Study on Post-Market Surveillance of Pharmaceutical Products

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Appearance before the Standing Committee on Health (HESA)

April 10, 2008
Ottawa, Ontario

Opening Statement by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)

---

Introduction

Thank you for inviting me to speak with you today.

My Office is very pleased that you are looking at the privacy implications of post-market surveillance of pharmaceutical products. Although Canadians regard the state of their health and accessibility to improved health care treatments as top priorities, they also regard their personal health information as a highly sensitive form of personal information which needs to be protected with the strongest-possible safeguards. Privacy protection is clearly “part of the deal”.

I would like to begin by briefly discussing a few timely issues that may be of interest to your current study – 1) potential re-identifiability of data; 2) privacy implications of EHRs;; 3) data breach notification requirements and, 4) the concept of “work product” information.

First, I thought it would be worth spending a few moments on how my mandate maps onto the kinds of issues you are studying.

Background

My responsibilities include the administration and enforcement of two federal privacy laws.

The Personal Information Protection and Electronic Documents Act – PIPEDA– is Canada’s private-sector privacy law. PIPEDA protects personal information collected, used and disclosed in the course of commercial activity throughout Canada and across its borders. As relevant examples, PIPEDA will apply to the commercial activities of pharmaceutical and biotech companies, pharmacies, laboratories and private practitioner offices – except if such activities are carried out entirely within Quebec, British Columbia, Alberta and to some extent, Ontario’s health sector, where substantially similar laws exist.

Our public sector law, the Privacy Act, applies to federal government institutions, agencies and Crown corporations. For example, it covers personal information collected, used and disclosed in the course of providing health care services to First Nations and Inuit populations, eligible Veterans, members of Canadian Forces, RCMP, federal inmates and refugee protection claimants. It also applies to government health surveillance programs, such as, Health Canada’s Canadian Adverse Drug Reaction Information System, or CADRIS, and other government initiatives, such as the Federal Health Care Partnership’s plans to develop electronic health records.

1) Re-identification of Data

From a privacy point of view, one of the key issues we grapple with is the concept of re-identifiability – particularly in an era of increased “digitalisation” of health data and surveillance programs, proliferation of publicly available information through the internet, and sophisticated technological capacity to link up information across different databases. “Personal information” is critically defined in both our laws as “information about an identifiable individual”. What exactly is identifiable, or potentially identifiable, is, we believe, a relevant issue for your present study.

Re-identification was at the heart of a recent decision by the Federal Court in the matter of Gordon and Health Canada and the Privacy Commissioner of Canada.^{Footnote 1}

The case involved a CBC news producer (Gordon) who requested access to the CADRIS database. Health Canada agreed to release 82 of the 100 used data-fields, but refused to release the province field on the grounds that the province, when combined with other publicly available data, could possibly (re)identify individuals. Gordon applied to the Federal Court for a review of that decision.

At issue before the Court was whether the province, when combined with other publicly available data-fields, could potentially re-identify individuals affected – thereby constituting “personal information” which government institutions are, as a rule, prohibited from releasing to requesters.

Justice Gibson rendered his decision on February 27. In it, four (4) points are particularly noteworthy for this Committee. First, the judge started from the fundamental premise set out by our Supreme Court of Canada – and that is, in a situation involving personal information about an individual, the right to privacy is paramount over the right of access to information.

Second, the judge adopted the legal test proposed by our Office: “Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.” A “serious possibility” is a legal term of art which means something more than a frivolous chance, but less than a balance of probabilities.

Third, based on the evidence before him, Justice Gibson concluded that disclosure of the province would substantially increase the possibility that an individual could be identified based on the totality of data-fields already disclosed from the CADRIS database, combined with other publicly available information, such as obituary notices. This is particularly the case for unique or quasi-unique individual reports, in smaller provinces or territories. Therefore, in the circumstances, the province field does constitute personal information and was properly exempt from access.

Finally, the judge emphasized the importance of ministerial discretion in deciding whether or not to exceptionally release this personal information in the public interest. In this case, the Minister had properly considered the facts before him and decided that, here, the public interest in disclosure did not clearly outweigh the violation of privacy that could result from the disclosure.

2) Electronic Health Records

Major initiatives underway to develop electronic health records promise great things for Canada’s health care system: improved quality, efficiency and productivity of health care services, enhanced patient safety, more evidence-based decision making, facilitated knowledge transfer and greater accessibility to services and treatments. As health info-structures proliferate across the country, the traditional lines between health care, surveillance, quality assurance and research will become increasingly blurred. This is not necessarily a bad thing. However, the notion of purpose, which is such a critical concept in data protection laws, and the one individuals actively turn their minds to when they provide informed consent in any meaningful way, is increasingly being challenged.

As the concept of purpose becomes stretched, other purposes can begin to creep in. Beyond health-related purposes, are other more worrisome purposes to which personal health information may eventually be put, particularly as external pressures for such information continue to rise. Marketing, employment, insurance, law enforcement and national security are just some such purposes that loom on the horizon. These are clearly not “part of the deal” that Canadians think they are getting themselves into.

Another critical concept that is increasingly being challenged in the context of EHRs and electronic clinical trials is the central concept of accountability – particularly as more and more entities join up through interoperable systems, as public-private partnerships develop to leverage resources and achieve commercialization objectives, and as data flows across provincial and national borders in a global economy.

In order to help work through some of these challenges, our Office is participating in the recently created Canada Health Infoway Privacy Forum which brings together representatives of the health ministries and privacy oversight offices across Canada. We are pleased to be part of this critical discussion to begin to address issues of informed consent, secondary purposes and accountability as they relate to the implementation of interoperable, pan-Canadian, EHR systems.

3) Data Breach Notification Requirements

With the growing digitalisation of health data also comes increased scope and impact of potential breaches. A number of recent cases have brought this to light:

• A researcher at SickKids hospital in Toronto lost a laptop containing the sensitive health information of almost 3,000 research participants.
• In Newfoundland, a consultant working for the Provincial Public Health Laboratory brought home a laptop and inadvertently exposed confidential patient information through an open Internet connection.
• And, just a few weeks ago, we learned that a laptop containing the medical information of 2,500 patients enrolled in a US National Institutes of Health study had been stolen. This information – names, medical diagnoses and heart scan results – was not encrypted.

Industry Canada is currently looking at how to incorporate mandatory breach notification requirements into PIPEDA. This is a welcome development which we hope will serve as an incentive for organizations to put proper security safeguards in place and to be open and transparent when something goes wrong. In the meantime, our Office has issued guidelines to support organizations through critical actions steps, including assessing the risk and extent of potential harm, and deciding when, how, who and whether to notify individuals. When dealing with highly sensitive personal health information, special considerations should be taken into account, such as psychological risk of harm.

4) Work Product

Another relevant privacy issue for your consideration is the distinction between personal information and work product information. In an early finding, the former Privacy Commissioner found that physicians’ prescriptions constitute their work product information and not their personal information. As a result, third party organizations could collect this prescription information through pharmacies, analyze prescription patterns and disclose these to other third parties without physicians’ consent.

Since this finding, however, my approach has evolved to a broader, contextual one. For example, in other contexts, the sales records of telemarketers and real estate agents were found to constitute their personal information, subject to reasonable protection under PIPEDA.

Just because information is produced in the workplace does not mean it is not personal information deserving of protection. Other contextual factors, such as, how it was produced, for what purposes, how it will be used, industry practices, etc. must also inform the analysis.

In recent debates about the five-year legislative review of PIPEDA, some stakeholders have recommended a categorical work product exemption from the definition of personal information. The Commissioner has argued against such blunt distinctions, and is of the view instead that a flexible, contextual approach is the preferred and more appropriate way of achieving the ends sought by the legislation. It prevents overly broad collection of information about the specific activities of employees and professionals from proceeding unchallenged, under the guise of a work product exemption, as a round-about way of continually increasing surveillance over their every move, contrary to basic principles of human dignity.

In a recent decision^{Footnote 2}, the Federal Court of Appeal refused to read into PIPEDA a work product exemption that does not exist. In that case, it was found that physicians’ notes taken during an independent medical examination could contain both the personal information of the individual being examined as well as the physician him or herself, and were therefore protected by PIPEDA’s legislative scheme.

In sum, surveillance of treatments prescribed and/or administered by health practitioners will surely be of interest in any move towards a progressive licensing scheme in Canada. Recognizing that such information may constitute personal information of health professionals and their patients, does not mean it should never be collected or used to ensure enhanced patient safety and allow for greater access to essential prescription drugs. Rather, what it means is that relevant privacy laws should apply to ensure some measure of scrutiny over the purposes to which this information will be put, and to require accountability, openness and transparency of those entities which make use of such information.

Conclusion

I’ve covered a wide variety of topics in a short period of time. I would be pleased to elaborate on any of those points or to answer other questions you may have.