Industry Committee on March 24th, 2015

Yes.

They can. That case that was recently in the media actually did come through our office in a very preliminary way early on. The circumstances could be reported as abuse, but when it's a commercial operator, the chances are the report would go to the police rather than the Public Guardian and Trustee to see whether the transaction was legitimate, and whatever. It's unlikely that we would be involved from the perspective of pursuing the vendor of the vehicle, the commercial operator, but rather protecting the adult.

What we might do in those circumstances is examine the affairs of the adult to determine whether there are supports in place and ways to protect the adult. Does the Public Guardian and Trustee need to become involved on an ongoing basis as a committee, for example, to manage the affairs of the adult?

There are certain types of situations that simply can't be avoided. People who have legal representatives but are incapable may still enter into transactions without the vendor knowing that the person is incapable, and presumably, they've entered into a situation that may not be in their best interests. There are provisions under British Columbian law that would perhaps negate that transaction to protect the vulnerable adult, but there are some things that are really difficult to protect. Our office would be involved only from the perspective of protecting the adult, not necessarily undoing the transaction or pursuing a vendor.

I'm not aware of that information being disclosed. I think there have been some extremely isolated incidents—you know, a member of the pharmacy staff might have looked up a patient record—but there are really good processes in place to identify that. In provinces like British Columbia, there is a province-wide information system of all the medications that every pharmacy can get. The same as breaches within a hospital, or any provider, some of that is being detected. How much it's reported, I don't know.

But in terms of prescription information being breached, I can't recall that having happened in spite of having electronic records of prescription data for about three and a half decades.

In the provinces that have a province-wide drug information system, it's a government system, so they are auditing that. They can identify the people who are accessing when they shouldn't be. That's not unique to pharmacy, either.

It's all part of post-marketing surveillance to look at a lot of safety information. Before drugs come on the market, they're tested in a fairly narrow, often homogeneous group. When they come out on the market and you're using them in pediatrics or the elderly or people with kidney dysfunction, they probably haven't been tested in some of those populations, so it's really important to get that information.

Most drug plans, in particular the government drug plans, have formularies and they have restricted access. They want to know that these drugs that are restricted because of either cost or safety concerns are being used appropriately and for the right patients. Without collecting that information, you wouldn't be able to research any of that.

In terms of the clinical outcomes for that particular individual?

You start to get more of that with better integration of adverse drug reaction reporting and clinical outcomes. British Columbia has a pretty impressive integrated.... They can look at cardiac outcomes based on utilization of cardiac medicines, that type of thing. These are all very highly educated researchers. Most of them who are doing a lot of this research are on faculties of medicine or pharmacy.

That's right. When you look at clinical research, it's the number who have been treated and what their outcomes are compared to a control group that's not on medications or on a different medication, that type of thing.

If I understand the question correctly—and thank you for the question—it was asking what we need beyond the compliance agreements that are currently in the bill.

I think what we need is the power, at the end, for the commissioner to make an order and instruct those companies to comply with whatever it is that the commissioner has found. You have a process of discussion and you have findings and you have a compliance agreement, but what we have right now is that at the end of the day the commissioner can then go to court and request an order.

We have seen an excellent example with the research that was done by the commissioner with respect to Facebook a few years ago—very thorough research by the assistant privacy commissioner, currently the privacy commissioner of British Columbia, into Facebook—with lots of media attention, lots of findings, lots of recommendations. Then Facebook says that's wonderful and moves on and keeps doing business as usual. They disregard Canada and they disregard the regulator, because the regulator doesn't have the power to order them to comply with any of those, and the only option is maybe to take them to court.

In order for big businesses to take the Canadian environment seriously, the commissioner has to be able to tell them at the end of the day that they have to comply with a certain finding or a certain request. What is baffling to me is that this is very common in data protection regimes. You see that they treat Europe differently as a result, because the commissioners there have the ability to regulate and make orders. You can see how they treat even provincial commissioners differently, because they have within their provinces the ability. The only outlier is the Privacy Commissioner of Canada.

I don't understand what the compelling reasons are to make an exception in this case, so that the Privacy Commissioner of Canada cannot be given the powers of making orders that all the others have.