Health practitioner ratings site ceases charging for rating takedowns, a PIPEDA “no-go-zone”

PIPEDA Findings #2020-002

June 30, 2020


Complaint under the Personal Information Protection and Electronic Documents Act (PIPEDA or the Act)

Description

The operator of RateMDs.com (“RateMDs”), a website which allows users to rate and review health professionals, was alleged by a complainant to have placed personal information on its site for lucrative purposes without her consent, contravening Principle 4.3 of Schedule 1 of PIPEDA.

Takeaways

  • Ratings and reviews can represent the personal information of both the individual who posted the information as well as the subject of the post.
  • When considering how the principle of consent applies to such ratings and reviews, consideration must be given to the interests of the individuals concerned, as well as the public interest.
  • Organizations that use the personal information of individuals must make clear that individuals may request a correction or amendment to information about themselves, where they believe that information to be inaccurate, incomplete or out-of-date.
  • Organizations must ensure that their subscriber models do not contain inappropriate practices such as ‘pay-for-takedown’ services or other features that a reasonable person would not consider appropriate.

Overview

This Report of Findings concerns a complaint made by a dentist practicing in British Columbia against the operator of the website RateMDs.com (“RateMDs”). The Complainant claimed that RateMDs is using her personal information without her consent, by featuring her name and allowing anonymous users to post reviews and ratings concerning her work as a dentist. RateMDs refused to remove the Complainant’s information from its website, citing the interest that patients have in reviewing health professionals and looking at reviews already posted.

The personal information of the Complainant found on RateMDs’ website falls into two categories: her business contact information (name and certain contact details for her practice), and the reviews and ratings RateMDs’ users have posted about her.

With respect to the Complainant’s business contact information, it is not exempt from the Act since it is not being used solely for the purpose of facilitating communication with the Complainant in relation to her profession. However, we are satisfied that the information is publicly available within the meaning of the regulations under the Act and therefore, could be collected, used and disclosed by RateMDs without consent.

With respect to the reviews and ratings of the Complainant, they represent the personal information of both the Complainant and the individuals who posted them. This is a feature of many rating sites offered on the Internet for goods and services. Although we make a number of findings below, these are imperfect, as PIPEDA is ill-suited to regulate these types of services, which place privacy rights and other interests of different individuals in opposition to one another. We note that our findings would not apply in the same way to sites that rate the services of companies, to the extent that these sites do not involve personal information.

Regarding consent, because the reviews and ratings of the Complainant represent the personal information of both the Complainant and the individuals who posted them, PIPEDA would seem to require the consent of both parties to authorize RateMDs to publish these reviews and ratings. However, where the interests of individuals conflict, this will rarely be possible.

Federal Court jurisprudence holds that in these circumstances, PIPEDA requires a balancing of interests, which involves the consideration of the interests of both individuals as well as the public interest. In this case, giving effect to the Complainant’s lack of consent would mean that the interests of patients who are consenting to the publication of their opinion of the Complainant would not be respected. We also find there is a public interest in the publication of reviews that serve the public by informing their decisions about whether or not to engage the services of certain health professionals.

However, the Complainant also has a reasonable expectation of privacy in the circumstances, including an interest in protecting her reputation and capacity to earn a livelihood. Were the reviews about her to contain inaccurate or incomplete information about her, they would violate the protection of these interests. In our view, this means that the operators of RateMDs should provide to the Complainant and other health professionals on its site a fair and accessible process to challenge the accuracy and completeness of the information published about them.

A specific difficulty in this context arises from the fact the reviews posted by patients are anonymous. This can make it difficult, sometimes impossible, to challenge the accuracy of the information. In Canada (Information Commissioner) v. Canada (Minister of Citizenship and Immigration), the Federal Court of Appeal held that the interest of the person expressing views about another to hide their identity was minimal, while both the private interest of the person who was the subject of the views and the public interest in fairness were significant.

We agree that this can also be the case in the context of reviews on RateMDs, but note that s. 9(1) of PIPEDA provides that “an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party.” Although fairness and the protection of a health professional’s reputation could require that the identity of patients posting negative views be disclosed to them, PIPEDA would generally prohibit this disclosure. As such, we note that application of the law as enacted can result in an unfair process.

Ultimately, we note RateMDs’ representations that it has a process in place for reviewing and removing inaccurate information. However, given that accuracy was not raised as a concern in this matter, and in the absence of evidence from the Complainant regarding the accuracy of the information posted about her, we do not opine further on the fairness of the process.

In any event, RateMDs did not adequately explain the process by which health professionals could challenge the accuracy or completeness of information about them on its site, which contravenes the Openness Principle. RateMDs agreed to, and did change, its Terms of Use and FAQs to resolve this issue to our satisfaction.

Our Office also had serious concerns with RateMDs’ practice of charging a subscription fee, in part, to be able to hide certain reviews. This was clearly inappropriate in that RateMDs was charging for the removal of personal information that it was responsible for having made public in the first place. This “pay for takedown” practice represented a “no go zone” identified in the OPC’s guidance on inappropriate practices, and thus contravened s. 5(3) of the Act. RateMDs agreed to cease offering this feature.

We therefore found this complaint to be not well founded with respect to consent under PIPEDA’s current and, in our view, inadequate provisions, but well-founded and resolved with respect to openness and well-founded and conditionally resolved for appropriate purposes.

Our Office remains concerned with challenges related to the potential for posting of inaccurate information on RateMDs’ website, and we strongly encourage RateMDs to explore and implement alternative mechanisms to ensure that the information on health professionals’ web pages is accurate.

Complaint

  1. The Complainant, a dentist practising in British Columbia (“BC”), claims that RateMDs Inc. (“RateMDs”) placed her personal information on its website for lucrative purposes without her consent, contravening Principle 4.3 of Schedule 1 of PIPEDA.
  2. During the course of the investigation, we also considered whether RateMDs was complying with its obligations with respect to:
    1. collecting, using and disclosing personal information for a purpose that a reasonable person would consider appropriate in the circumstances; and
    2. communicating how a health professional may correct their personal information in order for it to be accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Background

Complaint Details

  1. The Complainant found that a profile of her had been created on the website www.ratemds.com (the “website”). RateMDs is based in the United States and operates the website, which publishes reviews and ratings of health professionals, including in Canada, posted by the website’s users.
  2. The RateMDs page for the Complainant lists her name, her area of practice, the name and address of her clinic, and several anonymous reviews and ratings, both positive and negative, regarding her practice.
  3. The reviews of the Complainant on the RateMDs site contain not only commentary about the Complainant’s business (e.g. the state of her office) and her staff, but also views about her character and patients’ experiences with her.
  4. The Complainant contacted RateMDs through its support email address and asked that her name be removed from the website, explaining that she had not given consent “to the use of her name for the purpose” of it being published on its website. RateMDs responded by saying that her account would remain on the website as patients “have [an] interest in reviewing doctors and looking at reviews already posted for that doctor.”
  5. The Complainant then filed a complaint with our Office. She alleged that RateMDs had not obtained her consent before using her name on its website. Furthermore, she claimed that RateMDs was using her personal information for “lucrative purposes.” She asked that RateMDs “permanently” remove her name from its website.

RateMDs.com

  1. RateMDs described the primary purpose of its website as “among other things, a health professional ratings website intended for patients to rate and review their treating health professionals so that other patients can make more informed decisions concerning their health care. … It is a forum […] to facilitate individuals’ decisions about their health provider options.”
  2. RateMDs stated that its website allows users to create profiles for health professionals. Users may create a profile by filling out four required fields: the health professional’s name, their gender, their specialty and their primary practice. They may also include contact information such as the health professional’s address or business phone number.
  3. According to RateMDs, the above information is generally already publicly available through health professionals’ governing bodies. In the Complainant’s case, the College of Dental Surgeons of British Columbia (CDSBC) is responsible for regulating the practice of dentistry in BC and publicly provides a dentist’s name and business contact information, including the Complainant’s, through an online registry in order for patients to contact dentists as well as confirm their work history and status. [Footnote 1]
  4. We also noted other sources which published the Complainant’s name and/or her business contact information as a dentist, including the website for her dentistry practice, the yellow pages, [Footnote 2] and online directories for dentists. [Footnote 3]
  5. RateMDs stated that a health professional can claim their public profile for free at any time. After the health professional has been verified by the organization, he or she can add additional information to their profile such as whether they are accepting new patients, biography, languages spoken, etc.
  6. Once a profile has been created, patients may publish their own personal experiences on the health professional’s profile. RateMDs allows users to post reviews about their experiences with health professionals and to rate them, on a scale of 1-5, on various criteria such as staff, punctuality, helpfulness, and knowledge. According to RateMDs, reviews and ratings are meant to assist individuals to look for a health professional in their area.
  7. Reviews and ratings are made anonymously on RateMDs’ website. While RateMDs does not collect the name or contact information of users who post reviews, it does record the IP address and user agent [Footnote 4] of the device from which a review was posted for all reviews made on the website. According to RateMDs, this information is stored in order to enforce certain Terms of Use (e.g., prevention of astroturfing [Footnote 5]). It is also being retained to enable RateMDs to provide information pursuant to subpoenas if required.
  8. RateMDs emphasized that its website is not intended to be used by patients to publish information unrelated to a health professional’s work. The organization further stated that if such personal information is brought to its attention, RateMDs will promptly remove it (e.g., if a doctor’s home telephone number has been included in a post).

Amending/Removing Information from RateMDs.com

  1. RateMDs indicated that business contact information may be removed or amended if proof is provided that a health professional is deceased or the information is incorrect. In the case of incorrect information, a health professional may claim their profile in order to correct any inaccuracies found within their business contact information. Health professionals who have claimed their profile can also add a response to any review.
  2. RateMDs provides three avenues for an individual to remove information from its website: 1) by emailing RateMDs’ support team; 2) by flagging a review for RateMDs via a flag icon found next to the review in question; and 3) by contacting an account executive, who arranges for RateMDs’ support team to review the post. The third option, which may result in a quicker review, is only available to users who purchase the website’s paid subscription services.
  3. RateMDs explained how a health professional can “flag” a review, by clicking the “flag” icon next to a rating. This causes a box to appear, which asks the user to explain why the review should be removed. Once a review is flagged, RateMDs’ staff examine the issue and take down any reviews that are deemed “inappropriate”. This would include accusations of unlawful activity, profanities or vulgarity, privacy violations, spam, or details that are not relevant or related to a patient’s visit.
  4. RateMDs stated that it attempts to process all flags within three business days and email complaints within five business days. RateMDs notes that many requests are processed on the same day. While removing a review is relatively simple, deciding whether a flagged review is worthy of removal may require longer to assess, particularly if legal advice is needed.
  5. RateMDs further represented that the moderation process for reviews is necessarily “case-specific.” RateMDs will investigate obvious inconsistencies between a health professional’s profile and a review after receiving relevant supporting information or evidence by a user flagging a review. One example of a scenario where it would amend or take down a review is if it references a female health professional on a male professional’s profile page. In such a situation, the moderation team may consult publicly available records for regulatory/governing bodies to determine if the flagged review contains incorrect information.
  6. RateMDs maintained that it will not remove a rating or a review solely on the basis of a claim from the health professional (or other user) that – in that individual’s opinion – a particular rating or review is unfair.
  7. Moreover, while RateMDs will remove the personal information of a health professional that is not business contact information or is not relevant to the purposes of the site, RateMDs claimed that user reviews are an exercise of a patient’s choice to share personal experiences and opinions on the website to assist other prospective patients. RateMDs indicated that removing an individual’s reviews would contravene their right to freedom of speech as well as violate their own autonomy with respect to their personal information.

Revenue Generation – Ratings Manager Service

  1. RateMDs explained that it generates revenue through display advertisements on its website and paid member subscriptions for health professionals.
  2. With respect to the latter, when a health professional signs up to the website to claim their profile for free, they are offered the option of purchasing a paid subscription. There are various subscription plans, which provide access to certain features on the website. Figure 1 below depicts RateMDs subscription plans at the time our investigation commenced. Examples of these features include receiving new ratings notifications via email, as well as the ability to place banner advertising for the subscriber on the website and remove a competitor’s banner from a subscriber’s profile page.
Figure 1: RateMDs Subscription Service Plan at the beginning of our investigation

Most Popular

Free – $0 Monthly
  • Verified check mark
  • Badges
  • Profile Control
  • Rating Response
    • Engage your patients by responding to reviews

Stand out as a verified doctor

Promoted – Limited Time Offer - $119 Monthly
  • Verified check mark
  • Badges
  • Profile Control
  • Ratings Response
    • Engage your patients by responding to reviews
  • Image Gallery
    • Showcase your clinic and work with up to 10 images
  • Rating Monitor
    • Receive new rating notifications via email
  • Ratings Manager
    • Hide up to 3 ratings deemed to be suspicious
    • Feature a rating
  • Appointment Manager
    • Receive and manage appointment requests from new patients
  • Banner Removal
    • Remove competitor’s banners from your profile
  • Banner and Ads
    • Your banner on competitor’s profile pages
    • Primary city
    • Primary specialty
    • 1 additional city

Be seen by thousands more patients

Promoted Plus – Limited Time Offer - $239 Monthly
  • Verified check mark
  • Badges
  • Profile Control
  • Ratings Response
    • Engage your patients by responding to reviews
  • Image Gallery
    • Showcase your clinic and work with up to 10 images
  • Rating Monitor
    • Receive new rating notifications via email
  • Ratings Manager
    • Hide up to 3 ratings deemed to be suspicious
    • Feature a rating
  • Appointment Manager
    • Receive and manage appointment requests from new patients
  • Banner Removal
    • Remove competitor’s banners from your profile
  • Banner and Ads
    • Your banner on competitor’s profile pages
    • Primary city
    • Primary specialty
    • 2 additional cities
    • 1 additional specialty
    • Purchase additional cities and specialties

Three times the placements of the promotional plan


  1. One of the features included in paid subscription packages was the Ratings Manager service (as indicated by the arrow we added in Figure 1, above). With this service, a subscriber was allowed to select one review to feature at the top of their profile. Additionally, a subscriber was allowed to hide up to three reviews and ratings deemed to be suspicious on their profile page. While the reviews themselves were hidden, the numerical ratings that accompanied the reviews were kept within the aggregated rating on the profile page.
  2. RateMDs represented it charged for such removals since it is a for-profit entity that generates revenue in part through paid member subscriptions. It further represented that since the numerical ratings assigned by all reviewers continue to be accounted for in the calculation of the health professional’s overall rating, hiding up to three reviews:

    “strikes a balance between RateMDs’ objective of enabling patients to make more informed decisions concerning their health care, while also offering healthcare professionals a means to deal with reviews that they do not consider to accurately disclose a real patient’s actual experience.”

  3. RateMDs represented that, when a health professional ceased to subscribe to the Ratings Manager service, the posts that were previously hidden reappeared on the health professional’s page. RateMDs justified this practice by stating that subscription fees reflect, in part, the costs of managing those subscriptions, including the cost associated with hiding certain posts from a user profile (e.g. employee time, technological resources). Thus, when a health professional unsubscribed from the Ratings Manager service, he or she would no longer receive the benefits associated with that subscription.
  4. RateMDs asserted that this Ratings Manager feature did not equate to removing a health professional’s personal information in exchange for payment.

ISSUE 1: Consent regarding Personal Information

  1. In this complaint, it is necessary to consider two kinds of information found on the Complainant’s profile on RateMDs’ website: her business contact information and the reviews and ratings of RateMDs’ users about their experiences with her work as a dentist.

Business Contact Information - Consent

  1. The Complainant’s business contact information, including her name and her area of speciality, is clearly her personal information within the meaning of the Act. [Footnote 6] Although this information is initially posted by users of RateMDs’ website, we are satisfied that RateMDs collects, uses and discloses it within the meaning of the Act by hosting and publishing the information on its website for its own purposes. We note in this regard that RateMDs exercises control over a health professional’s profile on the website and will amend or remove information contained therein in certain circumstances, as detailed above.
  2. Principle 4.3 of Schedule 1 of the Act provides that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information.
  3. RateMDs claimed, however, that its use of the Complainant’s business contact information is exempt from the application of PIPEDA, per section 4.01.
  4. RateMDs asserted that, in the alternative, it did not require consent to collect, use and disclose the information pursuant to paragraphs 7(1)(d), 7(2)(c.1) and 7(3)(h.1) of the Act. [Footnote 7] It claimed in this respect that the business contact information included on its website is publicly available since it is already made available through a health professional’s governing body.

Business Contact Information Exemption

  1. Section 4.01 of PIPEDA provides that Part 1 of the Act does not apply to “business contact information” that an organization collects, uses or discloses “solely for the purposes of communicating or facilitating the communication with the individual in relation to their employment, business or profession.” [Emphasis added]
  2. Subsection 2(1) of the Act defines “business contact information” as information that is used for the purposes of communicating or facilitating communication with an individual in relation to their employment, business or profession such as the individual’s name, position or title, work address, work telephone number, work fax number or work electronic address.
  3. The business contact information featured on the Complainant’s profile page (e.g. her name, business telephone number, business address) fits within this definition.
  4. However, it cannot be said that RateMDs is collecting, using and disclosing this information “solely for” the purpose of facilitating communication with the Complainant in relation to her profession. RateMDs uses the business contact information to create a profile of a health professional that allows users to post reviews and ratings of the professional. The stated purpose of these profiles is to allow potential patients to make “informed decisions” about which health professionals to select, not to merely facilitate communication with them. In fact, a potential outcome of consulting a RateMDs’ profile is that an individual chooses not to contact a health professional based on the ratings and reviews contained therein.
  5. RateMDs’ collection, use and disclosure of the Complainant’s business contact information is therefore not exempt from PIPEDA pursuant to section 4.01 in the circumstances.

Publicly Available Information

  1. Nevertheless, we are of the view that the Complainant’s business contact information found on RateMDs’ website is publicly available within the meaning of the Regulations Specifying Publicly Available Information (“Regulations”) and therefore RateMDs does not require the Complainant’s consent to collect, use and disclose it pursuant to paragraphs 7(1)(d), 7(2)(c.1) and 7(3)(h.1) of PIPEDA.
  2. Those provisions provide that an organization may collect, use and disclose personal information without the knowledge or consent of an individual if the information is publicly available and is specified by the Regulations.
  3. Subsection 1(a) of the Regulations specifies that publicly available personal information consists of the name, address and telephone number that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory.
  4. Subsections 1(b) and 1(c) of the Regulations specify as publicly available personal information appearing in a professional or business directory, listing or notice that is available to the public, or in a registry collected under a statutory authority to which there is a right of public access. The collection, use or disclosure must relate directly to the purpose for which the information appears in the directory, listing, notice or registry.
  5. In the Complainant’s case, her name, area of specialty, and business contact information, as included in her RateMDs profile, are publicly available via multiple sources, including: (i) the CDSBC registry, which the CDSBC is required by law to maintain and to which there is a right of public access [Footnote 8]; (ii) the yellow pages; and (iii) online professional or business directories. We note further that the purpose for this information being made available on RateMDs’ website is, at least in part, so that individuals can find and contact her if they so choose.
  6. We are therefore satisfied that the Complainant’s business contact information, including her name in connection with her profession, is publicly available within the meaning of s. 1(a), (b) and (c) of the Regulations. RateMDs’ collection, use and disclosure of this information found in professional directories and the CDSBC’s registry relates directly to the purpose of its publication. As a result, RateMDs did not require consent to collect, use or disclose it. It follows that RateMDs does not, in our view, need to comply with the Complainant’s request to take that information down from its website.

Ratings and Reviews – Consent

  1. As a preliminary matter, although reviews and ratings are “user-generated”, RateMDs collects, uses and discloses them for its own purposes of offering its rating service, through which it generates advertising and subscription revenues. We are therefore of the view that RateMDs is also responsible for the personal information contained in the reviews and ratings under the Act.
  2. We must now evaluate whether the ratings and reviews appearing on the RateMDs profile of the Complainant constitute her personal information and, if so, whether she can object to the fact that they were posted without her consent.
  3. Subsection 2(1) of PIPEDA defines personal information broadly to mean information about an identifiable individual. The OPC has found that personal information includes views or opinions that are expressed by others about an individual. [Footnote 9]
  4. The OPC has also found that the definition of “personal information” under PIPEDA is broad enough to include information about an individual in relation to their employment or profession. The OPC’s Interpretation Bulletin for “personal information” provides several examples of cases where the OPC has found that information relating to the performance of an employee or individual in relation to their business constitutes their personal information. [Footnote 10] Even where information appears to be about a business, the OPC has stated that “an individual’s personal information may be so inextricably linked to information about his or her company (e.g., for an owner/operator of a small business) that information about that company can constitute personal information about the individual.” [Footnote 11]
  5. The provision of reviews is a feature of many ratings sites offered on the Internet for goods and services. In this case, reviews and ratings that are posted by users on a health professional’s profile page often contain information that is reflective of the character or professional competency of the health professional. In the Complainant’s case, comments referring to her personality or her conduct directly relate to her reputation, character and proficiency at her profession. We are therefore satisfied that the reviews and ratings of her constitute the Complainant’s personal information.
  6. However, the matter is complicated in this case by the fact that the ratings and reviews of the Complainant were posted by other individuals. In our Interpretation Bulletin for “personal information”, the OPC notes that “the same information can be personal to more than one individual, where, for example, it contains the views of one individual about another individual, or where the same information reveals something about two identifiable individuals.” [Footnote 12]
  7. In our view, the reviews and ratings of the Complainant are also the personal information of the users who posted them to her profile page, in that these reviews reflect the users’ views and opinions with respect to the Complainant and their experiences with her.
  8. Our Office makes several findings below according to our interpretation of PIPEDA. However, we acknowledge that PIPEDA is ill-suited to regulate these types of services, which pit the privacy rights of individual(s) against the rights and interests of other individuals. We also note that our findings would not apply in the same way to sites that rate the services of companies, to the extent that these sites do not involve personal information.
  9. Because the reviews and ratings of the Complainant represent the personal information of both the Complainant and the individuals who posted them, Principle 4.3 of PIPEDA would seem to require the consent of both parties to authorize RateMDs to publish these reviews and ratings. However, where the interests of the individuals conflict, this will rarely be possible.
  10. RateMDs explained that it has obtained consent for the collection, use, and disclosure of a review or rating from the user who uploaded it to the Complainant’s profile page. However, the Complainant did not, in contrast, provide her consent for the reviews and ratings that have been posted about her. As a result, the issue is whether she is entitled to request that they be taken down, even though they were posted with the consent of the individuals who made them.
  11. On its face, the Act does not provide a ready-made solution for this type of conflict. We must therefore be guided by the purpose of the Act, past jurisprudence, and the need to approach the interpretation of the Act with “common sense, pragmatism and flexibility”. [Footnote 13]
  12. In the past, the Federal Court of Appeal has stated, including with respect to PIPEDA, that where the rights of two individuals over the same personal information conflict, a balancing exercise must be performed and must consider the interests of both individuals as well as the public interest. [Footnote 14]
  13. Adapting this framework to the present case, we must consider the consent of patients who have decided to post their personal experiences on RateMDs and the extent to which the posting of that information serves the public interest, as well as the interests of the Complainant, who did not consent to the publication of views about her and whose reputation can be negatively (or positively) affected by the reviews and ratings on the website.
  14. Ultimately, the ratings and reviews, to the extent they represent the opinions and views of patients, generally serve a legitimate public interest. On the RateMDs website, comments relate to health professionals who provide services to the public. Having these reviews and ratings available serves the public by informing their decisions about whether or not to engage with certain health professionals.Footnote 15
  15. Giving effect to the Complainant’s lack of consent would mean the interests of the patients who are consenting to the publication of their reviews and ratings would not be respected, and the benefits to the public more broadly would be negated. We are therefore of the view, based on a balancing of interests of the Complainant with those of the reviewers and the public more generally, that this aspect of the complaint is not well-founded.

ISSUE 2: Accuracy and Correction

  1. While we have found the Consent matter to be not well-founded, the Complainant still has a reasonable expectation of privacy in these circumstances, including an interest in protecting her reputation and capacity to earn a livelihood. If a RateMDs review were to contain inaccurate or incomplete information about her, it may result in reputational damage that would violate the protection of these interests.
  2. With this in mind, we note that PIPEDA requires that RateMDs ensure the accuracy of information about health professionals on its website, and allow those health professionals to challenge, and have corrected, inaccurate information about them. While the Complainant did not allege that the reviews or ratings concerning her contain inaccurate, incomplete or outdated information, we will briefly speak to this issue, which poses challenges in the context of the current law.
  3. Principle 4.6 of Schedule 1 of the Act stipulates that personal information shall be accurate, complete, and up-to-date as is necessary for the purpose for which it is to be used. Principle 4.6.1 states that the extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
  4. Principle 4.9.5 maintains that when an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
  5. In our view, these provisions mean that RateMDs should provide to the Complainant and other health professionals on its site a fair and accessible process to challenge the accuracy and completeness of the information published about them.
  6. A specific difficulty in this context arises from the fact that reviews posted by patients are anonymous. It may be difficult in some circumstances for a health professional to demonstrate that information is inaccurate in practice if the health professional does not know the identity of the user making the comment. This could make it challenging, and at times impossible, for a health practitioner to challenge the accuracy of the information being presented.
  7. In Canada (Information Commissioner) v. Canada (Minister of Citizenship and Immigration),Footnote 16 the Federal Court of Appeal held that the interest of the person expressing views about another to hide their identity was minimal, while both the private interest of the person who was the subject of the views and the public interest in fairness were significant.
  8. Our Office is of the view that this could also be the case in the context of reviews on RateMDs and that a health professional may indeed be justified in wanting to know who has posted a review about them, for the purposes of correcting or amending it.
  9. However, we note that section 9(1) of PIPEDA states that “an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party.” Therefore, although fairness and the protection of a health professional’s reputation could require that the identity of users posting negative reviews be disclosed to a health practitioner, PIPEDA would generally prohibit this disclosure. As such, we note that application of the law as enacted can result in an unfair process.
  10. RateMDs represented that it does allow users to flag any review, regardless of whether or not the user is a subscriber. When a review is flagged, RateMDs assesses it and removes those that are deemed to be inappropriate or to contain inaccurate information. Concerning inaccurate information, RateMDs stated that reviews would be changed or altered “upon being provided relevant supporting information or evidence by the user.” In addition, health professionals who claim their profile can add a response to any review, including to record a challenge to the accuracy, completeness or currency of the content of that review. These options are free of charge.
  11. In the absence of evidence suggesting that the Complainant’s RateMDs page contained inaccurate, incomplete or out-of-date information or that RateMDs’ practices are a barrier to correcting inaccurate information in accordance with PIPEDA, we will not opine further on the fairness of this process.

ISSUE 3: Openness

  1. This said, after reviewing RateMDs’ website, our Office found RateMDs’ explanation of its practices to be lacking in clarity. Principle 4.8 states that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
  2. While RateMDs highlighted that it would amend or take down “inappropriate information”, this is not, in our view, sufficient to meet the Openness requirements under the Act, in that it does not make clear to health professionals that they may request a correction or amendment to information about themselves, where they believe that information to be inaccurate, incomplete or out-of-date.
  3. RateMDs agreed to implement certain language changes in its ‘Terms of Use’ and FAQs to address the lack of transparency with respect to its review removal and correction policy. Those changes now clarify that personal information will be removed or amended where it is demonstrated to be inaccurate or not up-to-date. They also now indicate that a health professional can claim their profile to correct or update business information about themselves, or to post a response to any review.
  4. Our Office has reviewed RateMDs’ updated privacy communications. We are now satisfied that these are sufficiently clear to meet Openness requirements, such that we find this aspect of our investigation to be well-founded and resolved.

ISSUE 4: Appropriate Purposes

  1. Subsection 5(3) of the Act states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
  2. In applying subsection 5(3), consideration must generally be given to whether: “1) the collection, use or disclosure of personal information is directed to a bona fide business interest, and 2) whether the loss of privacy is proportional to any benefit gained.”Footnote 17
  3. In our view, subject to the concern identified below, a reasonable person would not generally consider the collection, use and disclosure of review and rating information of health professionals by RateMDs to represent an inappropriate purpose in the circumstances. Consistent with our analysis of the consent issue above, the interests of patients posting to the website, and particularly the public interest of prospective patients who may benefit from such reviews and ratings in selecting a health professional, suggest that RateMDs’ purposes are generally appropriate.
  4. That being said, in examining RateMDs’ business model, our Office was concerned with the specific feature of the paid Ratings Manager service that allowed subscribers to hide up to three negative reviews from their user profile, and where the negative reviews reappear if a user unsubscribes from the service.
  5. According to our Office’s Guidance on inappropriate data practices: interpretation and application of subsection 5(3), there are several ‘no-go zones’ that have been identified in relation to subsection 5(3), where the purpose for the collection, use and disclosure of personal information would be considered inappropriate by a reasonable person.Footnote 18 One of the identified ‘no-go zones’ is publishing personal information with the intended purpose of charging individuals for its removal.
  6. In this case, RateMDs has created a platform that allows users to post reviews and ratings, including negative ones, of health professionals. Having created the conditions for negative reviews to be posted, RateMDs cannot generate revenue from them by charging for their takedown. Requiring health professionals to pay in order to remove reviews, and then requiring continued monthly payments to maintain their suppression, is a clear example of an inappropriate ‘pay-for-takedown’ practice, in contravention of subsection 5(3).
  7. RateMDs initially disagreed with our Office’s position but ultimately agreed to implement our Office’s recommendation to cease offering this service. In August 2019, RateMDs replaced its Ratings Manager service plan with a new plan called ‘Ratings Concierge’. This service eliminates the ability of subscribers to hide any reviews from the website.
  8. Current annual subscribers of RateMDs will have a “sunset period” of up to one year (depending on when their annual subscription was purchased), after which they will no longer be able to access the Ratings Manager feature and will have the option to transition to the Ratings Concierge service. Additionally, monthly subscribers were required to transition to the Ratings Concierge service at the end of the first paid month after the Ratings Concierge service was introduced.
  9. In summary, our Office found that the “hide reviews” feature of RateMDs’ Ratings Manager service constituted an inappropriate practice and contravened subsection 5(3) of PIPEDA. Due to RateMDs’ agreement to remove this feature from its service moving forward, our Office finds this aspect of our investigation to be well-founded and conditionally resolved.

Conclusion

  1. Regarding the issues of consent, our Office found this aspect of the complaint to be not well-founded.
  2. Regarding openness, our Office found this aspect of the investigation to be well-founded and resolved.
  3. Regarding inappropriate purposes, our Office found this aspect of the investigation to be well-founded and conditionally resolved.

Other

  1. Our Office remains concerned with the challenges outlined in this report related to the potential for posting inaccurate information about a health professional on a RateMDs web page. We therefore strongly encourage RateMDs to explore and implement alternative mechanisms to ensure that information on a health professional’s web page is accurate.