Pharmacy's privacy policy and practices considered exemplary

PIPEDA Case Summary #2005-302

(Principles 4.3 and 4.3.3 of Schedule 1)

Complaint

The Office received complaints that a particular pharmacy was requiring its customers, as a condition of service, to consent to overly broad collection, use and disclosure practices.

Summary of Investigation

In response to the full implementation of the Personal Information Protection and Electronic Documents Act (the Act) on January 1, 2004, the pharmacy developed a privacy policy and privacy-related materials. The company decided to seek the written consent of its customers, and provided a consent form, which contained some information on the company's collection, use and disclosure practices.

The consent form was to be accompanied by a brochure setting out detailed information regarding the company's purposes for collecting and using personal information. The brochure stated, for example, that the pharmacy collects and uses personal information:

  • To dispense prescription and other medication to you in a way that meets professional, legal and regulatory requirements
  • To ensure accuracy of medication, dosage and instructions
  • To prevent medication errors, including dosing errors
  • To alert you if a drug you have been dispensed has been recalled or withdrawn

The brochure provided details about the types of information held by the pharmacy, the security of the pharmacy's records, the legal obligations of pharmacists, the persons to whom information might be disclosed and the circumstances under which such disclosure might occur, and the procedures whereby a patient can access his or her personal information or request corrections.

In response to complaints from some of its customers who did not want to sign a form or read the brochure, the company implemented the following three changes:

  1. It revised and simplified the language of the consent form.
  2. It offered pharmacy patients who were uncomfortable with reading the brochure the option of having a pharmacy employee explain the privacy practices. To this end, the company developed a comprehensive training program for its staff, including a standard script that the employee can read to the pharmacy patient. The script explains the purposes for the collection, use and disclosure of information, and in very straightforward language, outlines with whom the pharmacy shares information, how information is stored, and how the customer can obtain additional information.
  3. It offered pharmacy patients the option of providing verbal consent. In such circumstances, the pharmacy employee reads a standard script, asks if the pharmacy has the patient's consent for its practices, and records the person's consent on file.

The company's privacy policy uses straightforward language. The policy describes why certain types of information are needed, how they are used, how personal information is protected, and the circumstances under which it is disclosed. The policy also indicates that it has never and will not share, sell or in any other way provide customer personal information to third parties not associated with the provision of its services. This policy is readily available to patients in pharmacy locations.

The Office also reviewed the pharmacy's operational standards. These set out the obligations of staff regarding the implementation of its privacy policy. The standards require pharmacists and pharmacy employees, for example, to use private and semi-private areas in which to communicate with patients, to use appropriate tone and volume of voice, to restrict access to patient information, and to use security mechanisms to protect personal information.

Findings

Issued May 31, 2005

Application: Principle 4.3, which states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate; and Principle 4.3.3, which stipulates that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

  • Based on her examination of the pharmacy's privacy policy, training materials, operational standards, and privacy brochure, the Assistant Commissioner was satisfied that these were comprehensive and fully addressed the company's obligations under Schedule 1 of the Act.
  • The resource material shared with customers in writing or verbally was easy to understand, straightforward, and client focused, and in her opinion, constituted a more than reasonable effort on the part of the company to meet the expectations of most individuals. Such information, she opined, met the knowledge requirement under the Act, as stipulated in Principle 4.3.
  • While noting that the complainants objected to the company's requirement that they know about and consent to, either verbally or in writing, the company's privacy practices, the Assistant Commissioner indicated that such a requirement was consistent with the company's obligations under the Act. She was satisfied that the complainants were not being asked to consent to overly broad practices, but rather were being asked to consent to practices that were being detailed for their benefit and in accordance with the Act. She therefore found that the company did not contravene Principle 4.3.3.

The Assistant Commissioner concluded that the complaints were not well-founded.

Further Considerations

The Assistant Commissioner commended the pharmacy on the high quality of its privacy documents and practices, and the effort it has made to provide customers with adequate information to form the basis for meaningful consent. She noted that the Office considered this approach to be exemplary and a model for best practice.
