Information & Ethics Committee on Feb. 8th, 2007

Mr. Chairman, may I answer?

Generally speaking, in a hospital environment, the situation is relatively simple. If a person suffers an injury during an accident or some kind of incident and the company asks for a medical report in order to study the situation, it is in the interest of the person who was injured, who was wounded or was in an accident to give his authorization. That is how things happen 99.9% of the time.

This poses a problem when the opposing party asks for information and the injured party refuses to disclose it. Normally, this is settled by both parties' attorneys. Generally speaking, this does not pose a problem.

It is difficult to respond to each of the aspects you have raised. We have not studied this issue and we have not heard the industry's comments. Personally, I cannot answer you.

All I can tell you is that we, at IMS Health Canada, do not have access to patient files and we do not want to have access to them. We cannot talk about 100% because there are always exceptions, which by the way are covered by the act, but in 99.999% of the cases, we use the information generated by what we call the work product in the doctor-patient relationship in order to improve services to the population without knowing the identity of the patient.

I'll let my colleague Gary Fabian answer that one.

One of the fundamentals of our database, because it's so comprehensive and spans the country, is that we're able to provide the research community, the pharmaceutical sector, and governments as well, with comparative data. Exactly the kind of analysis that you're talking about can be done fairly readily. It can be done by province or even by areas within a province, to allow for that kind of comparison in order to see if there are differences in a certain area versus another area.

For the pharmaceutical sector, it's also important. They want to know where their drugs are being dispensed, for what reasons if possible, and whether there are differences in different parts of the country. That's all information that's important for them as they try to evaluate the efficacy of their own performance or their own drugs.

Which ones would—

I'll let Robert take that.

Thank you for the question.

First of all, on notification, from our comments, NAID Canada's position would clearly be that notification is not only important as a protection for the individual whose information may have been breached, but I think we all know that as much as teeth or enforcement can be put into this, it may be one of the most serious deterrents to casually treating the information as well. If notification is hanging out there as an obligation, I think you're going to see organizations that handle personal information be much more concerned about that real thing happening.

As far as the transborder issue is concerned, it has cropped up. It originally cropped up when the European Union adopted data protection directives and then directives about sharing that data with the U.S., which was lagging behind at that time. It has also arisen between Canada and the U.S. with regard to the Patriot Act being passed in the U.S., and various things like that.

I would just say that it is fairly common-sense. As far as NAID Canada is concerned, the common-sense approach would certainly be that personal information belonging to a jurisdiction's citizens should not be allowed to be shared or to enter into an environment where those same protections aren't allowed for in the other jurisdiction.

If I may, it has generally been approached through safe harbour mechanisms that are negotiated even within...perhaps not the U.S., but within the organization. Obviously if the U.S. were to have a law that trumped that or exempted that safe harbour agreement, that would be an issue as well.

Let me explain what I mean by safe harbour. For instance, with the flow of information from Europe into North America, after the data protection directives passed, the Federal Trade Commission, along with the EU panel working on that, developed a process by which companies could ascribe and self-certify to meet certain standards that made them, in particular, compliant with the data protection directives.

Exactly.