Good morning. My name is Gary Fabian. I've been associated with IMS Health for over 20 years in a variety of roles. As vice-president of public affairs, I work closely with the medical, pharmacy, and research communities across Canada, primarily in a collaborative fashion, around the optimal utilization of medications.
IMS Health is the world's principal provider of information, statistical research, and consulting services to the pharmaceutical and health care sectors. We track over one million products globally, helping health care stakeholders to implement evidence-based decision-making.
We've been operating our business in Canada since 1960. Our Canadian head office is in Montreal, where we have over 850 employees. We have another office in Toronto with over 85 people, and a small office in Edmonton, Alberta.
We collect data from over 6,500 sources in Canada, including hospitals, pharmacies, pharmaceutical manufacturers, wholesalers, and physicians, to yield extensive information on diagnoses and disease treatments, including prescribing patterns and pharmaceutical utilization trends.
We maintain the most comprehensive national prescription database in Canada. Essentially, we have any and all information related to pharmaceutical distribution, consumption, and use in Canada, with one very important exception: we do not collect, use, or disclose any identifiable patient information; therefore, patient privacy is never at risk. We go to great lengths to ensure that patient privacy is always protected.
The facts are that since our Canadian operation began in 1960, we have never experienced a breach of patient privacy. We have never received a complaint from a patient that their privacy has been compromised. We have never received a complaint from a patient that their relationship with a physician has been jeopardized or compromised in any way. We have never received a complaint from a physician that their relationship with a patient has been compromised or jeopardized. This is the reality as opposed to unsubstantiated speculation.
[Translation]
We provide information products and services to governments, researchers, health providers, regulators and the private sector—pharmaceutical and biotech companies—to support the safe and effective use of medications, evaluation of drug policies, implementation of best practices and economic analyses. Physician-led research has used IMS data to measure the impact of continuing medical education initiatives on prescribing practices. Quality improvement initiatives for the use of antibiotics in Alberta and B.C., the development of new prescribing guidelines for Ritalin to children in Quebec and a long-term study examining the use of psychotherapies for depressive disorders associated with multiple sclerosis currently being conducted in western Canada have all benefited from the use of IMS data. It is our paying commercial clients that have enabled us to develop and invest in the production of the timely, up-to-date information available and to provide it gratis to help researchers.
On the government side, we provide data to the Patent Medicine Prices Review Board to assist with their previous setting of prices for brand drugs, and currently for the monitoring of the prices of generic drugs in Canada. Health Canada is also an important client of IMS and uses our information to assess current drug legalization trends and to develop health policies. Other government departments, federally and provincially, frequently use IMS expertise for similar reasons.
We are counselled by a medical adviser board comprised of three prominent physicians: Dr. Léo-Paul Landry, who is here with us and represents Quebec, Dr. Bill Orovan, representing Ontario, and Dr. Larry Olhauser, representing the western region. We interact with numerous physician-researchers in several academic settings, such as universities and other health research centres of excellence.
Our data is neutral—that is, we do not make judgments on whether the use of a particular therapy is good or bad—it is used by others to support evidence-based medicine and to make policy decisions in critical areas such as controlling drug costs, assessing utilization trends and the development of prescribing guidelines. Our objective is to ensure that we have the most comprehensive, valid and timely data available to support evidence-based decisions.
I've been IMS's chief privacy officer since 2000. We were one of the first companies in Canada to have such a position. I joined the company from the Ontario Ministry of Health, where I provided legal advice to the ministry on all privacy-related issues under the provincial public sector privacy and access law. I previously worked at the Information and Privacy Commissioner's office in Ontario for a number of years. So my experience in privacy and access issues spans the government, the regulator, and now the private sector.
You'll recall that Gary referred to one of IMS's key databases, information we receive from pharmacies that identifies drugs that have been prescribed by identified physicians. I again emphasize that we receive no patient-identifiable information. We do not have access to the actual prescription record. Information that we receive about physician prescribing practices is disclosed in groups of at least 30 physicians. Generally, the groups are much larger, so that the actual prescribing pattern of an individual physician is never disclosed; rather, a client sees a report that indicates one number for all the named physicians in the group.
Physicians may have access to their individual prescribing information upon request to IMS. It's free. IMS only discloses the information on an individual basis to the physician or as required by law.
Why are we here today? We're here to request that the committee consider a narrow technical amendment to PIPEDA to clarify, codify, and provide certainty that work product information be excluded from the definition of personal information and therefore from the scope of the act.
As the committee knows, the definition of personal information in PIPEDA is information about an identifiable individual. The definition then goes on to exclude the name, title, or business address, or telephone number of an employee of an organization. The question is whether the information IMS receives from pharmacies related to a physician's prescribing is subject to PIPEDA.
When the legislation was being drafted and debated, we had questions as to whether the apparently very broad scope of the definition would capture the prescribing information, which did not appear to be intended. Even before the act came into force, our data suppliers and our clients expressed concerns about the information because of the lack of clarity in PIPEDA. As soon as the act came into effect in 2001, we were advised by the commissioner's office that they had received two complaints about our practices, alleging that we were contravening PIPEDA, as we were collecting personal information without the consent of physicians.
In the fall of 2001, the commissioner issued his findings on both complaints together, concluding that the prescribing information is not personal information, but rather work product information, and thus not subject to PIPEDA.
One of the complainants, a former business competitor, took the matter to the Federal Court, where it was dismissed, on consent of all parties, in the spring of 2004.
Working with Industry Canada, we proposed that a clarifying regulation be promulgated under PIPEDA to ensure the legislative intent that such information was not subject to the act was clear. However, the Department of Justice provided the opinion that such clarity had to be provided through a legislative amendment as opposed to a regulation. We followed their advice, so we're here today asking for such an amendment.
Why is it necessary? We, and others that you've heard from, still operate under a cloud of business uncertainty. Despite the commissioner's finding, another complaint against IMS on the same question could be filed with the commissioner's office tomorrow. As you've heard, the commissioner could make a different finding. She has no obligation to follow the previous one. As you can appreciate, this is a very difficult and uncertain environment in which to conduct business and to make decisions about ongoing investments in technology, infrastructure, and human resources in our Canadian operation in Quebec, Ontario, and Alberta.
Just as importantly, in the Canadian privacy environment, we've seen over the years an explicit recognition of the commissioner's finding on work product. You've heard from Department of Industry representatives that B.C. has substantially similar provincial private sector legislation, PIPA. This came into effect in January 2004 and, in effect, codifies the commissioner's finding. It has a definition of work product information that's explicitly excluded from the definition of personal information.
Thank you. I'm Dave Carey, vice-president of Iron Mountain Secure Shredding, and the elected volunteer chair of NAID Canada. With me is Robert Johnson, the executive director of NAID and NAID Canada.
On behalf of the National Association for Information Destruction, NAID Canada, I would like to thank the committee for the opportunity to speak here today.
NAID Canada is a non-profit trade association for the secure information destruction industry. NAID Canada's members, like those of its sister organizations in the U.S. and Europe, provide commercial services ranging from the secure shredding of discarded paper records to the destruction of information contained on end-of-life electronics.
We take the invitation to address you here this morning as a sign of a growing understanding among policy-makers around the world that protecting personal information at the end of its life cycle is every bit as important as protecting it during its useful life. We will offer recommendations to reflect that in the legislation.
NAID Canada and its sister associations in the other countries have earned a reputation as a vigilant consumer advocate and as a trusted and credible resource for policy-makers. Our association has been asked to provide counsel in matters of proper information destruction to the Canadian Privacy Commissioner's office; the Ontario Information and Privacy Commissioner; the governments of Ontario, Alberta, and British Columbia; the U.S. Federal Trade Commission; the U.S. House of Representatives financial services committee, and the British Standards Institute.
With that said, we did not travel here today simply to remind you that discarded personal information should be destroyed first. That is a basic and well accepted principle of information protection. However, we would like to share with you our observation that governments need to provide a higher level of direction to ensure compliance with this principle and thereby real protection for its citizens. We maintain that you have that opportunity by amending PIPEDA.
Even with PIPEDA and other applicable provincial regulations in place, personal information is routinely abandoned or discarded without benefit of proper destruction. Here are a few examples.
In September 2005, a film company obtained several hundred boxes of office paper from a recycling centre to be used to replicate the scene of the World Trade Centre tragedy. As it turned out, the recycling company had delivered confidential medical records to fulfill that request. These most personal records were then summarily strewn about the windy city streets of Toronto's business district.
Most recently it was widely reported that bank employees had deposited confidential information in publicly accessible waste bins. The resulting investigation found the bank had inadequate policies and procedures to ensure proper information destruction.
In March 2006, a B.C. government official sold magnetic tapes at public auction that contained 77,000 medical files, including those of patients with many sensitive diagnoses. A month later, in Winnipeg, the dental records of hundreds of citizens were reported to have been found in a dumpster.
The truth is that these incidents are unique only in that they made the headlines. On any given day, it would not take long to find personal information being discarded, intact and accessible to the public. Careless disposal in dumpsters or garbage bins is the obvious example. Keep in mind as well, however, that recycling alone is not safe information destruction. Documents may still remain intact and vulnerable to privacy breaches for extended periods of time before being recycled.
Privacy protection is no longer simply a human rights issue. Violating the rights of others by casually discarding their personal information provides much of the feedstock for what has become a global epidemic of identity fraud. According to a study conducted in the United States, the vast majority of identity theft results from low-tech access to personal information such as dumpster diving. Indeed, law enforcement officials in the U.S. recently exposed elaborate rings of organized criminals capitalizing on this ready source of personal information. These rings were found to have divisions of labour, where lower ranks start by harvesting the information from dumpsters, which is then handed over to others of higher rank who have been trained to exploit it.
Only in the United States has a new generation of legislation begun to appear, exemplified by FACTA and a host of state laws. It is designed not only to protect privacy rights, but also to stem the tide of identity fraud. As a result, there is a marked difference in the regulatory language regarding information disposal.
Where in the past a regulatory reference to information disposal would require limiting unauthorized access, improved regulations now require that steps be taken to destroy personal information prior to its disposal. Further to the point, the newer generation of legislation requires that such security measures be documented in the organization's policies. We are here to respectfully urge this committee to enhance the effectiveness of PIPEDA in protecting the citizens of Canada by adopting a similar approach. Information destruction requirements must be clearly spelled out in legislation. That is the only way to put an end to these unnecessary breaches.
A number of specific recommendations must be noted to ensure that such protections are effective. We will focus on the most important here.
To ensure the full impact of a requirement to destroy discarded personal information, NAID Canada recommends that information destruction be clearly defined as “the physical obliteration of records in order to render them useless or ineffective and to ensure reconstruction of the information, or parts thereof, is not practical”. Enshrining such a definition is critical. It cannot be left to interpretation, as it is currently.
Further, we recommend that any organization that collects or stores personal information must have an information and document destruction policy. That forces organizations to think about the issues and implement a policy that fits the definition just provided.
We also support stronger contracting requirements between information custodians and third parties to whom processing is outsourced. That contract should clearly delineate the third party's responsibilities, policies, and procedures. The contract should also clearly indicate the third party's acknowledgement that they are bound by the same obligations as primary custodians to protect the personal information under PIPEDA.
We also recommend requiring information custodians to provide notification to individuals put at risk by breaches of security. Historically, such notifications have been reserved for incidents involving sensational electronic data breaches. However, just over a year ago there was an incident where millions of citizens of Los Angeles were put at risk by irresponsible disposal of paper records. In that case, L.A. County determined that the incident warranted a formal notification event. It is our recommendation that PIPEDA not only be amended to include a notification requirement for electronic data put at risk, but also casual disposal of paper records.
In closing, everything we have recommended this morning is already included in current information protection regulations elsewhere in the world. Identity theft is a growing scourge with no borders. When governments strengthen information protection in one jurisdiction, the criminals will move to where the laws are weaker and less well defined. Also, keep in mind that as processors of personal information ourselves, we fully understand that we are subject to the same regulations and consequences of violation.
Finally, I will leave you with a story that best demonstrates the value of increased government direction in the area of disposal. In May 2002, the State of Georgia passed the first serious shredding law in the United States. About two weeks afterwards, our executive director received a call from the VP of operations of a very large insurance company, well known to everyone in this room. The gentleman asked if NAID could send him a list of our NAID members in Georgia so that their multiple claims offices could comply with that new law. Of course, we were more than happy to accommodate the caller, but our director added that he could also send a list of NAID members across the country for their other offices. Without a second thought, the customer said, no thanks, the other states don't have a shredding law.
I wish I could tell you that your good counsel and prodding would be enough to prevent the casual disposal of personal information. But history has proven that more deliberate direction is required. Most importantly, the legislation must define the term “information destruction”.
Thank you for the opportunity to appear here today. We remain at your service at any time to provide further input or support for this committee's efforts to better protect the privacy of Canadians. Thank you.
I think the difficulty with the case-by-case approach proposed by the commissioner is that it really doesn't give any legislative policy direction, as determined by Parliament, to the commissioner to interpret any individual case. In that situation, policy would effectively be left up to the commissioner, as opposed to the commissioner being required to apply the policy that government and Parliament had determined. I think it's particularly important in this case, when we're talking about the definition of personal information versus work product, because of course that definition determines whether the information is subject to the rules of the act, whether you're in scope or without scope.
As for how that would impact our company particularly, the case-by-case approach doesn't provide any long-term certainty for anybody. As we've mentioned, a complaint tomorrow could be decided differently. The Federal Court could ultimately decide differently as well.
On our data that's used for long-term research projects, you want to look at trends over time precisely because they're long-term projects. Again those projects require certainty that you're going to be able to continue collecting data from your population at issue.
The commissioner appeared to indicate she has accepted that there's a qualitative distinction between personal information and work product, so it's kind of difficult to understand why that policy direction should not be clearly provided in the legislation itself, as it has in the B.C. legislation, for example.
Thank you, Mr. Chair, and my thanks to the witnesses.
I'm going through the IMS documents. I'm sorry I wasn't here for the actual presentation, but I've scanned the presentation.
I'm interested in a couple of general things that are beyond your brief. The duty to notify, of course, keeps coming up in our work here as a committee. We're rapidly approaching the end of the study on PIPEDA and we'll be making recommendations, so I would appreciate a brief comment from both of the witnesses as to how they feel about that.
The other thing is the transborder transfer of information. There are some jurisdictions that will not allow the transfer of data to jurisdictions that don't have comparable protections. That would be of interest to me too.
Specifically on IMS, Ms. Fineberg, I notice that on page 3 of your speaking notes, you say your business is to “provide information products and services to governments, researchers, health providers, regulators and the private sector—pharmaceutical and biotech companies—to support the safe and effective use of medications”, and so on. Is there ever a case in which the pharmaceutical and biotech companies want to know from you not personal information but information regarding frequency of claims of certain types of drugs or the experience of certain types of treatments in certain jurisdictions, so that they can have an idea which products are more popular, which are being used, etc.? Is that one of the information services you might offer to the pharmaceutical and biotech industries?
Thank you for the question.
First of all, on notification, from our comments, NAID Canada's position would clearly be that notification is not only important as a protection for the individual whose information may have been breached, but I think we all know that as much as teeth or enforcement can be put into this, it may be one of the most serious deterrents to casually treating the information as well. If notification is hanging out there as an obligation, I think you're going to see organizations that handle personal information be much more concerned about that real thing happening.
As far as the transborder issue is concerned, it has cropped up. It originally cropped up when the European Union adopted data protection directives and then directives about sharing that data with the U.S., which was lagging behind at that time. It has also arisen between Canada and the U.S. with regard to the Patriot Act being passed in the U.S., and various things like that.
I would just say that it is fairly common-sense. As far as NAID Canada is concerned, the common-sense approach would certainly be that personal information belonging to a jurisdiction's citizens should not be allowed to be shared or to enter into an environment where those same protections aren't allowed for in the other jurisdiction.
My thanks to our panel for attending this morning. With just seven minutes, I'm going to divide as equally as I can here, because I do have two questions for each of the two groups represented here.
First to Ms. Fineberg, I'm actually referring to the recommendation that you have put on page 34 of your submission, which is the actual text of what you're proposing in relation to your work product information and how to include that as an exception to the definition of personal information.
Specifically, in your second recommendation, which talks about the definition of work product information, subsection (i) says that work product information “does not include—personal information about an identifiable individual who did not prepare, compile or disclose the information”, and then it goes on to talk about the surveillance issue. It's good that you see the surveillance issue covered.
My question really is, from a practical point of view, who are we really talking about here? Could you give me a practical example of who would be excluded here?
Certainly on the personal information side, IMS has been a very strong supporter of patient privacy rights. When there was a suggestion that the information we have might be identifiable in some way, I would say to people that clearly it is illegal across the country for IMS to collect, use, or disclose any identifiable patient information without that individual's consent. We have lots of measures in place to ensure that we do not do that.
There was a previous witness, I believe it was Dr. Rosenberg, who suggested that based on some work that was done a number of years ago in the U.S., perhaps people could be identified through publicly available information. The situation down there is very different. They don't have the privacy laws that we do, the federal Privacy Act and provincial laws that prohibit the availability of databases, such as our voters lists, motor vehicles licensing databases, vital statistics, and so on. As a matter of fact, a researcher up here in Ottawa recently tried to replicate those U.S. studies and found that it was not possible to do so. If the committee likes, I can provide that reference afterwards.
As I mentioned, we've never had a breach of patient privacy. With respect to physician information, as a matter of fact, we have had a code of practice in place for a number of years that sets out explicitly how we deal with all this information. We are transparent; it is posted on our website. It has been there for a number of years, and it's based on the Canadian Standards Association's principles, which is the code that is a schedule to PIPEDA.
Also we're independently audited each year by QMI, which is an audit branch of CSA. Our most recent certification is in your packages.
Most of our witnesses in this have come with specific details that affect their particular businesses. But I'm interested as well, because you're experts in the privacy field, in a more general concern that doesn't come up as often.
When the Public Safety Act was introduced, Bill C-7, it amended PIPEDA dramatically in 2004. It allows that private sector organizations can act as agents of the state to collect personal information, without consent, for the sole purpose of disclosing this to the government.
Under these amendments, CSIS or the RCMP could now ask a business to collect new data that these agencies might otherwise not be able to collect, and they might be able to use their power under PIPEDA to conduct searches at the request of these agencies that would otherwise violate the Charter of Rights and Freedoms. Is that a concern that you have heard raised as experts in the privacy field? I know it may not pertain to your particular businesses.
This is for either or both of you. We have only a few minutes.
Ms. Fineberg.
I just have a really quick follow-up, because I was politely cut off.
I wanted to ask the information management folks about the question of notification. I was interested to hear you say that you want to extend that or have more detailed notification requirements. The commissioner has come to tell us previously—and we're going to have the commissioner back—that the notification system we have now is adequate and that, if possible, notification is not required and the issue gets resolved internally. Then nobody's hurt by it and that's sufficient.
Have you actually surveyed your members so they know that they will be more liable, based on your presentation today, if there is a change to the notification piece, in that, as some have argued, for any breach at all there should be notification to the person?
In my mind, a lot of records in this country are stored near warehouses, and sometimes they get destroyed and sometimes they don't. I think you're at a higher risk than many. So I'd like to know for sure that I can say that I heard from your organization, and that you have surveyed your members, and they are confident that you are right that there should be a greater notification process than what exists now in PIPEDA.
I think that's a perfect example of where the IMS data, the availability of such a comprehensive database—and those were some of the issues I cited in my opening remarks.
We've done extensive work in the research community on specific diseases such as the treatment of infection and antibiotics. There was an educational program launched in Alberta, called “Do Bugs Need Drugs?”, and they needed comprehensive and authoritative information to find out if the program was actually working. We were able to provide the small community with information about whether the program was actually working and whether there was a change in the general consumption of anti-infectives. It was very simple things, such as teaching people to wash their hands, cleanliness and things like that, right up to not asking your doctor for an anti-infective every time you visit because you have a sore throat.
Without our information they weren't able to tell if people's habits were changing, whether physicians were prescribing differently, and whether people were taking fewer anti-infectives. That's a very good example of one that worked in a small community.
Similarly, we did extensive work for the Collège des médecins in the province of Quebec on the use of Ritalin in children. They had no supporting information about that. It was a perfect example. You had educational and health issues, with children, physicians, and parents involved. They needed strong empirical evidence, and we were able to provide it.
Without the kind of basic information we collect, you wouldn't be able to provide that. Nobody else has it. The governments don't have it and no other research organization has it.
I'm just trying to figure out how to respond to that.
That's not reality in Quebec. First of all, the whole medical profession in Quebec knows exactly what we do. As Anita has alluded to, it's on our website. They get the IMS journal. We go to great lengths to provide all the information, so it is done with their knowledge across the province. That's number one.
Number two, I can understand that some might not like that, but on the other hand, a lot of physicians don't like to be approached by a whole variety of pharmaceutical reps in areas of no concern to them. More and more physicians are focusing on an area of practice and they want to deal with pharmaceutical companies that have products for their areas of interest. So part of what we do helps the pharmaceutical industry target physicians who are really using or prescribing their medications.
On the other hand, it prevents them from approaching physicians who have no interest in these, so there's a benefit to that. As a matter of fact, there is significant benefit to that, because in cases that I know of personally, physicians have a relationship with the pharmaceutical reps and get scientific information from them, especially in relation to side effects. And that's a reality.
As a matter of fact, two weeks ago I was in the hospital milieu and I heard about these things, and then we saw reps. The whole approach of pharmaceutical reps has changed over the years and it's become much more scientific, so there's value there. And that's the counter, the other side of the coin that you present.
I want to thank both groups for coming and giving us your views. You've stimulated some conversation for us, and I appreciated your doing that. So thank you very much for coming.
Before we adjourn, members of the committee, our chairman, Mr. Wappell, will be returning next week. We're approaching the end of this review, and I believe that somewhere along the line we're going to be asking for the report to be prepared. Normally the Library people, Ms. Holmes or whoever, prepare a summary of the recommendations that have been made by witnesses, the proposed amendments. And the question I have is, do we wait until the end when we've heard from the minister—and I think the minister is coming, and the commissioner—or do we have a draft report before they come, so they can hear the proposed amendments from our witnesses, and ask them to comment on that when they come?
I'm not asking for an answer now. This is something that perhaps the chair should deal with when he returns, but it's an observation I have made in my position today, that we should be thinking ahead as to how we're going to prepare our report. So I'll leave that with you.
Again, thank you for coming.
The meeting is now adjourned.