Information & Ethics Committee on Nov. 22nd, 2006

Of course, there's a federal institution, which I think is the Canada Health Infoway, which has been providing money and advice, and they've taken the benefits of work in different parts of the country.

It's clearly an area that should have a uniform system so they can talk to each other. Obviously, one of the benefits of an electronic health record is that it could be accessible anywhere. If your record is sitting in B.C., but you're injured in Ontario or something happens and you need the record, it's really important that it's accessible. That would be one of the major benefits.

If you're trying to understand how well certain kinds of medications are working, what the costs really are, and where there are areas of higher cost, there are an enormous number of questions you can answer with an electronic medical record.

The questions that are still of concern have to do with rules of access. In a lot of cases, the simple rules of access will be straightforward. If you're a doctor and you are of a certain category, you can access things at a certain level.

It means information will have to be structured in terms of different levels of sensitivity. It will therefore require different levels of access by physicians, government bureaucrats, ministers, associate ministers, and deputy ministers of health on the kind of information they can get and the permission level they will be at.

As I said, these things are currently being discussed.

I think this is really important. It will obviously affect PIPEDA, because it will regulate these things for the provinces without any other privacy legislation.

I think it goes back to the question on whether we should wait. I don't think we're going to wait. There is such urgency with medical records that we're not going to wait.

For whatever measures are taken in the provinces, I assume provinces that don't have their own legislation will look very carefully at what's going on elsewhere in Canada as they formulate policies of use.

Very briefly, I come back to the very first point I made, which is that it's obvious the rules need to be harmonized in this area and in other areas. The way our laws have been developed has been to a large extent with a view to harmonization and understanding the principles.

I've demonstrated it in my writing and I can certainly give further evidence to this committee that those principles are in fact extremely uniform. Therefore, what looks like an enormous practical problem of implementation is sometimes less difficult when you actually work through it.

The parallel of that is the opt-in or opt-out boxes. When you sign on to something, and you don't look carefully, they have already filled in what they would like you to agree to. There are x's appearing in boxes, and I've always objected. This is really something that does require a lot of energy to change. It's clearly an advantage to companies that people don't know this, that they're giving implied consent to various things because the option that the company wants you to choose is filled out already. And I think it has to be mandatory that if they want to use information, you have to give consent explicitly; it's not implicit, for their point of view, that they get it.

Yes. It's not only consent, it's knowledge--knowledge and consent--and often, I think, the problem is with the first one, actually knowing and giving individuals clear, unambiguous information, not in legalistic language, about how their information is going to be used.

I actually think that the consent rules in the CSA standard are relatively clear, but I've been around this business for a long time, and the problem is really with education and implementation, and as I say, getting some clear jurisprudence on all these issues. But I'll certainly give your ideas some careful reflection.

Professor Emeritus, actually.

That's both an important and difficult question. First of all, most people don't know that a lot of information is going off to the States. We got some publicity when the Office of the Privacy Commissioner pointed out that some of this was happening, and as I mentioned, in the B.C. context, there was lots of discussion on this when the possibilities existed that Americans could get access to the health records of British Columbians because we were outsourcing them to a subsidiary.

So they tried to put in the B.C. legislation dealing with this something to try to control to some degree the outflow. That is, if they contract out to a company, the company has to keep its records in British Columbia. At the end of the day, it wasn't clear, from either the Office of the Privacy Commissioner or the legislators, whether or not that was a foolproof way of preventing the U.S. parent company from getting access. The company within B.C., if they were going to do this thing, would have to sign agreements that they would not allow access to the Americans, they would not do this and they would not do that.

It's not clear, when you have control over information sitting in a database, whether or not it's been restricted so that the parent company can't get access. But that's the best you can do, unless you don't allow any outsourcing and it's all maintained by the government in Canada, assuming that the government doesn't outsource to companies for that purpose.

But it is a difficult process, and it will be one that's increasingly difficult, because more and more information by Canadians will go to the States by default. You'll have a credit card company; you'll make purchases. Who knows where they keep it?

That also happens, yes.