Information & Ethics Committee on Feb. 8th, 2007

I would say that while there is direction provided already, as you acknowledged, we are asking, just as you've said, for a clearer direction saying specifically that it must be destroyed when it's discarded and describing what that destruction is, along with the other recommendations. The reason is that the current level of direction falls short of what has been found to be necessary throughout much of the world to actually get action to be taken. As we've pointed out, in these high-profile cases—they were rather high-profile and made headlines—the reality is that this is happening very much as standard operating procedure, unfortunately, and it's so commonplace that it's not reported. As a result, the current statute, as it is written, is largely disregarded.

We feel the number of breaches and the degree of the breaches would be limited and would decrease under better legislation.

Certainly on the personal information side, IMS has been a very strong supporter of patient privacy rights. When there was a suggestion that the information we have might be identifiable in some way, I would say to people that clearly it is illegal across the country for IMS to collect, use, or disclose any identifiable patient information without that individual's consent. We have lots of measures in place to ensure that we do not do that.

There was a previous witness, I believe it was Dr. Rosenberg, who suggested that based on some work that was done a number of years ago in the U.S., perhaps people could be identified through publicly available information. The situation down there is very different. They don't have the privacy laws that we do, the federal Privacy Act and provincial laws that prohibit the availability of databases, such as our voters lists, motor vehicles licensing databases, vital statistics, and so on. As a matter of fact, a researcher up here in Ottawa recently tried to replicate those U.S. studies and found that it was not possible to do so. If the committee likes, I can provide that reference afterwards.

As I mentioned, we've never had a breach of patient privacy. With respect to physician information, as a matter of fact, we have had a code of practice in place for a number of years that sets out explicitly how we deal with all this information. We are transparent; it is posted on our website. It has been there for a number of years, and it's based on the Canadian Standards Association's principles, which is the code that is a schedule to PIPEDA.

Also we're independently audited each year by QMI, which is an audit branch of CSA. Our most recent certification is in your packages.

As a matter of fact, on the provincial level, it's B.C., Alberta, and Quebec that have substantially similar legislation. I believe that what the committee has heard to date is that B.C. and Alberta represent what the commissioner called the second generation of privacy laws, and that perhaps we should take some direction, based on the learnings over time and how those provinces have accommodated them.

I also believe that when the commissioner was here, Vice-Chair Tilson specifically asked her if there were particular things in the Quebec legislation that she might suggest should be incorporated into or looked at for PIPEDA. I recall that her answer was that given the timing, things had sort of moved on, and it was the second generation laws in B.C. and Alberta that the committee should perhaps look to for direction.

The National Association of Pharmacy Regulatory Authorities does have a policy position, and they allow the information to be collected.

With respect to B.C., that was raised before, and its bylaw is quite old. It came into effect in 1997 and was effectively forced upon the college by the B.C. Ministry of Health against its wishes. The college board has subsequently voted to amend that bylaw, but the B.C. government has yet to approve the amendment.

To answer your first question, there are various sizes of companies. For example, my company is in the records information management business, which is magnetic media and hard copy storage business and shredding. But the majority of our members are independent, shred-only, destruction-only companies.

Do you want to answer number two, Bob?

Number two, did PIPEDA make a difference in the behaviour of organizations with regard to disposal? Is that it?

Obviously there are still legal retention requirements. Of course you want to keep it around for its useful life as well, if there's some access to it. Certainly it is prudent records management policy, and continues to be prudent, to purge records that are no longer needed, that have reached the end of their retention period, and to do that on a regular basis to avoid the appearance of suspicious destruction. If it happens there's a lawsuit a week later, and you did it offhand, it's going to be adversely interpreted. There are all of those things. But there is no requirement to get rid of them at that period of time, and there never has been. With regard to their disposal, there's very little direction at this point other than just--

Alberta's Personal Information Protection Act is a bit clearer than PIPEDA is, but not much. Across the board, even going back to 1990 with the Freedom of Information and Protection of Privacy Act, when it was passed at that time, it had a clearer definition or direction as far as what destruction is and that personal information shall be destroyed when it is discarded, but no definitions of what destruction is, and destruction could be interpreted as many things.

We have supplied such wording in both the United States and in the European Union when we were asked for it. We have not prepared that for Canada at this point, but it would be very easy to do.

Consider it done.