TLDR; some pharmacies are able to use the data you shared to register for your flu shot [LIST] for advertising purposes. Are we down with that? PS. This post is very Ontario-specific.
It seems that both Shoppers and Rexall say that your data *may* be used by third parties to sell ads. š
Maybe thatās just a legal oversight on their part - a product of copy + paste Terms and Conditions. Or, maybe this is something worth examining in greater detail. š¤·
My end: Iāve been looking at (*googling with furrowed brow in my āspareā time) the flu shot booking system stuff b/c I was really curious whether people would be able to re-sell their COVID screening time or flu shot registration; imagining that there was *some* sort of secondary market for them that could also be colonized by scalper bots. Why is that? 1. I need hobbies 2. I am fascinated by our efforts to regulate ticket scalper bots [~foreshadowing a future post~].Ā
Which is to say: this more āMiss Marpleā than The Markup. Like, Iām literally a lady with a laptop. But I think somethingās up. šµļøāāļø
In order to provide flu vaccinations, the province of Ontario has partnered with pharmacies/pharmacists. And this year, demand is up 500%.
In the event that the vaccine is available, shots are booked online. Right now, itās a bit of a SNAFU and thereās a shortage. It sucks! The flu shot is the new toilet paper. Everyone is annoyed. š¤
Since we know why we canāt get a flu shot right now, letās ask a different question:
What do pharmacies āgetā when you sign up for a flu shot?
A pharmacy may reward you for registering for a flu shot with them. This is new.
A pharmacy may use the information you share to register for that shot to serve you targeted ads. While this is disconcerting, it is permissible b/c pharmacies are technically data ācustodiansā under PHIPA (Personal Health Information Protection Act) BUT the digital third parties they partner with are not. Depending on the arrangement, they are the custodianās āagentā or āservice provider.ā Non-healthcare provider health companies arenāt directly subject to health information privacy laws.Ā
š Whatās the ārewardā for booking a flu shot?
(*Other than inoculation).
In an online āchatā with me, Shopperās shared that:
You have the opportunity to receive 500 PC Optimum points if you register online for a flu shot reminder at shoppersdrugmart.ca/flu by Thursday, October 15th 2020.
(This is the equivalent of $0.50).
So there is a little incentive to register with Shopperās.
Is this problematic? Somewhat. While itās not all *that* different than the monetary value of getting a lollipop *after* your shot (my doctor offers full-size Mars bars and this is a huge motivator for me), you donāt need to exchange anything in order to get that lollipop - itās a bonus for getting inoculated, not the price of it.Ā I find this disconcerting and a little silly, but itās not my main beef.
š What is Rexall doing with my flu shot info?
Probably not all that much, since theyāre passing the information onto MedMe.
Hereās what Rexall says:Ā
Please be advised that you are entering a website operated by MedMe Health. Rexall bears no responsibility for the accuracy, legality or content of this external site or any links on this website. Please contact MedMe Health for answers to questions regarding the content or operation of this website.
Terms of Service for MedMe Health and Privacy Policy
We may sell, rent or share your Usage Data and other Non-Personal Information including, without limitation, device IDs, advertising IDs or other persistent identifiers and non-precise geolocation information or precise geolocation information (if you choose to allow us to collect it), with third parties who assist us with our operations such as administration, analytics, research, optimization, and with our business partners in order to, among other things, allow them to serve more relevant advertisements tailored to you.Ā
What about āRemedyās RXā?
Remedyās RX represents independently-owned pharmacies. You can search online by city/address to see where you can book a flu shot. They use āPharmaclickā as a secure order management system.
If there are third parties that process RemedyāsRx data, we will require them to hold all personally-identifiable information confidential, and to use our customer information only for the purpose of fulfilling their business obligation.
4 - No Collection of Personal Information for Browsing Purposes
RemedyāsRx does not collect personal information about you unless you either (i) send an email message to RemedyāsRx; (ii) apply online for a position with RemedyāsRx, (iii) use any of the online Customer Access such as, without limitation, PharmaClikā¢, amongst others.
We do capture the paths taken as you move from page to page (i.e., your "click stream" activity). Information we collect on our websites may be used to enhance your use of these websites in ways such as:
Organize the website in the most user-friendly way;
Customize your browsing experience of this website;
Communicate special offers, information and featured items to you, if you choose to receive such notices;
Respond to your questions or suggestions.
[If youāve seen any weirdo language like this - let me know in the comments and I can update the post].
Itās scary to think about the flu shot being used as an access point to...sell you stuff.Ā
Another reason itās problematic is the limited alternative(s), which right now is to go to your Doctorās office, which may be closed or virtual.
Scarcity of the shot aside, policy people should be PISSED about these data grabs. š”
There are two levers of consent that are of interest here:Ā
Consent to marketing;Ā
Consent to healthcare. Ā
So data-sharing with the pharmacy doesnāt necessarily mean that the bargain with Canadaās [mostlyā¦] public health care system is changing to more closely mirror that of much of the internet - āif youāre not paying for it, you are the product.ā
You shouldnāt have to pay with your browsing data or trade any privacy to book your flu shot. People should have a clear choice to share their PII/PHI but not lose access to services.
The reality is that pharmacies may have to provide data to health care providers - to public health officials - if requested/authorized by law. The bigger issue is, of course, whether they are de-identifying registration information and selling insights on it.Ā
Whereās the policy opportunity here?
Itās difficult to appreciate why third-party digital platforms working directly with pharmacies arenāt considered to be health information custodians when they are being entrusted with the same information.
How can we clarify the role of private sector service providers under personal health data legislation and deem them responsible as ācustodiansā or ātrusteesā if they want to promote basic virtual care services to reduce strain on physical health care infrastructure?
If Shoppers/Optimum/PC/health care apps are just service providers and are only ācaughtā by PIPEDA and not PHIPA, then that goes against consumer expectations.Ā
Should consumer expectations align with actual regulatory decisions? We expect all health data is protected similarly, but itās only given special protection if it is collected, used, or disclosed in the context of delivering health care.Ā
š” It might also be a good idea to figure out the data boundaries with this online booking business before they carry over to the COVID-19 vaccination.
The Ontario legislature is clearly concerned about health privacy (they recently updated PHIPA) but have not yet brought the new provisions into force, which contemplate electronic agents.
š“āāļø A source of inspo here? How about: Pelotonās Terms? h/t Ellie.
Peltonās terms are impressive for their comprehensiveness and how well theyāve made one policy apply for GDPR, CCPA and everywhere else. Itās a reminder that one jurisdiction like California or the EU can have the side effect of making companies provide more rights/transparency in other jurisdictions. Given that Ontario has specific health privacy legislation, digital companies that partner with pharmacies should be able to comply with PHIPA. We just need to make sure the legislation accurately captures them.
š Zooming out to the macro issues, a recent report from the Ada Lovelace Institute explores the ādataficationā of health.
The ādataficationā of health has profound consequences for who can access data about health, how we practically and legally define āhealth dataā, and on our relationship with our own wellbeing and the healthcare system. Health information can now be inferred from non-health data, and data about health can be used for purposes beyond healthcare.
*Jesse Hirsh wrote about the report in his newsletter here.
š¢ regs
The Personal Health Information Protection Act āPHIPAā (2004) is Ontarioās health-specific privacy legislation. It governs that manner in which personal health information may be collected, used and disclosed within the health sector. It regulates health information custodians, as well as individuals and organizations that receive personal health information from custodians.
With limited exceptions, PHIPA requires custodians to obtain consent before personal health information is collected, used or disclosed. In addition, PHIPA provides individuals with a right to access and request correction of their personal health information.
PHIPA also provides a means for redress through the Office of the Information and Privacy Commissioner of Ontario (IPC) when privacy rights relating to personal health information have been violated.
If pharmacies + their digital partners are being leveraged as health providers, they should fall under this legislation as a ācustodianā [!]. AKA we need to proactively enforce recent updates to PHIPA.
Registering online for a flu shot requires you to offer certain information like your name, date of birth, address, and gender.
š° riches
Digital data can be (or seem) valuable from an advertising perspective. We shouldnāt blur the boundaries associated with handing medical data w/ advertising.
e.g. Companies like Carebook (which just raised $21M) have been collecting flu shot sign up information AKA I think they alsoā¦buy it.
e.g. Companies like MedMe - a āpatient care platform to help pharmacists schedule, conduct, and track clinical services at scaleā - which has partnered with Rexall for the flu shot - may be benefitting from digital data collected.
tldr;
š© People are getting screwed.
š No one can get a flu shot.
š± But! Information you volunteered to register for one *might* be used to serve you ads, even though itās not supposed to be.
š New Digital Infrastructures of Workplace Health and Safety
Earlier, I profiled āSafen Labs,ā new workplace tech that pledges to protect employees in the name of public health. I pointed out how the technology doesnāt need formal Health Canada approvals as itās ānot a medical device.ā š
A new report from the Centre for Media, Technology & Democracy at McGill and data & Society warns of how the pandemic is normalizing collecting employee information and surveillance.