Difference between revisions of "User:Shawndouglas/sandbox/sublevel10"

From CannaQAWiki
Tag: Reverted
Tag: Reverted
Line 1: Line 1:
In the fall of 2018, Canada legalized the purchase, growth, and consumption of marijuana in small amounts across the country.<ref name="PorterCanada18">{{cite web |url=https://www.nytimes.com/2018/11/11/world/canada/marijuana-legalization-teenagers.html |title=Canada’s Message to Teenagers: Marijuana Is Legal Now. Please Don’t Smoke It |author=Porter, C. |work=The New York Times |publisher=The New York Times Company |date=11 November 2018 |accessdate=07 July 2021}}</ref> Ahead of and after the official date of legalization, concerns were being raised about the protection of Canadian cannabis consumers' personally identifiable information (PII)<ref name="StollerLegal18">{{cite web |url=https://www.bna.com/legal-canadian-pot-n57982093971/ |archiveurl=https://web.archive.org/web/20190102164241/https://www.bna.com/legal-canadian-pot-n57982093971/ |title=Legal Canadian Pot Sales Spur Data Privacy Concerns |work=Bloomberg BNA |author=Stoller, D.R. |date=18 November 2018 |archivedate=02 January 2019 |accessdate=07 July 2021}}</ref>, particularly in regards to data processed and stored in the United States.<ref name="BlinchHowPriv18">{{cite web |url=https://theconversation.com/how-privatized-cannabis-sales-threaten-your-privacy-101870 |title=How privatized cannabis sales threaten your privacy |work=The Conversation |author=Blinch, M. |date=27 August 2018 |accessdate=07 July 2021}}</ref><ref name="DeloitteASociety18">{{cite web |url=https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/consulting/ca-cannabis-2018-report-en.PDF |format=PDF |title=A society in transition, an industry ready to bloom: 2018 Cannabis Report |publisher=Deloitte LLP |date=2018 |accessdate=07 July 2021}}</ref><ref name="MooreCova18">{{cite web |url=https://thecannabisindustry.org/member_news/cova-software-announces-plan-to-retain-retail-cannabis-data-in-canada/ |title=Cova Software Announces Plan to Retain Retail Cannabis Data in Canada |author=Moore, B. 
|work=NCIA News |publisher=National Cannabis Industry Association |date=27 September 2018 |accessdate=07 July 2021}}</ref> In truth, comparisons of Canada's [[Privacy law|privacy laws]] with those of the United States existed well before the vote, with resources such as FindLaw detailing risks to any Canadian data transferred to the United States.<ref name="FLCanada04">{{cite web |url=https://corporate.findlaw.com/law-library/canada-s-privacy-laws-vs-the-usa-patriot-act.html |title=Canada's Privacy Laws vs. the USA PATRIOT ACT |work=FindLaw |publisher=Thomson Reuters |date=02 August 2004 |accessdate=07 July 2021}}</ref> However, concerns grew that Ontario's mandated use of the e-commerce platform Shopify (until private retail outlets opened in April 2019) would put Canadian cannabis consumers' data at risk.<ref name="BlinchHowPriv18" /><ref name="AbrahamCannabis18">{{cite web |url=https://www.independent.co.uk/voices/cannabis-canada-legal-sale-buying-online-risks-a8589716.html |title=Cannabis may be legal in Canada – but this is why it's still not safe to buy it online |work=Independent |author=Abraham, E. |date=18 October 2018 |accessdate=07 July 2021}}</ref> In particular, Canadian consumers remain worried that if their purchase history becomes available to United States government officials, who function in an environment of criminalization of cannabis use, they will not be allowed entry into the U.S. at minimum, or be treated as criminals upon attempting entry at worst. 
As such, some developers of cannabis data management software—such as Cova Software—have publicly acknowledged that any cannabis retail data for Canadian customers will remain in Canada "over and above the current legal requirements."<ref name="MooreCova18" /> Yet even with data providers' intentions to follow Canadian privacy rules and recommendations, data breaches still occur, as happened with the Canada Post in November 2018.<ref name="StollerLegal18" /><ref name="PerkelCanadaPost18">{{cite web| url=https://www.ctvnews.ca/canada/canada-post-admits-cannabis-privacy-breach-involving-4-500-ontario-customers-1.4167149 |title=Canada Post admits cannabis privacy breach involving 4,500 Ontario customers |work=CTV News |author=Perkel, C. |date=07 November 2018 |accessdate=07 July 2021}}</ref>, further emphasizing the need for strict protocols and protections for cannabis consumer data.
====3.4.2 What this means for the lab====
[[File:Logo der ISO.svg|right|200px]]While many cannabis testing laboratories won't be handling medical marijuana patient information, let alone dispensary sales information, lab managers must consider the data privacy issues of those realms and relate them to the data and workflows of the cannabis testing lab. What data must be protected? What standards must be followed to ensure that data's protection?


In the United States, despite cannabis' federal prohibition, many states have been taking on various levels of legalization of cannabis. As Rachel Hutchinson of Foley Hoag LLP noted in March 2017, much like Canada, "[l]egalization has led to increased oversight and monitoring, as well as to the collection and storage of personally identifiable information ... [and the] threat of a federal crackdown leaves most customers resistant to creating any sort of paper trail."<ref name="HutchinsonMari17">{{cite web |url=https://www.securityprivacyandthelaw.com/2017/03/marijuana-and-privacy-a-primer/ |title=Marijuana and Privacy: A Primer |author=Hutchinson, R. |work=Security, Privacy and the Law |publisher=Foley Hoag LLP |date=22 March 2017 |accessdate=07 July 2021}}</ref> In this sort of environment, where federal threats still exist, a patchwork collection of state-based laws have sprung up, including Oregon's Senate Bill 863, which prevents retailers of recreational cannabis from collecting and sharing customers' PII.<ref name="MarumSmoke17">{{cite web |url=https://www.oregonlive.com/marijuana/2017/04/marijuana_user_data_protected.html |title=Smoke pot in Oregon? Your name now protected from feds |author=Marum, A. |work=The Oregonian |date=19 April 2017 |accessdate=07 July 2021}}</ref> California has also implemented a variation of this type of protection for both recreational and medical cannabis consumers.<ref name="SherryClient18">{{cite web |url=https://www.nelsonhardiman.com/client-alert-new-california-privacy-law-ab-2402-specifically-targets-cannabis-licensees/ |title=Client Alert: New California Privacy Law, AB-2402, Specifically Targets Cannabis Licensees |work=Nelson Hardiman Newsroom |author=Sherry, K. 
|publisher=Nelson Hardiman LLP |date=04 October 2018 |accessdate=07 July 2021}}</ref> Of note is California's classification of medical marijuana identification cards as "medical information," which lends additional credence to the idea that medical marijuana consumers' PII held in dispensaries should be protected by U.S. [[Health Insurance Portability and Accountability Act]] (HIPAA) regulations.<ref name="DroletCannabis17">{{cite web |url=https://www.cannabisbusinessexecutive.com/2017/05/hippa-cannabis-and-privacy-compliance/?utm_source=CBE+Master+List&utm_campaign=3dd8f01b21-CBE+Policy+%26+Legal&utm_medium=email&utm_term=0_1f64189714-3dd8f01b21-264215833 |title=Cannabis and privacy compliance: Is your health information protected? |author=Drolet, M. |work=Cannabis Business Executive |date=15 May 2017 |accessdate=07 July 2021}}</ref> However, without a unified policy and legal framework for cannabis use and its associated data, its difficult to foresee what future data collection and privacy regulations will look like in the United States. Despite this, some software development companies are betting on further demand for privacy of PII with the development of "personal privacy and HIPAA complaint cannabis consumer transaction solution[s]."<ref name="PRNewswireUSMJ18">{{cite web |url=https://www.prnewswire.com/news-releases/usmj-and-landstar-plan-to-bring-data-privacy-and-hipaa-compliance-to-marijuana-consumers-831506836.html |title=USMJ and Landstar Plan to Bring Data Privacy and HIPAA Compliance to Marijuana Consumers |work=PR Newswire |date=14 November 2018 |accessdate=07 July 2021}}</ref>
Take for example ISO/IEC 17025:2017, item 8.4.2, which requires a lab to have "controls" in place "for the identification, storage, protection, back-up, archive, retrieval, retention time, and disposal of its records."<ref name="KramerISOIEC20">{{cite web |url=https://www.pjlabs.com/downloads/webinar_slides/4.20.2020_Doc-Control-Records.pdf |format=PDF |title=ISO/IEC 17025:2017 Requirements Concerning Document Control and Control of Records |author=Kramer, M. |publisher=Perry Johnson Laboratory Accreditation, Inc |date=20 April 2020 |accessdate=07 July 2021}}</ref> The long-term implication here is that data should be clearly identified, ''securely'' stored, backed up and archived, and have clear information about their retention and disposal. The data should be thoughtfully "controlled" so it doesn't get lost or fall into the wrong people's hands. This is further evidenced by ISO/IEC 17025:2017, item 7.11.3, which calls for the data to be "protected from unauthorized access" and "safeguarded against tampering and loss."<ref name="ShimadzuISOIEC">{{cite web |url=https://www.shimadzu.eu/sites/shimadzu.seg/files/SEG/Landingpages/DataIntegrity/SEG_4547_Whitepaper_ISO_v7_OK.pdf |format=PDF |title=ISO/IEC 17025:2017: General requirements for the competence of testing and calibration laboratories |publisher=Shimadzu Europa |accessdate=07 July 2021}}</ref>


Additionally, like Canada, concerns still abound concerning data privacy in the United States. Companies such as THSuite, LLC have already been found to inadvertently expose sensitive personal data—and possible even [[protected health information]] (PHI)—from multiple U.S. cannabis dispensaries, potentially violating HIPAA regulations.<ref name="FawkesReportCanna20">{{cite web |url=https://www.vpnmentor.com/blog/report-thsuite-breach/ |title=Report: Cannabis Users’ Sensitive Data Exposed in Data Breach |author=Fawkes, G. |work=vpnMentor Blog |date=24 January 2020 |accessdate=07 July 2021}}</ref><ref name="ShaghaghiLeak20">{{cite web |url=https://www.cohnreznick.com/insights/leak-of-30000-cannabis-customer-records-heightens-need-for-effective-data-security |title=Leak of 30,000 cannabis customer records heightens need for effective data security |author=Shaghaghi, S.; Weinstein, I. |work=Insights |publisher=CohnReznick LLP |date=18 February 2020 |accessdate=07 July 2021}}</ref> As the anonymous author of the original report concerning THSuite points out, "most legal experts agree that dispensaries must follow HIPAA regulations just like any other health care provider," and even in a realm without legal risk, exposed data could mean "individuals may suffer backlash if their families, friends, and colleagues find out that they use cannabis."<ref name="FawkesReportCanna20" /> Again, these issues firmly fall at the feet of the main problem of not having unified cannabis legislation, let alone not having a federally recognized legalized status of cannabis. With the unclear and mismatched state of law regarding cannabis user data protection, the onus still remain firmly with software developers and data managers in regards to thoroughly testing software and implementing (as well as enforcing) stricter controls such as [[encryption]], intrusion detection, and [[authentication]] mechanisms.<ref name="ShaghaghiLeak20" />
As such, it's obvious that cannabis testing labs, at a minimum, have to take data privacy and management seriously to stay in step with the ISO/IEC 17025 standard. That of course doesn't take into consideration any regulatory requirements for chain of custody and certificates of authority to be preserved by the lab for a specific period of time, nor does it account for any proprietary methods and business details that could potentially harm a lab in the wrong hands. Just like the personal health information of medical marijuana patients, and like the customer information of dispensaries, cannabis testing labs are charged with ensuring the security and privacy of the data they collect and manage.
 
To meet those requirements and more, a LIMS that includes functionality that helps labs support ISO/IEC 17025:2017, NELAC, ELAP, and Patient Focused Certification (PFC) requirements makes for a wise investment. Cannabis testing workflows can be difficult, as is the management of associated analytical instruments and their data. Throw in the complication of a semi-fractured regulatory atmosphere, and the cannabis testing lab is forced to operate with tight, enforced procedures to ensure not only the quality of tested cannabis substances but also the chain of custody of samples that come into the lab's possession. A LIMS that can carefully and automatically collect, manage, track, retain, and archive operational data—as well as the audit trails associated with those activities—is required to better maintain the security and privacy of that data, as well as the long-term viability of the lab.<ref name="AudinoManag18" />


==References==
==References==
{{Reflist|colwidth=30em}}
{{Reflist|colwidth=30em}}
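
Review bot: The paragraph beginning "To meet those requirements and more" ends with the named reference <ref name="AudinoManag18" />, but no <ref name="AudinoManag18"> definition carrying a citation appears anywhere in the revision text shown here, so {{Reflist}} will have nothing to render for that entry. Add the full {{cite web}} body at this first use, as is done for KramerISOIEC20 and ShimadzuISOIEC in the paragraph on items 8.4.2 and 7.11.3. Separately, in the paragraph beginning "As such, it's obvious", check whether "certificates of authority" is the intended term for the records a testing lab must preserve alongside chain of custody.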

Revision as of 17:45, 19 August 2021

3.4.2 What this means for the lab

While many cannabis testing laboratories won't be handling medical marijuana patient information, let alone dispensary sales information, lab managers must consider the data privacy issues of those realms and relate them to the data and workflows of the cannabis testing lab. What data must be protected? What standards must be followed to ensure that data's protection?

Take for example ISO/IEC 17025:2017, item 8.4.2, which requires a lab to have "controls" in place "for the identification, storage, protection, back-up, archive, retrieval, retention time, and disposal of its records."[1] The long-term implication here is that data should be clearly identified, securely stored, backed up and archived, and have clear information about their retention and disposal. The data should be thoughtfully "controlled" so it doesn't get lost or fall into the wrong people's hands. This is further evidenced by ISO/IEC 17025:2017, item 7.11.3, which calls for the data to be "protected from unauthorized access" and "safeguarded against tampering and loss."[2]

As such, it's obvious that cannabis testing labs, at a minimum, have to take data privacy and management seriously to stay in step with the ISO/IEC 17025 standard. That of course doesn't take into consideration any regulatory requirements for chain of custody and certificates of authority to be preserved by the lab for a specific period of time, nor does it account for any proprietary methods and business details that could potentially harm a lab in the wrong hands. Just like the personal health information of medical marijuana patients, and like the customer information of dispensaries, cannabis testing labs are charged with ensuring the security and privacy of the data they collect and manage.

To meet those requirements and more, a LIMS that includes functionality that helps labs support ISO/IEC 17025:2017, NELAC, ELAP, and Patient Focused Certification (PFC) requirements makes for a wise investment. Cannabis testing workflows can be difficult, as is the management of associated analytical instruments and their data. Throw in the complication of a semi-fractured regulatory atmosphere, and the cannabis testing lab is forced to operate with tight, enforced procedures to ensure not only the quality of tested cannabis substances but also the chain of custody of samples that come into the lab's possession. A LIMS that can carefully and automatically collect, manage, track, retain, and archive operational data—as well as the audit trails associated with those activities—is required to better maintain the security and privacy of that data, as well as the long-term viability of the lab.[3]

References