Concerns are being raised that the confidential medical data of British Columbians could wind up in the hands of U.S. authorities if the provincial government proceeds with plans to outsource the administration of the province’s Medical Services Plan to an American company.
The BC government has short-listed two companies, IBM Canada and Virginia-based Maximus, to take over administration services of the Medical Services Plan (MSP) and the PharmaCare program.
A legal opinion obtained by the BC Government and Service Employees’ Union (BCGEU) says Canadian subsidiaries of U.S. companies are subject to the Patriot Act. Passed in the US after the Sept. 11, 2001 terrorist attacks, the act requires a company with access to documents sought by the FBI to turn them over, without informing the owner of the information of the release.
BCGEU George Heyman said the union has filed a judicial review seeking to stop the privatization from proceeding, arguing that it is unacceptable to let a private company have access to sensitive medical information.
“In addition to worries about how this will affect our health care system, there are serious issues of personal privacy,” said Heyman. “Putting an American company or even an affiliate in charge of our health-care system will give it access to private information about every British Columbian.”
The outsourcing is being handled by the Ministry of Management Services, which also has responsibility for privacy. Minister Joyce Murray said the government is taking the concerns raised by the BCGEU seriously.
After contacting the BC Privacy Commissioner and other privacy offices across Canada, Murray said it became clear the Patriot Act wasn’t on the radar screen and they decided to seek an expert legal opinion. Two potential experts have been short-listed, and Murray said they expect to have an opinion within one month.
“We’ve been very clear from the beginning that the protection of individuals’ information is a high priority for this government,” said Murray, noting BC already has strong privacy legislation in place. “We’ll make sure that any concerns we receive with respect to this opinion about the Patriot Act are incorporated within the structure of the final contract.”
While that opinion is being sought, the outsourcing process is continuing, with a proponent to be selected “in the very near future,” negotiating toward a contract in the fall.
Murray said any concerns raised in the legal opinion will be worked into the structure of the contract to ensure Canadian information stays inside Canada.
“It’s a fundamental issue that the information of Canadians on Canadian soil is not accessible to other organizations from other countries,” said Murray. “We’re going to ensure that contracts are structured such that we have that protection in place.”
But Murray’s plan doesn’t wash with John Beardwood, treasurer of the Canadian IT law association. Beardwood said believing privacy concerns raised by the Patriot Act could be overcome in the contract would be “misstated and misthought,” and such a solution likely wouldn’t be accepted by the vendor.
“If I’m the vendor I’m going to say to the customer there’s nothing I can do about this, I have to follow the law,” said Beardwood. “It’s a bit of a hard sell to expect a vendor to indemnify the customer for any problems that might arise under Canadian law, given the fact they’re following American law.”
The issue for a U.S.-based IT company operating in Canada is the potential conflict between the U.S. Patriot Act, which requires them to hand over the data without consent, and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which requires consent.
Beardwood said there are exceptions to PIPEDA’s consent provisions. For example, if a government institution can show reasonable grounds the information relates to a contravention of the laws of Canada or a foreign jurisdiction, then consent may be waived. But that requires the FBI to work through Canadian authorities, and Beardwood said in his view, the vendor would still have to inform the customer.
It’s a murky area that still needs further study, but Beardwood said he feels it’s unlikely Canadian authorities would go after a private company for complying with US law.
“The privacy commissioner can either go after the private entity for violation of Canadian law, which they’ve been forced to do by American law, or they go after the American authorities and complain,” said Beardwood. “With this privacy commissioner, I think they’d be more likely to complain to the American authorities.”
With outsourcing becoming a major business for IT companies, the Information Technology Association of Canada is following the case closely, and policy director Bill Munson said they’re eagerly awaiting the legal opinion being sought by the BC government.
“It’s all speculation until the interpretation of the legislation is clear,” said Munson, adding ITAC is meeting with a number of member companies in this business next week to discuss the issue and the potential implications. “It will be of considerable interest to them what the interpretation will be, I think they were caught off guard by the potential impacts of the Patriot Act.”
Munson said companies doing business across borders with conflicting legislation is part of global business, but this case appears to be different. Usually, he said, the laws of country A may be tight but there may be some laxness in country B’s laws, creating some wiggle room. That may not be the case here.
“But that’s only speculation, that’s why we’re waiting for the legal opinion,” said Munson.