Evidence of meeting #29 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Anita Fineberg  Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada
Gary Fabian  Vice-President, Public Affairs and Corporate Relations, IMS Health Canada
Dave Carey  Chair, National Association for Information Destruction - Canada
Léo-Paul Landry  Member, Medical Advisory Board, IMS Health Canada
Robert Johnson  Executive Director, National Association for Information Destruction - Canada

9 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Good morning, everyone. We're a few minutes late, so I'd like to start.

This is the Standing Committee on Access to Information, Privacy and Ethics, meeting number 29. The orders of the day are pursuant to the order of reference of Tuesday, April 25, 2006, section 29 of the Personal Information Protection and Electronic Documents Act, a statutory review of the act.

9 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

I have a point of order, Mr. Chairman. I would like to know something.

9 a.m.

Conservative

The Vice-Chair Conservative David Tilson

You may have two seconds, sir.

9 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

I would like to know how many people we need for quorum at the committee.

9 a.m.

Conservative

The Vice-Chair Conservative David Tilson

We don't need a quorum to start the meeting. I'd be prepared to oblige, but if members aren't here—

We were supposed to start at 9 o'clock, and people drift in. So we're entitled to start.

9 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

That's fine; I have no problem with that.

9 a.m.

Conservative

The Vice-Chair Conservative David Tilson

The only problem would be if there were a vote, and there is no vote, unless someone is up to something.

We have two guests today: IMS Health Canada, of which Anita Fineberg, I trust, is the spokesperson; and the National Association for Information Destruction - Canada, and I assume Dave Carey is the spokesperson.

9 a.m.

Anita Fineberg Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

I'll be speaking with Gary Fabian.

9 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Thank you.

We allow up to 10 minutes for each group to have some introductory comments, and then members of the committee, I expect, will have questions for you.

I want to thank you all for coming and providing us with your comments.

We will start with you, Ms. Fineberg, if you could introduce your colleagues.

9:05 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

Certainly. As you mentioned, I'm Anita Fineberg. I'm the chief privacy officer and corporate counsel of IMS Health for Canada and Latin America.

With me this morning is Gary Fabian, the company's vice-president, public affairs and government relations.

Also with me is Dr. Léo-Paul Landry, a member of our national medical advisory board and a past CEO and secretary general of the Canadian Medical Association. Dr. Landry brings the physician's perspective to the issue we'll discuss today and has particular experience and expertise in the province of Quebec.

I'd like to first thank the committee for providing IMS the opportunity to appear before you today. With the committee's permission, Gary will first provide you with some information on our IMS business, what we do, the data we collect, and our contribution to the advancement of health; and then I'll explain the impact that PIPEDA has had on our business and why we're here today.

9:05 a.m.

Gary Fabian Vice-President, Public Affairs and Corporate Relations, IMS Health Canada

Good morning. My name is Gary Fabian. I've been associated with IMS Health for over 20 years in a variety of roles. As vice-president of public affairs, I work closely with the medical, pharmacy, and research communities across Canada, primarily in a collaborative fashion, around the optimal utilization of medications.

IMS Health is the world's principal provider of information, statistical research, and consulting services to the pharmaceutical and health care sectors. We track over one million products globally, helping health care stakeholders to implement evidence-based decision-making.

We've been operating our business in Canada since 1960. Our Canadian head office is in Montreal, where we have over 850 employees. We have another office in Toronto with over 85 people, and a small office in Edmonton, Alberta.

We collect data from over 6,500 sources in Canada, including hospitals, pharmacies, pharmaceutical manufacturers, wholesalers, and physicians, to yield extensive information on diagnoses and disease treatments, including prescribing patterns and pharmaceutical utilization trends.

We maintain the most comprehensive national prescription database in Canada. Essentially, we have any and all information related to pharmaceutical distribution, consumption, and use in Canada, with one very important exception: we do not collect, use, or disclose any identifiable patient information; therefore, patient privacy is never at risk. We go to great lengths to ensure that patient privacy is always protected.

The facts are that since our Canadian operation began in 1960, we have never experienced a breach of patient privacy. We have never received a complaint from a patient that their privacy has been compromised. We have never received a complaint from a patient that their relationship with a physician has been jeopardized or compromised in any way. We have never received a complaint from a physician that their relationship with a patient has been compromised or jeopardized. This is the reality as opposed to unsubstantiated speculation.

We provide information products and services to governments, researchers, health providers, regulators and the private sector—pharmaceutical and biotech companies—to support the safe and effective use of medications, evaluation of drug policies, implementation of best practices and economic analyses. Physician-led research has used IMS data to measure the impact of continuing medical education initiatives on prescribing practices. Quality improvement initiatives for the use of antibiotics in Alberta and B.C., the development of new prescribing guidelines for Ritalin to children in Quebec and a long-term study examining the use of psychotherapies for depressive disorders associated with multiple sclerosis currently being conducted in western Canada have all benefited from the use of IMS data. It is our paying commercial clients that have enabled us to develop and invest in the production of the timely, up-to-date information available and to provide it gratis to help researchers.

On the government side, we provide data to the Patent Medicine Prices Review Board to assist with their previous setting of prices for brand drugs, and currently for the monitoring of the prices of generic drugs in Canada. Health Canada is also an important client of IMS and uses our information to assess current drug legalization trends and to develop health policies. Other government departments, federally and provincially, frequently use IMS expertise for similar reasons.

We are counselled by a medical adviser board comprised of three prominent physicians: Dr. Léo-Paul Landry, who is here with us and represents Quebec, Dr. Bill Orovan, representing Ontario, and Dr. Larry Olhauser, representing the western region. We interact with numerous physician-researchers in several academic settings, such as universities and other health research centres of excellence.

Our data is neutral—that is, we do not make judgments on whether the use of a particular therapy is good or bad—it is used by others to support evidence-based medicine and to make policy decisions in critical areas such as controlling drug costs, assessing utilization trends and the development of prescribing guidelines. Our objective is to ensure that we have the most comprehensive, valid and timely data available to support evidence-based decisions.

9:10 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

I've been IMS's chief privacy officer since 2000. We were one of the first companies in Canada to have such a position. I joined the company from the Ontario Ministry of Health, where I provided legal advice to the ministry on all privacy-related issues under the provincial public sector privacy and access law. I previously worked at the Information and Privacy Commissioner's office in Ontario for a number of years. So my experience in privacy and access issues spans the government, the regulator, and now the private sector.

You'll recall that Gary referred to one of IMS's key databases, information we receive from pharmacies that identifies drugs that have been prescribed by identified physicians. I again emphasize that we receive no patient identifiable information. We do not have access to the actual prescription record. Information that we receive about physician prescribing practices is disclosed in groups of at least 30 physicians. Generally, the groups are much larger, so that the actual prescribing pattern of an individual physician is never disclosed; rather, a client sees a report that indicates one number for all the named physicians in the group.

Physicians may have access to their individual prescribing information upon request to IMS. It's free. IMS only discloses the information on an individual basis to the physician or as required by law.

Why are we here today? We're here to request that the committee consider a narrow technical amendment to PIPEDA to clarify, codify, and provide certainty that work product information be excluded from the definition of personal information and therefore from the scope of the act.

As the committee knows, the definition of personal information in PIPEDA is information about an identifiable individual. The definition then goes on to exclude the name, title, or business address, or telephone number of an employee of an organization. The question is whether the information IMS receives from pharmacies related to a physician's prescribing is subject to PIPEDA.

When the legislation was being drafted and debated, we had questions as to whether the apparently very broad scope of the definition would capture the prescribing information, which did not appear to be intended. Even before the act came into force, our data suppliers and our clients expressed concerns about the information because of the lack of clarity in PIPEDA. As soon as the act came into effect in 2001, we were advised by the commissioner's office that they had received two complaints about our practices, alleging that we were contravening PIPEDA, as we were collecting personal information without the consent of physicians.

In the fall of 2001, the commissioner issued his findings on both complaints together, concluding that the prescribing information is not personal information, but rather work product information, and thus not subject to PIPEDA.

One of the complainants, a former business competitor, took the matter to the Federal Court, where it was dismissed, on consent of all parties, in the spring of 2004.

Working with Industry Canada, we proposed that a clarifying regulation be promulgated under PIPEDA to ensure the legislative intent that such information was not subject to the act was clear. However, the Department of Justice provided the opinion that such clarity had to be provided through a legislative amendment as opposed to a regulation. We followed their advice, so we're here today asking for such an amendment.

Why is it necessary? We, and others that you've heard from, still operate under a cloud of business uncertainty. Despite the commissioner's finding, another complaint against IMS on the same question could be filed with the commissioner's office tomorrow. As you've heard, the commissioner could make a different finding. She has no obligation to follow the previous one. As you can appreciate, this is a very difficult and uncertain environment in which to conduct business and to make decisions about ongoing investments in technology, infrastructure, and human resources in our Canadian operation in Quebec, Ontario, and Alberta.

Just as importantly, in the Canadian privacy environment, we've seen over the years an explicit recognition of the commissioner's finding on work product. You've heard from Department of Industry representatives that B.C. has substantially similar provincial private sector legislation, PIPA. This came into effect in January 2004 and, in effect, codifies the commissioner's finding. It has a definition of work product information that's explicitly excluded from the definition of personal information.

9:15 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Ms. Fineberg, you're in excess of 10 minutes. Perhaps you could wind up soon, please.

9:15 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

Certainly.

You've heard from many witnesses who have appeared before you today who support a specific exclusion for the definition of work product information: David Loukidelis, the Privacy Commissioner of B.C., who indicated that the definition in B.C. has not created any concerns; Edith Cody-Rice and Don Brazier, on behalf of FETCO; the Canadian Bar Association and its summary of proposed amendments, submitted to Industry Canada; and the Insurance Bureau of Canada and CLHIA.

A work product exclusion, which we have proposed as an amendment on the last page of our submissions, builds on that in the B.C. legislation. It addresses potential concerns, identified by the federal commissioner and Professor Bennett, with respect to the interpretation that might put employee surveillance activities outside the scope of the act. It's broad enough to capture many types of work product information identified by witnesses before the committee, and it's narrow enough just to exclude the type of work product information that witnesses have agreed is qualitatively different from personal information, which should be afforded privacy protection under the act.

9:15 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Thank you.

Mr. Carey, it's your turn.

9:15 a.m.

Dave Carey Chair, National Association for Information Destruction - Canada

Thank you. I'm Dave Carey, vice-president of Iron Mountain Secure Shredding, and the elected volunteer chair of NAID Canada. With me is Robert Johnson, the executive director of NAID and NAID Canada.

On behalf of the National Association for Information Destruction, NAID Canada, I would like to thank the committee for the opportunity to speak here today.

NAID Canada is a non-profit trade association for the secure information destruction industry. NAID Canada's members, like those of its sister organizations in the U.S. and Europe, provide commercial services ranging from the secure shredding of discarded paper records to the destruction of information contained on end-of-life electronics.

We take the invitation to address you here this morning as a sign of a growing understanding among policy-makers around the world that protecting personal information at the end of its life cycle is every bit as important as protecting it during its useful life. We will offer recommendations to reflect that in the legislation.

NAID Canada and its sister associations in the other countries have earned a reputation as a vigilant consumer advocate and as a trusted and credible resource for policy-makers. Our association has been asked to provide counsel in matters of proper information destruction to the Canadian Privacy Commissioner's office; the Ontario Information and Privacy Commissioner; the governments of Ontario, Alberta, and British Columbia; the U.S. Federal Trade Commission; the U.S. House of Representatives financial services committee, and the British Standards Institute.

With that said, we did not travel here today simply to remind you that discarded personal information should be destroyed first. That is a basic and well accepted principle of information protection. However, we would like to share with you our observation that governments need to provide a higher level of direction to ensure compliance with this principle and thereby real protection for its citizens. We maintain that you have that opportunity by amending PIPEDA.

Even with PIPEDA and other applicable provincial regulations in place, personal information is routinely abandoned or discarded without benefit of proper destruction. Here are a few examples.

In September 2005, a film company obtained several hundred boxes of office paper from a recycling centre to be used to replicate the scene of the World Trade Centre tragedy. As it turned out, the recycling company had delivered confidential medical records to fulfill that request. These most personal records were then summarily strewn about the windy city streets of Toronto's business district.

Most recently it was widely reported that bank employees had deposited confidential information in publicly accessible waste bins. The resulting investigation found the bank had inadequate policies and procedures to ensure proper information destruction.

In March 2006, a B.C. government official sold magnetic tapes at public auction that contained 77,000 medical files, including those of patients with many sensitive diagnoses. A month later, in Winnipeg, the dental records of hundreds of citizens were reported to have been found in a dumpster.

The truth is that these incidents are unique only in that they made the headlines. On any given day, it would not take long to find personal information being discarded, intact and accessible to the public. Careless disposal in dumpsters or garbage bins is the obvious example. Keep in mind as well, however, that recycling alone is not safe information destruction. Documents may still remain intact and vulnerable to privacy breaches for extended periods of time before being recycled.

Privacy protection is no longer simply a human rights issue. Violating the rights of others by casually discarding their personal information provides much of the feedstock for what has become a global epidemic of identity fraud. According to a study conducted in the United States, the vast majority of identity theft results from low-tech access to personal information such as dumpster diving. Indeed, law enforcement officials in the U.S. recently exposed elaborate rings of organized criminals capitalizing on this ready source of personal information. These rings were found to have divisions of labour, where lower ranks start by harvesting the information from dumpsters, which is then handed over to others of higher rank who have been trained to exploit it.

Only in the United States has a new generation of legislation begun to appear, exemplified by FACTA and a host of state laws. It is designed not only to protect privacy rights, but also to stem the tide of identity fraud. As a result, there is a marked difference in the regulatory language regarding information disposal.

Where in the past a regulatory reference to information disposal would require limiting unauthorized access, improved regulations now require that steps be taken to destroy personal information prior to its disposal. Further to the point, the newer generation of legislation requires that such security measures be documented in the organization's policies. We are here to respectfully urge this committee to enhance the effectiveness of PIPEDA in protecting the citizens of Canada by adopting a similar approach. Information destruction requirements must be clearly spelled out in legislation. That is the only way to put an end to these unnecessary breaches.

A number of specific recommendations must be noted to ensure that such protections are effective. We will focus on the most important here.

To ensure the full impact of a requirement to destroy discarded personal information, NAID Canada recommends that information destruction be clearly defined as “the physical obliteration of records in order to render them useless or ineffective and to ensure reconstruction of the information, or parts thereof, is not practical”. Enshrining such a definition is critical. It cannot be left to interpretation, as it is currently.

Further, we recommend that any organization that collects or stores personal information must have an information and document destruction policy. That forces organizations to think about the issues and implement a policy that fits the definition just provided.

We also support stronger contracting requirements between information custodians and third parties to whom processing is outsourced. That contract should clearly delineate the third party's responsibilities, policies, and procedures. The contract should also clearly indicate the third party's acknowledgement that they are bound by the same obligations as primary custodians to protect the personal information under PIPEDA.

We also recommend requiring information custodians to provide notification to individuals put at risk by breaches of security. Historically, such notifications have been reserved for incidents involving sensational electronic data breaches. However, just over a year ago there was an incident where millions of citizens of Los Angeles were put at risk by irresponsible disposal of paper records. In that case, L.A. County determined that the incident warranted a formal notification event. It is our recommendation that PIPEDA not only be amended to include a notification requirement for electronic data put at risk, but also casual disposal of paper records.

In closing, everything we have recommended this morning is already included in current information protection regulations elsewhere in the world. Identity theft is a growing scourge with no borders. When governments strengthen information protection in one jurisdiction, the criminals will move to where the laws are weaker and less well defined. Also, keep in mind that as processors of personal information ourselves, we fully understand that we are subject to the same regulations and consequences of violation.

Finally, I will leave you with a story that best demonstrates the value of increased government direction in the area of disposal. In May 2002, the State of Georgia passed the first serious shredding law in the United States. About two weeks afterwards, our executive director received a call from the VP of operations of a very large insurance company, well known to everyone in this room. The gentleman asked if NAID could send him a list of our NAID members in Georgia so that their multiple claims offices could comply with that new law. Of course, we were more than happy to accommodate the caller, but our director added that he could also send a list of NAID members across the country for their other offices. Without a second thought, the customer said, no thanks, the other states don't have a shredding law.

I wish I could tell you that your good counsel and prodding would be enough to prevent the casual disposal of personal information. But history has proven that more deliberate direction is required. Most importantly, the legislation must define the term “information destruction”.

Thank you for the opportunity to appear here today. We remain at your service at any time to provide further input or support for this committee's efforts to better protect the privacy of Canadians. Thank you.

9:25 a.m.

Conservative

The Vice-Chair Conservative David Tilson

I want to thank you and all our guests for coming and making your presentations to us.

I know members of the committee will have some questions, and in the procedure we follow, we go in rounds. The first round is up to seven minutes for questions and answers.

We will start with Mr. Pearson.

9:25 a.m.

Liberal

Glen Pearson Liberal London North Centre, ON

Thank you, Mr. Chair.

Thanks for coming today, and for updating us on this.

My question is for Ms. Fineberg.

We keep hearing at these sessions over and over again of the distinction between personal information and work product information, so we understand that there's a distinction there, and we also understand that the Privacy Commissioner also recognizes that distinction. But it does seem to me that distinction gets pretty murky when you start saying that it can be decided on a case-by-case basis. I understand that gives some people some comfort. On the other hand, if you are a business it's very difficult to plan for the long term.

I would be interested in knowing your view on that. Also, in your particular field of work and what you're doing, how does this affect your long-term planning?

9:25 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

Thank you.

I think the difficulty with the case-by-case approach proposed by the commissioner is that it really doesn't give any legislative policy direction, as determined by Parliament, to the commissioner to interpret any individual case. In that situation, policy would effectively be left up to the commissioner, as opposed to the commissioner being required to apply the policy that government and Parliament had determined. I think it's particularly important in this case, when we're talking about the definition of personal information versus work product, because of course that definition determines whether the information is subject to the rules of the act--whether you're in scope or without scope.

As for how that would impact our company particularly, the case-by-case approach doesn't provide any long-term certainty for anybody. As we've mentioned, a complaint tomorrow could be decided differently. The Federal Court could ultimately decide differently as well.

On our data that's used for long-term research projects, you want to look at trends over time precisely because they're long-term projects. Again those projects require certainty that you're going to be able to continue collecting data from your population at issue.

The commissioner appeared to indicate she has accepted that there's a qualitative distinction between personal information and work product, so it's kind of difficult to understand why that policy direction should not be clearly provided in the legislation itself, as it has in the B.C. legislation, for example.

9:30 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Mr. Vincent.

9:30 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

My question is for Ms. Fineberg and I also have one for Mr. Landry.

In your brief, you state: We are here to request that the committee consider a narrow, technical amendment to the PIPEDA, to clarify, codify and provide certainty that "work product information, be excluded from the definition..."

First of all, what is your interest in seeing the prescriptions?

Second, if we amend the act regarding doctors' prescriptions, any insurance company will be able to get access to these prescriptions. Would there not be a link between these two things?

9:30 a.m.

Vice-President, Public Affairs and Corporate Relations, IMS Health Canada

Gary Fabian

We try to make a distinction between the two. The work product, in our view, has no information about the patient. That is the distinction that we make. The information available is what is contained in the prescription, that is, what the doctor has prescribed. However, the federal commissioner has ruled that this information is not personal information.

If the prescription contains personal information about the patient, that would obviously be different. But since we have no access to the prescription as such, we cannot get any information about the patient. That is the distinction that we are trying to make by talking about the work product.

9:30 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

All right. However, if we amend the legislation, anyone could use it. If we say that prescriptions are a work product, an insurance company could ask the physician of the victim of a highway accident or some other mishap to consult that person's medical file. In that way, they would be able to see what other medications have already been prescribed to that person for a back problem, for example. That would allow the insurance company to say that this person already had issues with his back, and that consequently, the accident is perhaps not the cause of his current back problem.

Would it be possible for someone to use that information for means other than those you recommend?

9:30 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

In the example you provided, the medical record would not include any information about the patient, or the individual in your example who was in the accident, suffering back pain. We would not know—nor would the definition we propose for work product cover anything that would identify the patient, or the accident victim in that particular case.

What we are talking about, to use an example that many witnesses have provided to the committee, are things like documents, memoranda, opinions, and correspondence that are authored by people as they function as employees or professionals in an organization. It wouldn't include personal information about somebody, like their medical condition, religious beliefs, or something removed from that, reflecting, “I went on a call report to try to sell my company's clients a widget. I came back and wrote a report for my manager about that encounter and how many widgets they wanted to buy, and how many they didn't want to buy.” We're talking about that report as a work product of the salesperson who wrote it. That's the type of information we are proposing should be explicitly excluded as a work product in PIPEDA.

9:30 a.m.

Vice-President, Public Affairs and Corporate Relations, IMS Health Canada

Gary Fabian

The information we have about a doctor would not be personal either, because it is truly a work product. The person's religion, salary, preferences, habits or the kind of car they drive would not be information we would have access to, because that is personal information.