the context; how the Commissioners had no tools ready to guide a deeper analysis for themselves or government institutions; and why all that matters.

There isn’t anything particularly unique about the COVID Alert App PIA (except that it is a PIA about something that didn’t at the time collect any personal information – notwithstanding the Office of the Privacy Commissioner’s protestations to the contrary). However, the COVID Alert App serves to illustrate my point about institutional blindness to the composition of characteristics of the individuals and groups whose privacy impacts they are assessing.

What’s a PIA for?

In Ontario’s now rather elderly Planning for Success: Privacy Impact Assessment Guide, Ontario’s Information and Privacy Commissioner (IPC) states:

A PIA is a risk management tool used to identify the actual or potential effects that a proposed or existing information system, technology, program, process or other activity may have on an individual’s privacy. By completing a PIA, you will be able to guide your institution through a process that will identify the privacy impact and the means to address them.

Similarly, the Office of the Privacy Commissioner of Canada (OPC) states in its more recent Expectations: OPC’s guide to the Privacy Impact Assessment Process that “[a] PIA is a risk management process that helps institutions ensure they meet legislative requirements and identify the impacts their programs and activities will have on individuals’ privacy.”

If a PIA is to help identify “impacts” on “individuals’ privacy”, you might expect a PIA to spend considerable time identifying who those individuals are.

However, if you look at the Ontario IPC’s sample PIA worksheet included in the “Planning for Success” guide, you will find that there is not a single question about the individuals who will be affected.

The situation is slightly better at the federal level. The OPC directs institutions to consider “whether the affected population is a vulnerable population” when analyzing risk factors and places more emphasis on “context” generally. The template for federal government institutions in the Treasury Board Secretariat’s Directive on Privacy Impact Assessment asks whether the personal information may be “sensitive” in context but not much else about the characteristics of the individuals or groups who will be affected.

It seems that for the IPC and OPC, we are all pretty much the same for the purposes of privacy. Is that really an assumption that is safe to make about Canadian society at this point in 2021?

Commissioners, it is time for you to update your guidance.

The COVID Alert App PIA

The COVID Alert App launched on July 31, 2020, and was billed as an exposure notification app that would support public health measures by alerting an individual if they may have been exposed to an individual who tested positive for COVID-19. The federal government’s privacy impact assessment was published in the lead up to launching the app and Privacy Commissioners in Canada weighed in, including the OPC and the IPC.

The authors of the PIA conducted their analysis in two parts. The first part debated whether there was even any personal information being collected. This was meant to answer generalized apprehension regarding government monitoring of individuals. However, the misplaced emphasis was also the direct result of the OPC’s obsession with finding any scrap of data that could possibly be related to an individual to be personal information.

The second part of the PIA analyzed the COVID Alert App through the lens of the privacy principles that federal, provincial and territorial privacy commissioners and ombudspersons published pre-emptively on contact tracing and similar apps.

By this point in this post, you won’t be surprised when I tell you that none of those principles involved identifying the target population who would use the App, even though there was considerable emphasis on necessity, proportionality and transparency in these principles.

The COVID Alert App PIA has been updated since launch. To see the original, you can use the versioning feature on the website.

On the issue of necessity and proportionality, the PIA framed necessity this way in July 2020 (emphasis added):

Given our inability to prevent (vaccine) or treat the disease, the approach we have been taking for about three months includes asking Canadians to avoid all non-essential trips outside of their home and to close all but essential businesses.

This is a hard reality to sustain until either a vaccine/treatment is developed, or the disease dies out of the population because nobody leaves their house.

The public goal of the notification app was to “safely ease restrictions on freedom of movement and allow the economy to begin to re-open while protecting the lives, health and well-being of everyone in Canada in the face of the COVID-19 pandemic”. The effectiveness of achieving that need was “highly contingent on [the] level of adoption”.

Let’s pause here for a moment. Freedom of movement for who? Protect whose lives? Adopted by whom?

What we knew in July 2020

By July 2020, when the COVID Alert App PIA was being developed and the Privacy Commissioners were conducting their review, we knew a lot about who COVID-19 was affecting, about who the “nobody leaves their house” population were that the government was so worried about, and about who the workers in those “essential businesses” were.

So what did we know?

We knew that mobile phone service was markedly lower in low income groups

Leaving aside the well-known issue of the COVID Alert App working only with later model mobile phones, we knew back in July 2020 that mobile phone service was not equal across income groups. According to the CRTC, 73.1% of households in the lowest income quintile had mobile phone service in 2017 compared with over 96% in the top two income quintiles. Remember that is per household. It doesn’t tell us whether couples or everyone in multi-generational households had their own phone. These statistics also do not break out age. However, the CRTC noted that landlines were still very important to older Canadians. Mobile penetration in 2017 for Canadians 65 years of age or older was 70%. Of course, these statistics don’t account for urban/rural or regional variations. Nor do they account for differences by gender or racialized groups.

We knew that COVID-19 was disproportionately impacting lower income groups

Back in July 2020, the City of Toronto was publishing data showing that more than half of reported COVID-19 cases were living in households with incomes of less than $50,000, despite those households being approximately 30% of the population. This held true across all age ranges. That data has remained true throughout the pandemic in the City of Toronto. The City of Toronto reports that infection rates for lower income households are 1.9 times greater than non-lower income groups as of April 30, 2021.

We knew that COVID-19 was disproportionately affecting certain racialized groups

The City of Toronto was also reporting back in July 2020 that 71% of people who were hospitalized due to COVID-19 identified as coming from a racialized group. The more current data shows that trend holding, with 74% of reported COVID-19 cases belonging to a racialized group and 74% of hospitalizations (after age-standardization) being individuals identifying in a racialized group.

We knew that higher income earners were the ones more likely to work from home

We knew back in June 2020 that households with lower levels of earnings were the ones least likely to have jobs where they could work from home.

We knew that many essential workers were in industries with lower pay and without sick benefits

Although it didn’t become a political flashpoint in Ontario until six months later, we knew back in June 2020 that the lack of paid sick leave was leaving some Canadians vulnerable, with the Ontario NDP and healthcare workers calling for a solution.

We knew that racialized workers were overrepresented in certain essential businesses

We knew back in March 2020 that certain populations were overly represented in work that had been deemed essential. In June 2020, Stats Can said that “one of the issues immigrants and visible minority groups have been facing since the start of the pandemic is that many of them are essential workers, which puts them at higher risk of contracting COVID-19.”

We knew that we have a high population of individuals who lack functional literacy

Although the data is somewhat old, we knew back in July 2020 that we had disturbingly high numbers of individuals without functional literacy. Seventeen percent of Canadians functioned at a score of Level 1 or below in 2012 meaning only minimal facility in English or French.

We knew that we have a high population in some cities, like Toronto, with individuals whose English and French skills are limited

We also knew that we have a high population with limited English and French skills in some urban areas. According to a Social Planning Toronto analysis of 2016 census data, 4.9% of the population in Toronto were not able to converse in English or French. And, of that group, 59.9% were women and girls and 44.6% were 65 years and older. Of course, these are statistics for being able to converse in English or French. The ability to read English or French might vary.

What does the COVID Alert App PIA say?

So how does the COVID Alert App PIA describe the target population that would use this App and whose privacy might be affected?

Well, the PIA says nothing at all. To read the COVID Alert App PIA, you would think that all Canadians have exactly the same characteristics, would have the same opportunity to use the COVID Alert App and would experience the use of the COVID Alert App in exactly the same way.

But of course we knew that could not possibly be true. Based on what we knew in July 2020, the most urgent target population for the COVID Alert App would have one or more of the following characteristics: lower income, racialized, essential workers who may not be able to keep their phones with them at work, may not have their own mobile phone, may have challenges in English and/or French, and may not be able to miss work even if exposed. However, the population who was most likely to have access and use the App was going to be high income, non-racialized, work-from-home workers.

How would defining the target population affect the PIA and the Commissioners’ assessments? I’m just going to pick on two points.

Necessity and Proportionality

With no analysis of who the App was actually for, there was, of course, nothing but empty supposition on the likely effectiveness of the App. Here’s the best the OPC could do:

While the technology is untested, many have commented that low adoption rates abroad and other factors mean the effectiveness of the approach is uncertain. This may well be true, but we (like the World Health Organization and a number of data protection authorities around the world) believe that an exposure notification app such as the one proposed by the Government of Canada could, as part of a wider set of measures including manual contact tracing, play a useful role in reducing the spread of the virus. This is in part by alerting individuals of the possibility they may have been in proximity to a person diagnosed with COVID-19 and encouraging them to be tested.

Okay, sure, I guess. Total speculation. But is that really the best we can do? Yes, it is the best you can do when you don’t describe the target user of the technology and the problem you are trying to solve for that target user.

The IPC and OPC each recommended monitoring the effectiveness of the App. For example, the IPC recommended that Ontario “[c]ontinually monitor and assess the effectiveness of COVID Alert in light of evolving scientific evidence to ensure that its use continues to be necessary and proportionate in helping curtail the spread of COVID-19 in the province of Ontario and elsewhere.”

Hey, IPC, effectiveness for whom? Necessary and proportionate in the context of what alternatives for whom? Monitor and assess with what data exactly? The App went out of its way to collect very little – so little that the effectiveness could not be measured, and changes were later necessary to collect some analytics data.

Whether data collection was necessary and proportional in the context of solving a problem of “isolation” for the triple projected job class working from home is one thing. Data collection to address a pressing need for individuals who have one or more of the characteristics that put them in populations that were (and continue to be) disproportionately affected by COVID-19 and who must get to work is a project that is entirely different. The balancing exercise is very different.

Consent

The OPC stated that the language upon which consent will be sought consists of a Privacy Notice and notifications during the sign up process. The OPC commended the App for having information “written in clear and accessible language”. Hmmm. Accessible for whom? Would you come to the same conclusion, OPC, if the target audience’s first language was neither English nor French?

My point

My point is not that the COVID Alert App PIA is or was a waste of time and money or that the intentions of the drafters of the PIA or the Commissioners were anything but honourable.

My point is that somehow in the PIA process, we have failed to carve out a place where PIAs are required to describe the individuals and groups that are the very subject of the PIA. Or, at least supposed to be the subject of the PIA!

The result is that PIAs can be very shallow and this shallowness allows us to glide over important differential impacts on communities. We can do better.

Hey, Commish, update your guidance so that government institutions have to take into account actual population characteristics instead of the assumption-laden hypothetical ones they’ve been using.


