Abstract

On April 13, 2000, the Personal Information Protection and Electronic Documents Act ("PIPEDA") received royal assent, making it law across Canada. As the legislation itself states, PIPEDA establishes rules to govern the collection, use and disclosure of personal information in Canada in a manner that recognizes the right of privacy of individuals.

Staged Implementation


Although PIPEDA came into force on January 1, 2001, its implementation is staged and it will not be fully in effect until January 1, 2004. As of January 1, 2001, PIPEDA applied to:
  • all works, undertakings and businesses that come within the legislative authority of the Parliament of Canada as set out in the Constitution; and
  • personal information that is disclosed for consideration outside of the province in which it was originally collected.

The exception to the above-noted scope is that PIPEDA did not apply to "personal health information" until January 1, 2002.

Effective January 1, 2004, PIPEDA will apply to the collection, use and disclosure of all personal information, including personal health information, in the course of all commercial activities in Canada, regardless of whether the organization engaged in them is federal in nature and regardless of whether the personal information involved crosses provincial borders.

If PIPEDA has not already had an effect on pharmaceutical and medical device/technology companies that conduct business in Canada, it most certainly will as of January 1, 2004.

Overview of PIPEDA


The core provisions of PIPEDA are based upon the Model Code for the Protection of Personal Information which was approved by the Canadian Standards Association in 1996 (the "Model Code"). The Model Code establishes 10 principles which must be adhered to in order to ensure the protection of privacy of personal information. These 10 principles have been embodied in a schedule to PIPEDA which forms an operative part of PIPEDA. The 10 principles are:


  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure and Retention
  6. Accuracy
  7. Safeguards/Security
  8. Openness
  9. Individual Right of Access
  10. Challenging Compliance

In order to be PIPEDA compliant, organizations must conduct their affairs in a manner consistent with these 10 principles.

The cornerstone of PIPEDA is that "personal information" may not be collected, used or disclosed in the context of a "commercial activity" without the consent of the individual to whom the information relates. "Personal information" is defined in PIPEDA as "information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization". "Commercial activity" is defined in PIPEDA as "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists".

PIPEDA does not apply to data that have been made anonymous, and its consent requirement does not apply to information that is publicly available (the categories of publicly available information are specified by regulation). That being said, personal information in the public domain may only be used in a manner that is consistent with the reason that such information is found in the public domain.

PIPEDA does not apply to personal information about employees that is collected, used or disclosed by an organization in the employment context unless the information is collected, used or disclosed in connection with the operation of a federal work, undertaking or business. As the employment relationship typically falls within provincial jurisdiction, one must look to the laws of each province to determine what, if any, obligations exist in respect of the privacy or confidentiality of employee personal information. The common law may also affect privacy rights in the workplace.

In addition to these general exclusions, PIPEDA sets out specific exclusions from the Act and specific exceptions to its consent requirement, including the following:


  • collection, use and disclosure for journalistic, artistic or literary purposes (excluded from the Act)
  • collection, use and disclosure by individuals for domestic purposes (excluded from the Act)
  • collection, where the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way
  • use, where the information is used to respond to an emergency threatening the life, health or security of an individual
  • use or disclosure for statistical, scholarly study or research purposes, if those purposes cannot be achieved without using the information, the information is used in a manner that ensures its confidentiality, it is impracticable to obtain consent and the organization gives prior notice to the Privacy Commissioner
  • disclosure, if required by law
  • disclosure, where the disclosure is made either 100 years after the record containing the personal information was created or 20 years after the death of the individual to whom the information relates, whichever is earlier

Obligations on Organizations


PIPEDA requires that all organizations engaged in commercial activities in Canada do the following:


Identify the purposes for which the organization collects, uses and discloses personal information. It is recommended that organizations conduct a privacy audit that considers all aspects of the organization's commercial activities. If the organization is not aware of all of the circumstances under which it collects, uses or discloses personal information, it will be ineffective at ensuring that the privacy of this information is appropriately protected.

Develop a process for obtaining consent for the collection, use and disclosure of personal information. To be valid, the consent must be meaningful and must be freely given. An organization cannot require a person to consent to the collection, use and disclosure of personal information as a precondition to providing services unless the collection, use or disclosure is reasonably required to fulfill the explicitly stated and legitimate purposes. Consent may be express or implied, oral or written. The appropriate form of consent will depend upon the circumstances and the sensitivity of the personal information in question.

Ensure that personal information in their possession, power and control is kept accurate and up to date in order to minimize the possibility that inaccurate information is used to make a decision about an individual. This responsibility must be tempered, however, by an organization's obligation not to routinely update information unless it is necessary in order to fulfill the purposes for which the information was collected. Balancing these requirements will require organizations to re-evaluate their data retention policies.

Develop and implement a Privacy Policy that is consistent with the Model Code's 10 principles and which sets out the organization's purpose for collecting, using and disclosing personal information and sets out the measures taken for ensuring the safe-keeping of such information. The Privacy Policy must also provide a mechanism for individuals to access their personal information and provide a mechanism for making and responding to inquiries and complaints.

Appoint a Privacy Officer to oversee the implementation of the Privacy Policy and to ensure compliance with PIPEDA. The Privacy Commissioner encourages organizations to ensure that the designated Privacy Officer is a member of senior management.

Publicize its Privacy Policy and the identity and contact information of the Privacy Officer. An organization must also publicize the kinds of personal information it holds, how that information can be accessed and what types of personal information it provides to third parties, including its subsidiaries and/or parent company.

Implement security measures to protect the personal information in their control. Such security measures must take into account protecting both hard copies as well as electronic copies of personal information from theft and other unauthorized access, disclosure, use or modification.

Remedies for Breaches of PIPEDA


Individuals are entitled to bring complaints either to the organization itself or directly to the Privacy Commissioner. PIPEDA also provides individuals with the ability to file an application in the Federal Court if the individual is dissatisfied with the Privacy Commissioner's handling of the matter.

Where a complaint is brought to the Privacy Commissioner, (s)he will conduct an investigation of the organization that is the subject of the complaint. The Privacy Commissioner has broad powers to compel the production of documents and the attendance of witnesses, and the Privacy Commissioner or his/her staff may enter any premises, other than a dwelling-house, occupied by an organization upon satisfying any security requirements of the organization. The Privacy Commissioner or his/her staff may examine any records found there and may question or converse with anyone on the premises. Independently of any complaint, where the Privacy Commissioner has reasonable grounds to believe that an organization is contravening PIPEDA, (s)he also has the right to audit the personal information practices of the organization upon providing reasonable notice.

Where a complainant is not satisfied with the Privacy Commissioner's handling of the complaint, (s)he may, within 45 days of receiving the Privacy Commissioner's report, file an application with the Federal Court. The Federal Court has the jurisdiction to order an organization to correct its practices and/or publish a notice of any corrective action taken, and to award damages to the complainant, including damages for any humiliation that the complainant has suffered.

Substantially Similar Provincial Laws


If a province enacts its own private sector privacy legislation and the federal government deems it to be "substantially similar" to PIPEDA, organizations in that province will be exempted from PIPEDA in respect of the collection, use and disclosure of personal information that occurs within the province, and the provincial legislation will govern instead. PIPEDA continues to apply to federal works, undertakings and businesses and to personal information that crosses provincial or national borders.

At the moment, the only province with comprehensive privacy legislation that has been deemed substantially similar to PIPEDA is Quebec. Other provinces have either enacted private sector privacy legislation (British Columbia) or have legislation pending (Alberta), but none has yet received confirmation from the federal government that its legislation is substantially similar.

In addition, some provinces have enacted sector-specific private sector privacy legislation. For example, Manitoba, Alberta and Saskatchewan have all enacted legislation that deals with the privacy of personal health information. Although it has not happened yet, it is possible that this sector-specific legislation will be deemed substantially similar to PIPEDA, thereby exempting the organizations to which it applies from PIPEDA. Until that happens, organizations in these provinces must take into consideration both PIPEDA and the provincial, health-specific privacy legislation.

Impact of PIPEDA on the Pharmaceutical and Medical Device/Technology Industries


Pharmaceutical and medical device/technology companies, by virtue of the nature of their businesses, have occasion to deal with personal information of a particularly sensitive kind: personal health information. As such, companies in these industries that conduct business in Canada will need to take particular care in how they collect, use and disclose personal information.

Of particular interest to the pharmaceutical and medical device/technology industries are the following:


  1. Pharmaceutical and medical device/technology companies should consider the nature and extent of the personal information that has been and is collected, used and/or disclosed in the context of the clinical trials and other research activities they engage in. While consent has historically been required for individuals to participate in research, companies involved in or reliant upon clinical trials should consider whether the consent forms used to obtain consent to participation in the research adequately inform the potential subject of how his/her personal information will be collected, used and disclosed. Consideration must also be given to whether data that have already been collected may continue to be used if an individual withdraws his/her consent, which may happen at any time. Finally, potential subjects should be advised of the principal investigator's or sponsor's obligation to report adverse events to Health Canada and other regulatory authorities should any be observed in the course of the research.
  2. Pharmaceutical and medical device/technology companies are likely to have a substantial quantity of personal information under their control, as the process of obtaining marketing approval requires them to collect it. Such companies should reflect on the types of personal information collected, used and disclosed in the regulatory approval process to ensure that this is done in a manner that is PIPEDA compliant. This analysis will have to be both forward looking and retrospective, as PIPEDA will apply to the use or disclosure of personal information that was collected before PIPEDA came into effect.
  3. Sometimes pharmaceutical and medical device/technology companies rely on third parties to provide them with information about who is using their products so that they can focus their marketing and sales activities. Whether or not this will continue to be permissible is the subject of much debate. Recently there have been a couple of cases considering whether pharmacists/pharmacies may provide information about physicians' prescribing practices to IMS Health Canada Ltd. In one of these cases, the federal Privacy Commissioner determined that such activity is permissible under PIPEDA. The Alberta Privacy Commissioner has, however, determined in another case that this type of activity is a violation of the Health Information Act, Alberta's health sector privacy legislation, and is therefore, prohibited. Both decisions are the subject of separate judicial review applications which are currently pending. The cases demonstrate the significant impact that PIPEDA and provincial privacy legislation may have on how pharmaceutical and medical device/technology industries conduct their marketing and sales activities. They also highlight how Canada's privacy laws may not be consistent across the country.
  4. PIPEDA's impact may be felt beyond Canada's borders. Many pharmaceutical and medical device/technology companies operate internationally. To the extent that personal information originating in Canada is disclosed to a third party (perhaps a subsidiary or parent company of the Canadian entity, or a foreign regulatory body such as the FDA), PIPEDA's principles will apply. Pharmaceutical and medical device/technology companies must reflect upon the circumstances under which they disclose personal information across international borders.

Conclusion


As of January 1, 2004, all private sector businesses in Canada will be subject to PIPEDA and/or substantially similar provincial privacy legislation governing the private sector. In addition, in some provinces organizations will be subject to sector-specific privacy legislation. The pharmaceutical and medical device/technology industries are not immune from the application of privacy laws in Canada. In fact, because these industries deal with highly sensitive personal health information on a regular basis, they are likely to find the impact of the privacy regime in Canada quite significant.

There is no time to waste. If not already underway, organizations must immediately appoint a Privacy Officer and conduct a privacy audit to evaluate how and when they collect, use and disclose personal information. Immediate steps must also be taken to develop and implement a Privacy Policy that will assist the organization in ensuring PIPEDA compliance by January 1, 2004.

About the Author

Megan Evans is a member of Cassels Brock's Health Law practice group. She has a background in litigation but also advises healthcare clients on a broad range of legal and policy issues.

Acknowledgment

© 2003 Cassels Brock & Blackwell LLP. Cassels Brock is a trade-mark of Cassels Brock & Blackwell LLP. All rights reserved.