Privacy Considerations in Setting up Tweed’s Medical Marijuana Distribution Business

 

Image

Medical marijuana growing at Tweed’s Smiths Falls location

 

After April 1st, Tweed Inc. will be among the first businesses to sell medical marijuana in Canada. The new legislative framework that will be in effect on that date allows businesses that have received licenses from Health Canada to grow and sell medical marijuana. Tweed has started production activities in its Smiths Falls facility that was previously home to a Hershey chocolate factory. Over the last couple of months, I had the opportunity to work with Tweed to develop its privacy policy and practices to ensure compliance with the Marijuana for Medical Purposes Regulations (MMPR) and applicable privacy legislation. The following is a summary of some of the privacy considerations we looked at in establishing Tweed’s medical marijuana distribution business.

The Application Process

The MMPR require applicants registering to become clients of licensed medical marijuana producers to provide certain personal information, including their name, date of birth and gender. The MMPR also require information about the residences of applicants. For example, if an applicant does not live in a private residence, the applicant must disclose the type of residence that he or she lives in (i.e. a shelter).

Because an individual is only permitted to use medical marijuana if he or she has a “Medical Document”, a producer seeking to sell medical marijuana must be able to contact the applicant’s health care practitioner to verify the applicant’s prescription. Before this can be done, the applicant must complete a consent form granting the distributor permission to contact the applicant’s health care practitioner to inquire about the prescription.

Purchasing Medical Marijuana

Once applicants become registered clients, they can purchase medical marijuana from their distributors. Distributors are required to maintain records pertaining to purchases in order to comply with regulatory requirements. In certain circumstances, the MMPR requires licensed distributors to disclose information about their clients to the police. In the interest of transparency, Tweed’s privacy policy outlines the legal obligations regarding such disclosure and the steps that Tweed will take prior to responding to such law enforcement requests. For example, before Tweed will disclose information about a client, the police officer making the request must provide Tweed with the full name, date of birth and gender of the individual being investigated.

The Delivery Stage

The delivery stage is very important from a privacy perspective. Health Canada itself learned this lesson last November when it sent notices to 40,000 individuals using medical marijuana in envelopes showing the patients’ names and referencing the Medical Marijuana Access Program. As expected the disclosure of such personal information has resulted in the initiation of a class action lawsuit against Health Canada.

In order to maintain the privacy of its clients, Tweed will be using a secure delivery service. The external packaging of the deliveries will not contain Tweed’s name, its famous address (1 Hershey Drive), or information disclosing the medical marijuana contents of the package.

Transparency and Accountability      

As far as personal information goes, health information ranks among the most sensitive in nature as it reveals the most intimate details of individuals personal lives. Accordingly, it is particularly important for businesses handling such information to operate in a transparent and accountable manner. More information about Tweed’s privacy practices and the contact information of Tweed’s Chief Privacy Officer can be found on Tweed’s website.

*This post was written with permission from Tweed.

Canada’s Anti-Spam Legislation: What businesses need to know

Before Canada’s new Anti-Spam Legislation (CASL) comes into force, businesses operating in Canada will need to review and modify their practices to ensure compliance with the new requirements regarding commercial electronic messages and the installation of computer programs. CASL will come into force in three stages over the next few years – the following is a brief summary of the main provisions of each stage.

Stage 1 (July 1, 2014): Commercial Electronic Messages (CEM) Provisions

Subject to meeting any of the prescribed exceptions, CASL creates a prohibition against sending CEM, except in cases where the receiver has consented to receiving CEM, and the CEM meets the prescribed requirements. There are certain situations in which consent may be implied. For instance, consent is implied where there is an “existing business relationship” as defined in CASL and its accompanying regulations. An example of a qualifying “existing business relationship” is one in which there has been a purchase or lease of a product or a service in the two years preceding the sending of the CEM.

If an existing business relationship does not meet any of the conditions for implied consent, the business must seek express consent from intended recipients. A valid express consent must also meet certain prescribed requirements. For example, a business seeking consent must clearly convey that it is seeking consent to send CEM, and intended recipients must take an active step to indicate their consent to receiving such CEM. This means that standard business practices such as using opt-out mechanisms or implementing a pre-checked consent box will no longer be acceptable.

CASL also specifies certain requirements regarding the form and content of CEM. Each CEM must: identify the sender; disclose the sender’s contact information (as prescribed); and provide a mechanism to allow the recipient to unsubscribe. The unsubscribe mechanism must allow the recipient of the CEM (at no cost to them) to indicate the withdrawal of their consent, and must include the contact information of the sender which must be valid for at least 60 days after the CEM is sent. A request to unsubscribe must be given effect in no more than 10 business days.

Stage 2 (January 15, 2015): Provisions Related to Installation of Computer Programs

CASL prohibits a business from installing certain categories of computer programs on computers belonging to other people, unless the business has obtained express consent from the persons on whose computers the programs are being installed. Additionally, businesses seeking to install computer programs must comply with certain requirements regarding the unsubscribe mechanism. For instance, businesses must provide the recipients of computer programs with an email address to which the recipients may send a request to remove or disable the programs. The email address must be valid for one year after the programs are installed. In cases where consent was obtained based on an inaccurate description of the applicable computer program, the business which installed it must assist in removing or disabling the program.

Stage 3 (July 1, 2017): Private Right of Action

CASL creates a private right of action that enables individuals to seek compensation from individuals and businesses that contravene the provisions. Individuals will be able to seek compensation for actual losses, damages and expenses incurred due to contraventions. It is expected that once these provisions are in force, class actions will soon follow.

Next Steps

As CASL’s three stages come into effect, businesses operating in Canada that are sending commercial electronic messages or installing computer programs should seek legal advice to ensure compliance. This summary is intended to highlight CASL’s key provisions, and in light of the nuances of CASL and its accompanying regulations, it is recommended that businesses obtain legal advice regarding compliance.