TLDR; some pharmacies are able to use the data you shared to register for your flu shot [LIST] for advertising purposes. Are we down with that? PS. This post is very Ontario-specific.
It seems that both Shoppers and Rexall say that your data *may* be used by third parties to sell ads. π
Maybe thatβs just a legal oversight on their part - a product of copy + paste Terms and Conditions. Or, maybe this is something worth examining in greater detail. π€·
My end: Iβve been looking at (*googling with furrowed brow in my βspareβ time) the flu shot booking system stuff b/c I was really curious whether people would be able to re-sell their COVID screening time or flu shot registration; imagining that there was *some* sort of secondary market for them that could also be colonized by scalper bots. Why is that? 1. I need hobbies 2. I am fascinated by our efforts to regulate ticket scalper bots [~foreshadowing a future post~].Β
Which is to say: this more βMiss Marpleβ than The Markup. Like, Iβm literally a lady with a laptop. But I think somethingβs up. π΅οΈββοΈ
In order to provide flu vaccinations, the province of Ontario has partnered with pharmacies/pharmacists. And this year, demand is up 500%.
In the event that the vaccine is available, shots are booked online. Right now, itβs a bit of a SNAFU and thereβs a shortage. It sucks! The flu shot is the new toilet paper. Everyone is annoyed. π€


Since we know why we canβt get a flu shot right now, letβs ask a different question:
What do pharmacies βgetβ when you sign up for a flu shot?
A pharmacy may reward you for registering for a flu shot with them. This is new.
A pharmacy may use the information you share to register for that shot to serve you targeted ads. While this is disconcerting, it is permissible b/c pharmacies are technically data βcustodiansβ under PHIPA (Personal Health Information Protection Act) BUT the digital third parties they partner with are not. Depending on the arrangement, they are the custodianβs βagentβ or βservice provider.β Non-healthcare provider health companies arenβt directly subject to health information privacy laws.Β
π Whatβs the βrewardβ for booking a flu shot?
(*Other than inoculation).
In an online βchatβ with me, Shopperβs shared that:
You have the opportunity to receive 500 PC Optimum points if you register online for a flu shot reminder at shoppersdrugmart.ca/flu by Thursday, October 15th 2020.
(This is the equivalent of $0.50).
So there is a little incentive to register with Shopperβs.
Is this problematic? Somewhat. While itβs not all *that* different than the monetary value of getting a lollipop *after* your shot (my doctor offers full-size Mars bars and this is a huge motivator for me), you donβt need to exchange anything in order to get that lollipop - itβs a bonus for getting inoculated, not the price of it.Β I find this disconcerting and a little silly, but itβs not my main beef.
π What is Rexall doing with my flu shot info?
Probably not all that much, since theyβre passing the information onto MedMe.
Hereβs what Rexall says:Β
Please be advised that you are entering a website operated by MedMe Health. Rexall bears no responsibility for the accuracy, legality or content of this external site or any links on this website. Please contact MedMe Health for answers to questions regarding the content or operation of this website.
Terms of Service for MedMe Health and Privacy Policy
We may sell, rent or share your Usage Data and other Non-Personal Information including, without limitation, device IDs, advertising IDs or other persistent identifiers and non-precise geolocation information or precise geolocation information (if you choose to allow us to collect it), with third parties who assist us with our operations such as administration, analytics, research, optimization, and with our business partners in order to, among other things, allow them to serve more relevant advertisements tailored to you.Β
What about βRemedyβs RXβ?
Remedyβs RX represents independently-owned pharmacies. You can search online by city/address to see where you can book a flu shot. They use βPharmaclickβ as a secure order management system.
If there are third parties that process RemedyβsRx data, we will require them to hold all personally-identifiable information confidential, and to use our customer information only for the purpose of fulfilling their business obligation.
4 - No Collection of Personal Information for Browsing Purposes
RemedyβsRx does not collect personal information about you unless you either (i) send an email message to RemedyβsRx; (ii) apply online for a position with RemedyβsRx, (iii) use any of the online Customer Access such as, without limitation, PharmaClikβ’, amongst others.
We do capture the paths taken as you move from page to page (i.e., your "click stream" activity). Information we collect on our websites may be used to enhance your use of these websites in ways such as:
Organize the website in the most user-friendly way;
Customize your browsing experience of this website;
Communicate special offers, information and featured items to you, if you choose to receive such notices;
Respond to your questions or suggestions.
[If youβve seen any weirdo language like this - let me know in the comments and I can update the post].
Itβs scary to think about the flu shot being used as an access point to...sell you stuff.Β
Another reason itβs problematic is the limited alternative(s), which right now is to go to your Doctorβs office, which may be closed or virtual.
Scarcity of the shot aside, policy people should be PISSED about these data grabs. π‘
There are two levers of consent that are of interest here:Β
Consent to marketing;Β
Consent to healthcare. Β
So data-sharing with the pharmacy doesnβt necessarily mean that the bargain with Canadaβs [mostlyβ¦] public health care system is changing to more closely mirror that of much of the internet - βif youβre not paying for it, you are the product.β
You shouldnβt have to pay with your browsing data or trade any privacy to book your flu shot. People should have a clear choice to share their PII/PHI but not lose access to services.
The reality is that pharmacies may have to provide data to health care providers - to public health officials - if requested/authorized by law. The bigger issue is, of course, whether they are de-identifying registration information and selling insights on it.Β
Whereβs the policy opportunity here?
Itβs difficult to appreciate why third-party digital platforms working directly with pharmacies arenβt considered to be health information custodians when they are being entrusted with the same information.
How can we clarify the role of private sector service providers under personal health data legislation and deem them responsible as βcustodiansβ or βtrusteesβ if they want to promote basic virtual care services to reduce strain on physical health care infrastructure?
If Shoppers/Optimum/PC/health care apps are just service providers and are only βcaughtβ by PIPEDA and not PHIPA, then that goes against consumer expectations.Β
Should consumer expectations align with actual regulatory decisions? We expect all health data is protected similarly, but itβs only given special protection if it is collected, used, or disclosed in the context of delivering health care.Β
π‘ It might also be a good idea to figure out the data boundaries with this online booking business before they carry over to the COVID-19 vaccination.


The Ontario legislature is clearly concerned about health privacy (they recently updated PHIPA) but have not yet brought the new provisions into force, which contemplate electronic agents.
π΄ββοΈ A source of inspo here? How about: Pelotonβs Terms? h/t Ellie.
Peltonβs terms are impressive for their comprehensiveness and how well theyβve made one policy apply for GDPR, CCPA and everywhere else. Itβs a reminder that one jurisdiction like California or the EU can have the side effect of making companies provide more rights/transparency in other jurisdictions. Given that Ontario has specific health privacy legislation, digital companies that partner with pharmacies should be able to comply with PHIPA. We just need to make sure the legislation accurately captures them.
π Zooming out to the macro issues, a recent report from the Ada Lovelace Institute explores the βdataficationβ of health.


The βdataficationβ of health has profound consequences for who can access data about health, how we practically and legally define βhealth dataβ, and on our relationship with our own wellbeing and the healthcare system. Health information can now be inferred from non-health data, and data about health can be used for purposes beyond healthcare.
*Jesse Hirsh wrote about the report in his newsletter here.
π’ regs
The Personal Health Information Protection Act βPHIPAβ (2004) is Ontarioβs health-specific privacy legislation. It governs that manner in which personal health information may be collected, used and disclosed within the health sector. It regulates health information custodians, as well as individuals and organizations that receive personal health information from custodians.
With limited exceptions, PHIPA requires custodians to obtain consent before personal health information is collected, used or disclosed. In addition, PHIPA provides individuals with a right to access and request correction of their personal health information.
PHIPA also provides a means for redress through the Office of the Information and Privacy Commissioner of Ontario (IPC) when privacy rights relating to personal health information have been violated.
If pharmacies + their digital partners are being leveraged as health providers, they should fall under this legislation as a βcustodianβ [!]. AKA we need to proactively enforce recent updates to PHIPA.
Registering online for a flu shot requires you to offer certain information like your name, date of birth, address, and gender.
π° riches
Digital data can be (or seem) valuable from an advertising perspective. We shouldnβt blur the boundaries associated with handing medical data w/ advertising.
e.g. Companies like Carebook (which just raised $21M) have been collecting flu shot sign up information AKA I think they alsoβ¦buy it.
e.g. Companies like MedMe - a βpatient care platform to help pharmacists schedule, conduct, and track clinical services at scaleβ - which has partnered with Rexall for the flu shot - may be benefitting from digital data collected.
tldr;
π© People are getting screwed.
π No one can get a flu shot.
π± But! Information you volunteered to register for one *might* be used to serve you ads, even though itβs not supposed to be.
π New Digital Infrastructures of Workplace Health and Safety
Earlier, I profiled βSafen Labs,β new workplace tech that pledges to protect employees in the name of public health. I pointed out how the technology doesnβt need formal Health Canada approvals as itβs βnot a medical device.β π
A new report from the Centre for Media, Technology & Democracy at McGill and data & Society warns of how the pandemic is normalizing collecting employee information and surveillance.

