TLDR; some pharmacies are able to use the data you shared to register for your flu shot [LIST] for advertising purposes. Are we down with that? PS. This post is very Ontario-specific.
It seems that both Shoppers and Rexall say that your data *may* be used by third parties to sell ads. 😟
Maybe that’s just a legal oversight on their part - a product of copy + paste Terms and Conditions. Or, maybe this is something worth examining in greater detail. 🤷
My end: I’ve been looking at (*googling with furrowed brow in my “spare” time) the flu shot booking system stuff b/c I was really curious whether people would be able to re-sell their COVID screening time or flu shot registration; imagining that there was *some* sort of secondary market for them that could also be colonized by scalper bots. Why is that? 1. I need hobbies 2. I am fascinated by our efforts to regulate ticket scalper bots [~foreshadowing a future post~].
In order to provide flu vaccinations, the province of Ontario has partnered with pharmacies/pharmacists. And this year, demand is up 500%.
In the event that the vaccine is available, shots are booked online. Right now, it’s a bit of a SNAFU and there’s a shortage. It sucks! The flu shot is the new toilet paper. Everyone is annoyed. 😤
Andrew Sorry Sunshine Lewis @AndrewLewisFCThanks to Doug Ford’s knowledge of epidemiology and close adherence to medical advice, Ontarians are going to be able to celebrate breaking through the 1000 cases per day barrier by HITTING THE BARS BABY!! #ONpoli #TOpoli @bruce_arthur https://t.co/hz9sxYqcgn
Since we know why we can’t get a flu shot right now, let’s ask a different question:
What do pharmacies “get” when you sign up for a flu shot?
A pharmacy may reward you for registering for a flu shot with them. This is new.
A pharmacy may use the information you share to register for that shot to serve you targeted ads. While this is disconcerting, it is permissible b/c pharmacies are technically data “custodians” under PHIPA (Personal Health Information Protection Act) BUT the digital third parties they partner with are not. Depending on the arrangement, they are the custodian’s “agent” or “service provider.” Non-healthcare provider health companies aren’t directly subject to health information privacy laws.
🍭 What’s the “reward” for booking a flu shot?
(*Other than inoculation).
In an online “chat” with me, Shopper’s shared that:
You have the opportunity to receive 500 PC Optimum points if you register online for a flu shot reminder at shoppersdrugmart.ca/flu by Thursday, October 15th 2020.
(This is the equivalent of $0.50).
So there is a little incentive to register with Shopper’s.
Is this problematic? Somewhat. While it’s not all *that* different than the monetary value of getting a lollipop *after* your shot (my doctor offers full-size Mars bars and this is a huge motivator for me), you don’t need to exchange anything in order to get that lollipop - it’s a bonus for getting inoculated, not the price of it. I find this disconcerting and a little silly, but it’s not my main beef.
🔍 What is Rexall doing with my flu shot info?
Probably not all that much, since they’re passing the information onto MedMe.
Here’s what Rexall says:
Please be advised that you are entering a website operated by MedMe Health. Rexall bears no responsibility for the accuracy, legality or content of this external site or any links on this website. Please contact MedMe Health for answers to questions regarding the content or operation of this website.
We may sell, rent or share your Usage Data and other Non-Personal Information including, without limitation, device IDs, advertising IDs or other persistent identifiers and non-precise geolocation information or precise geolocation information (if you choose to allow us to collect it), with third parties who assist us with our operations such as administration, analytics, research, optimization, and with our business partners in order to, among other things, allow them to serve more relevant advertisements tailored to you.
What about “Remedy’s RX”?
Remedy’s RX represents independently-owned pharmacies. You can search online by city/address to see where you can book a flu shot. They use “Pharmaclick” as a secure order management system.
If there are third parties that process Remedy’sRx data, we will require them to hold all personally-identifiable information confidential, and to use our customer information only for the purpose of fulfilling their business obligation.
4 - No Collection of Personal Information for Browsing Purposes
Remedy’sRx does not collect personal information about you unless you either (i) send an email message to Remedy’sRx; (ii) apply online for a position with Remedy’sRx, (iii) use any of the online Customer Access such as, without limitation, PharmaClik™, amongst others.
We do capture the paths taken as you move from page to page (i.e., your "click stream" activity). Information we collect on our websites may be used to enhance your use of these websites in ways such as:
Organize the website in the most user-friendly way;
Customize your browsing experience of this website;
Communicate special offers, information and featured items to you, if you choose to receive such notices;
Respond to your questions or suggestions.
[If you’ve seen any weirdo language like this - let me know in the comments and I can update the post].
It’s scary to think about the flu shot being used as an access point to...sell you stuff.
Another reason it’s problematic is the limited alternative(s), which right now is to go to your Doctor’s office, which may be closed or virtual.
Scarcity of the shot aside, policy people should be PISSED about these data grabs. 😡
There are two levers of consent that are of interest here:
Consent to marketing;
Consent to healthcare.
So data-sharing with the pharmacy doesn’t necessarily mean that the bargain with Canada’s [mostly…] public health care system is changing to more closely mirror that of much of the internet - “if you’re not paying for it, you are the product.”
You shouldn’t have to pay with your browsing data or trade any privacy to book your flu shot. People should have a clear choice to share their PII/PHI but not lose access to services.
The reality is that pharmacies may have to provide data to health care providers - to public health officials - if requested/authorized by law. The bigger issue is, of course, whether they are de-identifying registration information and selling insights on it.
Where’s the policy opportunity here?
It’s difficult to appreciate why third-party digital platforms working directly with pharmacies aren’t considered to be health information custodians when they are being entrusted with the same information.
How can we clarify the role of private sector service providers under personal health data legislation and deem them responsible as “custodians” or “trustees” if they want to promote basic virtual care services to reduce strain on physical health care infrastructure?
If Shoppers/Optimum/PC/health care apps are just service providers and are only “caught” by PIPEDA and not PHIPA, then that goes against consumer expectations.
Should consumer expectations align with actual regulatory decisions? We expect all health data is protected similarly, but it’s only given special protection if it is collected, used, or disclosed in the context of delivering health care.
💡 It might also be a good idea to figure out the data boundaries with this online booking business before they carry over to the COVID-19 vaccination.
The Ontario legislature is clearly concerned about health privacy (they recently updated PHIPA) but have not yet brought the new provisions into force, which contemplate electronic agents.
🚴♀️ A source of inspo here? How about: Peloton’s Terms? h/t Ellie.
Pelton’s terms are impressive for their comprehensiveness and how well they’ve made one policy apply for GDPR, CCPA and everywhere else. It’s a reminder that one jurisdiction like California or the EU can have the side effect of making companies provide more rights/transparency in other jurisdictions. Given that Ontario has specific health privacy legislation, digital companies that partner with pharmacies should be able to comply with PHIPA. We just need to make sure the legislation accurately captures them.
📘 Zooming out to the macro issues, a recent report from the Ada Lovelace Institute explores the “datafication” of health.
The ‘datafication’ of health has profound consequences for who can access data about health, how we practically and legally define ‘health data’, and on our relationship with our own wellbeing and the healthcare system. Health information can now be inferred from non-health data, and data about health can be used for purposes beyond healthcare.
*Jesse Hirsh wrote about the report in his newsletter here.
The Personal Health Information Protection Act “PHIPA” (2004) is Ontario’s health-specific privacy legislation. It governs that manner in which personal health information may be collected, used and disclosed within the health sector. It regulates health information custodians, as well as individuals and organizations that receive personal health information from custodians.
With limited exceptions, PHIPA requires custodians to obtain consent before personal health information is collected, used or disclosed. In addition, PHIPA provides individuals with a right to access and request correction of their personal health information.
PHIPA also provides a means for redress through the Office of the Information and Privacy Commissioner of Ontario (IPC) when privacy rights relating to personal health information have been violated.
If pharmacies + their digital partners are being leveraged as health providers, they should fall under this legislation as a “custodian” [!]. AKA we need to proactively enforce recent updates to PHIPA.
Registering online for a flu shot requires you to offer certain information like your name, date of birth, address, and gender.
Digital data can be (or seem) valuable from an advertising perspective. We shouldn’t blur the boundaries associated with handing medical data w/ advertising.
e.g. Companies like Carebook (which just raised $21M) have been collecting flu shot sign up information AKA I think they also…buy it.
e.g. Companies like MedMe - a “patient care platform to help pharmacists schedule, conduct, and track clinical services at scale” - which has partnered with Rexall for the flu shot - may be benefitting from digital data collected.
🔩 People are getting screwed.
💉 No one can get a flu shot.
📱 But! Information you volunteered to register for one *might* be used to serve you ads, even though it’s not supposed to be.
📗 New Digital Infrastructures of Workplace Health and Safety
Earlier, I profiled “Safen Labs,” new workplace tech that pledges to protect employees in the name of public health. I pointed out how the technology doesn’t need formal Health Canada approvals as it’s “not a medical device.” 😉
A new report from the Centre for Media, Technology & Democracy at McGill and data & Society warns of how the pandemic is normalizing collecting employee information and surveillance.