Bill S-202, An Act to establish and maintain a national registry of medical devices (Medical Devices Registry Act)

Submission to the Senate Committee on Social Affairs, Science and Technology

April 22, 2013

The Honourable Kelvin Kenneth Ogilvie
Chair
Senate Committee on Social Affairs,
Science and Technology
The Senate of Canada
Ottawa, Ontario
K1A 0A4

Dear Honourable Senator:

I wish to thank you and your Committee for the opportunity to submit this written statement concerning Bill S-202, An Act to establish and maintain a national registry of medical devices (Medical Devices Registry Act). 

As you know, the purpose of Bill S-202 is to establish a national registry of medical devices, which will require manufacturers, importers and distributors of these devices to notify a registrar if they become aware that a device poses a risk to the health and safety of the user.

Under Bill S-202, the registry would be held and operated by Health Canada, and information would be provided by the medical practitioner who inserts an implantable medical device into a person’s body or who supplies a home use medical device to a person. In all cases, the registry would contain information about the date and location of the implantation procedure, the name of the practitioner who performed the procedure, and detailed information about the device.

The name, date of birth and address of the user would only be provided if the recipient consents to it – after having been informed of the nature and purpose of the registry. If the user does consent, he or she would also be advised to notify the registrar of any change of address. Personal information related to the user would be deemed confidential, and would only be disclosed to another organization or person with his or her written consent.

From the outset, I wish to express my understanding of the concerns underpinning the idea of creating a national registry of medical records, namely that Canadians be informed in a timely manner of any health or safety issue that may arise from their use of such a device.

I also note that Bill S-202 contains significant privacy protecting measures, such as:

  • explaining the nature and purpose of the registry to the user;
  • obtaining their consent before adding their personal information to the registry;
  • limiting the personal information obtained to name, date of birth and address;
  • providing a copy of the information held to the user; and
  • requiring written consent before any disclosure of personal information to another person or organization is made.

These are all positive measures. And while I understand that further privacy enhancing details may be set out in regulations, I would like to draw your attention to other important privacy principles and practices that ought be considered:

  • Personal information should be accurate, complete and up-to-date. In this respect, the fact that the proposed bill would rely on users to update their address information with the registrar may prove to be a challenge in ensuring accurate and up to date information;
  • Personal information should be physically and electronically secured from breach or unauthorized access. Only authorized personnel, with appropriate security clearances, should be able to access data;
  • Given the sensitive nature of the data, consideration should be given to segregating personal information from other data sets and putting in place strict protocols for re-linking the information. Anonymization of personal information should also be considered if continuous post-market research and analyses were to be performed;
  • Clear retention and disposal schedules and procedures should be put in place;
  • All entries should leave an audit trail. As well, information collection, use, retention, disclosure, disposal and general flow should be easy to audit, whether internally or by an independent party; and
  • In the event of a breach, users should be notified in a timely manner and policies and protocols should be in place to minimize the impact of the breach and ensure corrective measures can be promptly taken.

As illustrated above, setting up and operating a registry in a privacy respectful manner are both essential duties and complex endeavours. My Office has a long standing position that the creation of a registry should be assessed with great caution as it opens the way for the state to access large databases about many of its citizens.

I understand that one in ten Canadians has an implantable device and thousands more use a home medical device. As such, more than 3.4 million Canadians could see their sensitive personal and medical information provided to a centralized registry. And this number is only likely to grow as the population ages. 

Given the privacy challenges that a national medical device registry could entail, an open reflection should be made on whether the benefits of creating such a registry would outweigh the potential costs to the privacy of Canadians. If a registry were deemed necessary in order to achieve legitimate consumer protection objectives sought by the Bill, a careful consideration should be given to how to enable its operation in the most privacy protective manner.    

 I hope you have found these reflections useful and I thank you once again for providing me an opportunity to share my thoughts on Bill S-202.

Sincerely,

(Original signed by)

Jennifer Stoddart
Privacy Commissioner of Canada

Date modified: