Riley Report

To receive The Riley Report free by e-mail,

CLICK HERE

Back Issues

January 2003

THE RILEY REPORT – March 2003

from Thomas B. Riley (Tom@Rileyis.com)

http://www.rileyis.com

http://www.electronicgov.net

Following is the Riley Report for March 2003. Please feel free to pass this on as you see fit. If you wish to use any or part of the Report in an offline publication please acknowledge the author or contact the author if to be fully republished offline. If you are not currently subscribed to the Riley Report (there is no charge) you can email info@rileyis.com and simply put subscribe in the body of the text. You can also go to the Riley Report at: www.rileyis.com/report/index.html and subscribe there.

Privacy is an important issue to the whole subject of e-government, especially in regards to the way that personal information can be captured, changed, distributed and shared across the networks of the world and between individuals, organizations and governments. In the field of health there are a multitude of privacy issues impacting on e-government developments.

This month's report is from guest correspondent David Keeshan, a specialist in health privacy. In his article he examines some recent developments relating to the application of Canada’s federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) to health information. A case currently before the Federal Court of Canada points out that some very basic foundational questions have yet to be resolved in determining what constitutes “personal health information” for the purposes of that Act. That case will have significant consequences for the non-consensual disclosure to third parties of prescription-related data by pharmacies for commercial purposes. It also suggests that the Courts will take an expansive view of who can use PIPEDA’s enforcement mechanisms, with the result that privacy challenges by business competitors may become common. The Report draws on material written by David Keeshan which appears in the most recent issue of Health Privacy in Canada: Law, Practice and Compliance. David is a lawyer and the co-author of, among other things, The Law of Search and Seizure in Canada, 5^th Edition, The Police Guide to Search and Seizure, and Privacytown. Health Privacy in Canada: Law, Practice and Compliance is published 8 times per year by Electric Law Press (http://www.electriclawpress.com).

Breaking New Ground: Applying PIPEDA to Health Information

The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), which received Royal Assent on April 13, 2000, governs the collection, use and disclosure of personal information by private sector organizations in the course of commercial activity. It incorporates, as a schedule, the 10 Fair Information Practices set out in the Canadian Standards Association Model Code, and creates an oversight and enforcement mechanism involving the Federal Privacy Commissioner and the Federal Court.

The legislation has a three phase implementation process. In the first phase, in force January 1, 2001, the Act was applied to the collection, use and disclosure of personal, non‑health related information in the course of commercial activity by organizations under federal constitutional jurisdiction, or to the personal information of employees in connection with the operation of a federal work, undertaking or business. The second phase, in force January 1, 2002, added health related information. As of that date, pursuant to s. 30(1.1), personal health information collection in the federal sphere was required to meet PIPEDA’s requirements. In the third phase, which will commence January 1, 2004, the Act will apply to all organizations that collect personal information - including health information - in the course of commercial activity under both federal and provincial jurisdiction. Organizations which, at that time, are governed by “substantially similar” provincial legislation, will be exempted from the application of the Act in respect of the collection, use or disclosure of personal information that occurs within that province.

One of the most interesting questions being raised with respect to PIPEDA is: How will it be applied to personal health information?

Of all kinds of personal information, health related data is perhaps the most sensitive and raises the greatest privacy concerns for citizens. A case currently before the Federal Court of Canada, involving IMS Health Canada, Ronald Maheu and the Privacy Commissioner of Canada, points out that some very basic foundational questions have yet to be resolved in determining what constitutes “personal health information” for the purposes of the Act. It also sheds some light on how the Courts may interpret the Act.

Some background is helpful. Pharma Communications Group Inc. and IMS are competitors in the business of selling prescription information written by doctors to producers of prescription drugs. In September, 2001, the Privacy Commissioner of Canada rejected a complaint by Ronald Maheu, the principal of Pharma Communications, under PIPEDA that IMS Health Canada had breached the Act by selling information about the prescribing practices of physicians, without their consent. Maheu argued that IMS had purchased a number of items of information from Canadian pharmacies taken off prescriptions without the knowledge or consent of the prescribing doctor. This information was said to include store number, drug identification number, drug name, drug strength, manufacturer, selling price, new or refill, reasons for use, reasons for no substitution order, prescriber’s first and last name, phone number, and patient gender and date of birth. The Commissioner took the view that an individual prescription, though potentially revealing about a patient, “is the outcome of the professional interaction between the physician and the patient...and should be regarded as a work product ‑ that is, the tangible result of the physician’s work activity.” As a “work product” that prescribing information was not personal information and hence PIPEDA did not apply. Maheu then turned to the Federal Court, alleging that the Privacy Commissioner was wrong in determining that information collected and disclosed by IMS was not personal information under the Act.

The litigation raised two significant issues with respect to the interpretation of PIPEDA. First, it addressed the fundamental issue of whether doctors’ prescribing data is personal information and therefore protected by the Act, or, whether it is a non‑personal work product as characterized by the Privacy Commissioner. Should the Federal Court overturn the Privacy Commissioner’s findings, it would have significant implications for the non‑consensual collection and use of doctor and patient prescription information.

Secondly, it raised the question of whether PIPEDA can be used by businesses to challenge the data use practices of competitors. Because failure to follow fair information practices could reduce costs and deliver a competitive advantage, it is conceivable that the Courts would permit applications by other businesses or interested third parties. As its statutory description makes clear, PIPEDA is, after all, primarily e‑commerce legislation.

That second issue was at the forefront when IMS subsequently moved to strike out the application as an abuse of process or, alternatively, to require Maheu to post security for costs under Federal Court R. 416(1)(g) on the basis that he was "impecunious and the proceeding frivolous and vexatious." IMS's motion was heard by a Prothonotary, an officer of the Federal Court who, while not a judge, has duties of judicial nature, including dealing with interlocutory work and even taking trials in minor matters. In May 2002, the Prothonotary ruled that (a) a very stringent standard applied to striking an action, and while it would appear to be an abuse, or vexatious or frivolous to use PIPEDA to obtain a competitive business advantage, the application shouldn't be struck in the absence of decided cases bearing on the scope of PIPEDA; (b) a less stringent standard applied to applications for security for costs and the material gave reason to believe that the proceeding was frivolous and vexatious in the sense that it was not fair and honest to use the process of the Court in order to extend PIPEDA for what was, very arguably, the improper purpose of obtaining a commercial advantage.

Maheu appealed the Prothonotary’s order, and in an important procedural ruling, the Federal Court (Trial Division) held that the Prothonotary misinterpreted PIPEDA when he came to the conclusion there was reason to believe that Maheu’s application for review was for an improper purpose, i.e. an attempt to obtain a commercial advantage over IMS.

Lemieux J held that the scheme of PIPEDA is to establish a set of rules applicable to organizations that collect, use or disclose personal information in the course of commercial activities. It is a public law regulatory statute providing for the means of enforcement through complaints, the Privacy Commissioner’s investigation and report, and an appeal by the complainant as of the right to the Federal Court, which may make orders in the nature of public law remedies. Maheu was seeking from the Court, as he had a right to do, a determination whether IMS’s practices comply with the law in terms of relevant collection gathering techniques involving personal information, in particular paragraph 4.3.5 of the Schedule to PIPEDA. It did not matter that Maheu’s personal information was not at stake in the complaint he made to the Privacy Commissioner. That consideration was irrelevant. The complainant was not Pharma Communications, but rather an individual, Maheu, who had a right to apply to the Federal Court, Trial Division for a hearing following the determination that his complaint was not well founded.

As well, disqualifying a competitor from access to PIPEDA’s enforcement mechanisms was not in Parliament’s contemplation having regard to the fact that it is competitors engaged in commercial activities who, along with persons whose personal information is being collected, are primarily affected by its rules. The action was therefore not frivolous and IMS was not entitled to security for costs from Maheu.

Unless it is overturned, the Trial Division ruling helps clarify how, and by whom, PIPEDA’s enforcement mechanisms can be used. It suggests that the Courts will take an expansive view of who can use PIPEDA’s enforcement mechanisms, with the result that privacy challenges by business competitors may become common. The failure to follow fair information practices could reduce short term costs and potentially deliver a competitive advantage. By allowing competitors standing to enforce PIPEDA, the courts may facilitate a much more dynamic use of the statute.

The ruling also permits the case to move forward s so that the federal Court can deal with the substantive issue, namely whether prescription data is in fact personal health information, or whether, as the Privacy Commissioner suggests, it is a work product that the Act is not intended to regulate.

For further information on this issue go to: Electric Law Press (http://www.electriclawpress.com).

Thomas Riley is available for consultations, preparation of reports, presenting workshops or delivering speeches at conferences and seminars on e-government, e-governance and e-democracy. Please contact me at the email address below for further details.

Thomas B. Riley
Executive Director and Chair
Commonwealth Centre for Electronic Governance
http://www.electronicgov.net
Visiting Professor, University of Glasgow
Riley Information Services.
http://www.rileyis.com
Tom@Rileyis.com

With author attribution, this document may be freely copied in whole or in part for online distribution. Any offline use requires the author's permission.