Book:LIMS Buyer’s Guide for Cannabis Testing Laboratories/LIMS, informatics, and cannabis testing/Data privacy and management

From LIMSWiki

3.4 Data privacy and management

Though "strong data security and confidentiality" was listed in Table 2 as a cannabis testing LIMS consideration, more should be said about that consideration. The security of data housed in the LIMS is paramount. Standards like ISO/IEC 17025 require it, as do laws and regulations in many U.S. states. But data security goes beyond complying with standards and regulations; it's an element found in broad areas of the cannabis industry itself.

3.4.1 Across the broad cannabis industry

In the fall of 2018, Canada legalized the purchase, growth, and consumption of marijuana in small amounts across the country.[1] Ahead of and after the official date of legalization, concerns were being raised about the protection of Canadian cannabis consumers' personally identifiable information (PII)[2], particularly in regard to data processed and stored in the United States.[3][4][5] In truth, comparisons of Canada's privacy laws with those of the United States existed well before the vote, with resources such as FindLaw detailing risks to any Canadian data transferred to the United States.[6] However, concerns grew that Ontario's mandated use of the e-commerce platform Shopify (until private retail outlets opened in April 2019) would put Canadian cannabis consumers' data at risk.[3][7] In particular, Canadian consumers remain worried that if their purchase history becomes available to United States government officials, who function in an environment of criminalization of cannabis use, they will not be allowed entry into the U.S. at minimum, or be treated as criminals upon attempting entry at worst. As such, some developers of cannabis data management software—such as Cova Software—have publicly acknowledged that any cannabis retail data for Canadian customers will remain in Canada "over and above the current legal requirements."[5] Yet even with data providers' intentions to follow Canadian privacy rules and recommendations, data breaches still occur, as happened with Canada Post in November 2018[2][8], further emphasizing the need for strict protocols and protections for cannabis consumer data.

In the United States, despite cannabis' federal prohibition, many states have been taking on various levels of legalization of cannabis. As Rachel Hutchinson of Foley Hoag LLP noted in March 2017, much like Canada, "[l]egalization has led to increased oversight and monitoring, as well as to the collection and storage of personally identifiable information ... [and the] threat of a federal crackdown leaves most customers resistant to creating any sort of paper trail."[9] In this sort of environment, where federal threats still exist, a patchwork collection of state-based laws has sprung up, including Oregon's Senate Bill 863, which prevents retailers of recreational cannabis from collecting and sharing customers' PII.[10] California has also implemented a variation of this type of protection for both recreational and medical cannabis consumers.[11] Of note is California's classification of medical marijuana identification cards as "medical information," which lends additional credence to the idea that medical marijuana consumers' PII held in dispensaries should be protected by U.S. Health Insurance Portability and Accountability Act (HIPAA) regulations.[12] However, without a unified policy and legal framework for cannabis use and its associated data, it's difficult to foresee what future data collection and privacy regulations will look like in the United States. Despite this, some software development companies are betting on further demand for privacy of PII with the development of "personal privacy and HIPAA complaint cannabis consumer transaction solution[s]."[13]

Additionally, as in Canada, concerns about data privacy still abound in the United States. Companies such as THSuite, LLC have already been found to have inadvertently exposed sensitive personal data—and possibly even protected health information (PHI)—from multiple U.S. cannabis dispensaries, potentially violating HIPAA regulations.[14][15] As the anonymous author of the original report concerning THSuite points out, "most legal experts agree that dispensaries must follow HIPAA regulations just like any other health care provider," and even in a realm without legal risk, exposed data could mean "individuals may suffer backlash if their families, friends, and colleagues find out that they use cannabis."[14] Again, these issues firmly fall at the feet of the main problem of not having unified cannabis legislation, let alone not having a federally recognized legalized status of cannabis. With the unclear and mismatched state of law regarding cannabis user data protection, the onus still remains firmly with software developers and businesses' data managers in regard to thoroughly testing software and implementing (as well as enforcing) stricter controls such as encryption, intrusion detection, and authentication mechanisms.[15]

3.4.2 What this means for the lab


While many cannabis testing laboratories won't be handling medical marijuana patient information, let alone dispensary sales information, lab managers must consider the data privacy issues of those realms and relate them to the data and workflows of the cannabis testing lab. What data must be protected? What standards must be followed to ensure that data's protection?

Take for example ISO/IEC 17025:2017, item 8.4.2, which requires a lab to have "controls" in place "for the identification, storage, protection, back-up, archive, retrieval, retention time, and disposal of its records."[16] The long-term implication here is that data should be clearly identified, securely stored, backed up and archived, and have clear information about their retention and disposal. The data should be thoughtfully "controlled" so it doesn't get lost or fall into the wrong people's hands. This is further evidenced by ISO/IEC 17025:2017, item 7.11.3, which calls for the data to be "protected from unauthorized access" and "safeguarded against tampering and loss."[17]

As such, it's obvious that cannabis testing labs, at a minimum, have to take data privacy and management seriously to stay in step with the ISO/IEC 17025 standard. That of course doesn't take into consideration any regulatory requirements for chain of custody and certificates of authority to be preserved by the lab for a specific period of time, nor does it account for any proprietary methods and business details that could potentially harm a lab in the wrong hands. Just like the personal health information of medical marijuana patients, and like the customer information of dispensaries, cannabis testing labs are charged with ensuring the security and privacy of the data they collect and manage.

To meet those requirements and more, a LIMS that includes functionality that helps labs support ISO/IEC 17025:2017, NELAC, ELAP, and Patient Focused Certification (PFC) requirements makes for a wise investment. Cannabis testing workflows can be difficult, as is the management of associated analytical instruments and their data. Throw in the complication of a semi-fractured regulatory atmosphere, and the cannabis testing lab is forced to operate with tight, enforced procedures to ensure not only the quality of tested cannabis substances but also the chain of custody of samples that come into the lab's possession. A LIMS that can carefully and automatically collect, manage, track, retain, and archive operational data—as well as the audit trails associated with those activities—is required to better maintain the security and privacy of that data, as well as the long-term viability of the lab.[18]

References

  1. Porter, C. (11 November 2018). "Canada’s Message to Teenagers: Marijuana Is Legal Now. Please Don’t Smoke It". The New York Times. The New York Times Company. https://www.nytimes.com/2018/11/11/world/canada/marijuana-legalization-teenagers.html. Retrieved 08 July 2022. 
  2. Stoller, D.R. (18 November 2018). "Legal Canadian Pot Sales Spur Data Privacy Concerns". Bloomberg BNA. Archived from the original on 02 January 2019. https://web.archive.org/web/20190102164241/https://www.bna.com/legal-canadian-pot-n57982093971/. Retrieved 08 July 2022. 
  3. Blinch, M. (27 August 2018). "How privatized cannabis sales threaten your privacy". The Conversation. https://theconversation.com/how-privatized-cannabis-sales-threaten-your-privacy-101870. Retrieved 08 July 2022. 
  4. "A society in transition, an industry ready to bloom: 2018 Cannabis Report" (PDF). Deloitte LLP. 2018. https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/consulting/ca-cannabis-2018-report-en.PDF. Retrieved 08 July 2022. 
  5. Moore, B. (27 September 2018). "Cova Software Announces Plan to Retain Retail Cannabis Data in Canada". NCIA News. National Cannabis Industry Association. https://thecannabisindustry.org/member_news/cova-software-announces-plan-to-retain-retail-cannabis-data-in-canada/. Retrieved 08 July 2022. 
  6. "Canada's Privacy Laws vs. the USA PATRIOT ACT". FindLaw. Thomson Reuters. 2 March 2018. https://corporate.findlaw.com/law-library/canada-s-privacy-laws-vs-the-usa-patriot-act.html. Retrieved 08 July 2022. 
  7. Abraham, E. (18 October 2018). "Cannabis may be legal in Canada – but this is why it's still not safe to buy it online". Independent. https://www.independent.co.uk/voices/cannabis-canada-legal-sale-buying-online-risks-a8589716.html. Retrieved 08 July 2022. 
  8. Perkel, C. (7 November 2018). "Canada Post admits cannabis privacy breach involving 4,500 Ontario customers". CTV News. https://www.ctvnews.ca/canada/canada-post-admits-cannabis-privacy-breach-involving-4-500-ontario-customers-1.4167149. Retrieved 08 July 2022. 
  9. Hutchinson, R. (22 March 2017). "Marijuana and Privacy: A Primer". Security, Privacy and the Law. Foley Hoag LLP. https://www.securityprivacyandthelaw.com/2017/03/marijuana-and-privacy-a-primer/. Retrieved 08 July 2022. 
  10. Marum, A. (19 April 2017). "Smoke pot in Oregon? Your name now protected from feds". The Oregonian. https://www.oregonlive.com/marijuana/2017/04/marijuana_user_data_protected.html. Retrieved 08 July 2022. 
  11. Sherry, K. (4 October 2018). "Client Alert: New California Privacy Law, AB-2402, Specifically Targets Cannabis Licensees". Nelson Hardiman Newsroom. Nelson Hardiman LLP. https://www.nelsonhardiman.com/client-alert-new-california-privacy-law-ab-2402-specifically-targets-cannabis-licensees/. Retrieved 08 July 2022. 
  12. Drolet, M. (15 May 2017). "Cannabis and privacy compliance: Is your health information protected?". Cannabis Business Executive. https://www.cannabisbusinessexecutive.com/2017/05/hippa-cannabis-and-privacy-compliance/. Retrieved 08 July 2022. 
  13. "USMJ and Landstar Plan to Bring Data Privacy and HIPAA Compliance to Marijuana Consumers". PR Newswire. 14 November 2018. https://www.prnewswire.com/news-releases/usmj-and-landstar-plan-to-bring-data-privacy-and-hipaa-compliance-to-marijuana-consumers-831506836.html. Retrieved 08 July 2022. 
  14. Fawkes, G. (24 January 2020). "Report: Cannabis Users’ Sensitive Data Exposed in Data Breach". vpnMentor Blog. https://www.vpnmentor.com/blog/report-thsuite-breach/. Retrieved 07 July 2021. 
  15. Shaghaghi, S.; Weinstein, I. (18 February 2020). "Leak of 30,000 cannabis customer records heightens need for effective data security". Insights. CohnReznick LLP. https://www.cohnreznick.com/insights/leak-of-30000-cannabis-customer-records-heightens-need-for-effective-data-security. Retrieved 08 July 2022. 
  16. Kramer, M. (20 April 2020). "ISO/IEC 17025:2017 Requirements Concerning Document Control and Control of Records" (PDF). Perry Johnson Laboratory Accreditation, Inc. https://www.pjlabs.com/downloads/webinar_slides/4.20.2020_Doc-Control-Records.pdf. Retrieved 07 July 2021. 
  17. "ISO/IEC 17025:2017: General requirements for the competence of testing and calibration laboratories" (PDF). Shimadzu Europa. https://www.shimadzu.eu/sites/shimadzu.seg/files/SEG/Landingpages/DataIntegrity/SEG_4547_Whitepaper_ISO_v7_OK.pdf. Retrieved 07 July 2021. 
  18. Audino, S. (7 February 2018). "Managing Cannabis Testing Lab Workflows Using LIMS". Cannabis Industry Journal. https://cannabisindustryjournal.com/feature_article/managing-cannabis-testing-lab-workflows-using-lims/. Retrieved 07 July 2021. 



Citation information for this chapter

Chapter: 3. LIMS, informatics, and cannabis testing

Edition: Summer 2021

Title: LIMS Buyer’s Guide for Cannabis Testing Laboratories

Author for citation: Shawn E. Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: August 2021