Policy on collection and retention of records related to health product compliance and enforcement (POL-0140)

  • Date issued: 17 March, 2021
  • Date implemented: March 17, 2021
  • Replaces: N/A

Disclaimer

This document does not constitute part of the Food and Drugs Act (the Act) or its regulations and in the event of any inconsistency or conflict between the Act or regulations and this document, the Act or the regulations take precedence. This document is an administrative document that is intended to facilitate compliance by the regulated party with the Act, the regulations and the applicable administrative policies.

Table of Contents

Policy on collection and retention of records related to health product compliance and enforcement POL-0140

Download the alternative format
(PDF format, 2,185 KB, 19 pages)

Organization: Health Canada

1. Purpose

The purpose of this policy is to inform stakeholders of the legislative provisions related to records accessed and obtained by inspectors during compliance and enforcement (C&E) activities, as provided for in the Food and Drugs Act (the Act), as well as the Government of Canada's policies in respect of the collection, electronic transfer, retention and disposal of records.

This policy explains:

2. Background

This policy is an administrative document. If there is inconsistency or conflict between the Act or regulations and this policy, the Act or regulations take precedence.

The Act and regulations establish a regulatory framework to help protect the health and safety of consumers using health products regulated under the Act. It also helps to prevent deception in relation to these products.

Health Canada's Regulatory Operations and Enforcement Branch (ROEB) has two directorates that are responsible for the compliance and enforcement of health products.

These are the Health Product Compliance Directorate (HPCD) and the Medical Devices and Clinical Compliance Directorate (MDCCD). HPCD and MDCCD staff monitor or verify that health products comply with the Act and its regulations.

Inspectors are designated by the Minister of Health to administer and enforce the Act. They have the authority to enter certain places, and to acquire, access, copy, reproduce, download, save, transfer/transmit, and retain records related to the administration of the Act or its associated regulations.

When an inspector believes, on reasonable grounds, that records include information relevant to the Act or associated regulations, under the authority of the Act, they may:

Over the course of an inspection or compliance verification, inspectors may come across records containing personal information, such as patient prescriptions, adverse event reports, medical records, complaint records, or sales records. Although this information may be found in records that are subject to an inspector's authority to examine or make copies, inspector activities with respect to the collection and use of personal information are subject to the Privacy Act, which governs the collection, use, disclosure and retention of personal information.

3. Responsibilities

Inspectors designated under subsection 22(1) of the Act:

Parties regulated under the Act must:

Under subsection 24(1), a regulated party may not obstruct, hinder or knowingly make false or misleading statements, either orally or in writing, to an inspector.

These provisions require a person to provide an inspector with any information that an inspector may reasonably require.

Failure to comply with these provisions is an offence.

4. Scope

This policy applies to records created and acquired during inspections, including activities undertaken to verify compliance, either in person, as authorized by subsection 23(1), or remotely, by means of telecommunication as authorized by subsection 23(3) the Act.

Under subsection 22(1), inspectors have the authority to verify compliance or prevent non-compliance with the Act and its regulations for a range of health products, including:

5. Policy statement

Inspectors acquire records during the course of their C&E duties to verify compliance with regulatory requirements. Compliance actions include activities such as inspections, surveillance, sampling, testing, or responding to complaints; enforcement actions include activities such as seizure, recall, amendment or revocation (suspension or cancellation) of an authorization or a license.

Records created and acquired during C&E activities are the property of the Government of Canada. Records include paper records, electronic records (emails, databases, internet, data), and publications (reports, books, magazines and all other forms including films, sound recordings, photographs, documentary art, graphics and maps). Records fall under two categories: information resources of business value and transitory information resources.

Transitory records are information received by an inspector for information purposes, and are of use for a limited time. Transitory records are disposed of once the information is no longer of use. Information resources of business value must be saved in the official repository. Inspectors are responsible for the custodianship and retention of all records of business value from the point of collection until the documents are saved in the official repository.

The authority for inspectors to examine and copy documents, use computer systems, or take photographs or make sketches is essential to the effective administration of the Act, and therefore the protection of consumers by mitigating risk to the health and safety of the public. This authority is used to help reduce the risk to consumers' health and safety. Failure to provide all reasonable assistance to an inspector is a serious offence. Health Canada may take action, using measures outlined in the Compliance and enforcement policy for health products (POL-0001).

6. Procedure

6.1 Entering a place for inspection

Under the Act, the inspector has certain powers to verify compliance with the Act and regulations, as well as to prevent non-compliance.

Power to enter a place (subsection 23(1))

An inspector, and any individual(s) accompanying them under the authority of subsection 23(7) of the Act, may enter any place, including a conveyance, in which they have reasonable grounds to believe that:

Inspectors may enter places that meet the criteria described in subsection 23(1) of the Act at any reasonable time. While the facts will establish what is reasonable, in most cases, the normal working hours of the place being entered is considered reasonable. Consent to enter is not required for entry into a place, unless the place being entered is a dwelling-house.

Power to conduct a remote entry (subsection 23(3))

An inspector can also enter a place as described in Accessing the Premises of a Regulated Party Remotely to Verify Compliance (POL-0138) by means of telecommunication.

Power to enter private property (subsection 23(8))

An inspector and any individual accompanying them under the authority of subsection 23(7) of the Act, may enter and pass through private property, other than a dwelling-house on that property, in order to enter the place to be inspected.

Consent to enter a dwelling-house (subsection 23(9))

When a regulated party conducts business in their home, an inspector and any individual accompanying them under the authority of subsection 23(7) of the Act, may enter the dwelling-house only if the occupant consents or if there is a warrant (subsection 23(10)).

The inspector must have reasonable grounds to believe that one of the paragraphs in subsection 23(1) applies.

The inspector will use a form to obtain consent from the occupant in advance of the inspection. This form includes details of the inspector's authorities once the inspector enters the dwelling house.

6.2 Records – general principles

Integrity of records

Records provide reliable, objective evidence to confirm that the regulated activities were conducted in compliance with the requirements of the Act and regulations. Records can be created manually or can be generated electronically. Irrespective of the method used, data integrity of the records is fundamental in ensuring that the records created are attributable, legible, contemporaneous, original, accurate and complete (ALCOAC).

Electronic records

The use of an electronic record as objective evidence requires proof of the authenticity of the record. Authenticity can be demonstrated by the integrity of the electronic record management system in which the record was made, received, or stored, as well as proof that the record was made in the usual and ordinary course of business. For more details on the proof of the integrity of an organization's record system, refer to the Canadian General Standards Board's guideline, CAN/CGSB-72.34-2017 Electronic Records as Documentary Evidence.

Record management

Regulated parties using electronic records as their principal method of data capture should establish a process that includes record protection measures (restricted entry/security, audit trail, backup) and record quality assurance. The record management process should ensure that:

6.3 Examination, collection and retention of records

Examine and make copies (subsection 23(2)(c))

After an inspector has entered a place under subsection 23(1) of the Act, whether they have entered physically or via remote entry, an inspector may access, review, print, reproduce, and take screenshots, copy and/or export copies of the data to confirm compliance to the Act. Subsection 23(2) of the Act gives an inspector the authority to access, examine, and make copies of any records that are found at the place, and that the inspector believes, on reasonable grounds, include information relevant to the administration of this Act or the regulations. This also includes records generated and maintained in computerized systems, including, but not limited to, electronic communications, e-mails, spreadsheets, and security camera footage that relate to regulated activities. In addition, regulated parties may also voluntarily provide information to inspectors, or these records may be provided through other means, such as orders, or complaints received from the public.

Reproduce electronic data (subsection 23(2)(d))

Any reproduced electronic record shall be generated in a readable/viewable format as requested by the inspector. Whenever paper or electronic copies of electronic records need to be produced, they can be authenticated as certified true copies by the inspector. Where the paper copy differs in structure, form or content from the electronic record, the nature of the difference, and the reason for the differences, will be documented in the paper copy. Whenever possible, regulated parties should supply copies of electronic records in common readable formats, such as, but not limited to, Portable Document Format (PDF), Microsoft Excel (XLS), Microsoft Word (DOC), or Digital Image (JPEG). Copies of the original documents must preserve the content and meaning of the record.

The regulated party must provide all reasonable assistance to the inspector during compliance and enforcement activities. Records requested by an inspector must be made available to the inspector within a reasonable amount of time and should be presented in a manner that permit their full assessment; this also includes retrieval by the regulated party of electronic records from another location or site. These records or copies are subject to photocopying or other means of reproduction as part of the inspection. The regulated party may retain records as either original records or as true copies, such as photocopies, microfilm, microfiche, or other accurate reproduction of the original records. Where a reducing technique such as microfilming is used, suitable reading and photocopying equipment must be readily available for the inspector's use. Electronic copies are considered true copies of paper or electronic records, provided the copies preserve the content and meaning of the original record, which includes metadata.

6.4 Use of computer systems or telecommunication systems (subsection 23(2)(e))

After entry into a place under subsection 23(1) or 23(3) of the Act, an inspector may access a computer system or a telecommunication system available at the facility to confirm compliance or prevent non-compliance with the Act and regulations. Examples of systems/applications that an inspector may require access to include:

Depending on system complexity, an inspector may access the computer on their own, or may ask a person from the regulated party to be present and to assist with the navigation of the system. To facilitate the inspection, the regulated party should consider establishing a formal process for granting and modifying system access to inspectors for the duration of the inspection. The regulated party may establish a role-based access control for their computerized system such that the inspector can have "read only" access to the records required to verify compliance to the Act and regulations. If a role-based access control cannot be established, then the inspector will request that company personnel be present when they access the system.

6.5 Record transmission

Interoperability among technologies used between ROEB and a regulated party is important for transmitting data between both parties during an inspection. Any protected or classified electronic data sent by an inspector to a regulated party should be securely transmitted using Health Canada approved electronic transmission applications, or Health Canada approved portable data storage devices (for example, USB devices, tablets, laptops, smart devices, portable media). The inspector will protect the records in accordance with applicable legislation and follow Health Canada's information management policies and procedures. Electronic records obtained from the regulated party will be transferred to Health Canada's official repository within a reasonable timeframe.

Inspectors will follow the Government of Canada’s information technology policy on the Secure Use of Portable Data Storage Devices within the Government of Canada to minimize risk to protected, classified and confidential information. Inspectors are only permitted to use authorized devices on Health Canada’s network. The use of unauthorized portable data storage devices (for example, non-government issued USB devices, or portable media) presents risks to the Government of Canada’s information technology (IT) network security. Risks include the introduction of malicious software onto Health Canada IT network, unauthorized access or use of the information stored on the device, or loss or theft of the device itself.  

6.6 Taking photographs, making recordings and sketches (subsection 23(2)(j))

Inspectors are authorized to take photographs and make recordings (audio and/or visual) and sketches per subsection 23(2)(j) of the Act to verify compliance or to prevent non-compliance with the provisions of this Act or the regulations. Photographs are an integral part of an inspection, and they can present an objective and contemporaneous representation of regulated activities, products and/or facilities. Consent of the company representative is not required for taking a photograph or recording of objective evidence related to enforcement of the Act. Any refusal on the part of the representative of the regulated party could be considered an obstruction to inspection activities. Photographs and recordings are taken using government-issued devices. Inspectors take digital recordings in order to achieve the following:

While taking photographs and recordings, the inspector will avoid capturing any personal and/or private information irrelevant to the administration/enforcement of the Act. All digitized images will be transferred to an official repository within a reasonable time. Inspectors may include sketches of the facility to add to the completeness and comprehension of the inspector notes.

6.7 Certified copies (subsection 36(3) of the Act)

A copy of or extract from a document, including electronic data, can be certified to be a true copy by the inspector who collected the records under subsection 23(2)(c),(d)or (f).
For records submitted by a regulated party as part of a C&E action such as an inspector order, an inspector can request the party to submit a certified true copy, copies certified by affidavits, or originals. Inspectors shall only request originals when necessary to verify compliance or prevent non-compliance.  

6.8 Security and proper handling of sensitive information

Records of business value stored in an inspector's portable device(s) are transferred to Health Canada's official repository as soon as possible. Inspectors will secure portable storage devices at all times, as appropriate to the highest level of security classification of the data on the device. Inspectors follow Health Canada Information Management's security requirements when transporting sensitive information between sites or during travel using a secure portable electronic data storage system.

6.9 Retention of records

Records of business value created or collected by inspectors during C&E activities are the property of the Government of Canada. These information resources are subject to various legislative, regulatory and policy requirements governing their retention and disposition. Records are managed in Health Canada's official repository, which facilitates the creation, acquisition, management, use, storage, disclosure, accessibility, confidentiality and destruction of records. Inspection records are saved in individual inspection files that follow standardized classification taxonomy within the corporate repository, ensuring easy access when needed to support program and service delivery. The length of time the C&E records of business value are retained depends on several factors, including, but not limited to the following:

Inspection records remain usable, accessible and retrievable for the entire period of their retention times. The contextual and structural integrity of Information Resources of Business Value (IRBV) are also maintained.

Disposal of records

Destruction of C&E records follows the Records Retention and Disposal Schedule (RRDS) established by Library and Archives Canada (LAC). RRDS prescribes requirements for the length of time a government record must be retained and the means of disposal at the end of its lifecycle.

Confidential information and privacy concerns

Items or things (including, but not limited to, premises, records, and equipment) related to the administration of the Act or its associated regulations are subject to inspection. When an inspector believes, on reasonable grounds, that records include relevant information, the inspector, and by extension individuals accompanying them, in accordance with their identified role(s) in the inspection, are authorized to view or examine those things to verify compliance or prevent non-compliance.

Regulated businesses have a reduced expectation of privacy than individuals. When a person undertakes business activities regulated under legislation, those businesses are subject to inspection for compliance with all applicable legislation. However, the inspector and any individual(s) accompanying them will make every reasonable effort to minimize risk to protected, classified and confidential information. Inspectors will communicate the importance of proper handling of sensitive information and ensure that individuals accompanying them on inspection understand this.

6.10 Obstructing, providing false information, or failing to provide assistance

Obstruction, hindering, knowingly lying, or failing to provide all reasonable assistance to an inspector who is carrying out their duties or functions are offences under the Act and will not be tolerated. Further compliance and enforcement actions that may be taken are outlined in the Compliance and enforcement policy for health products (POL-0001).

The inspection provisions in the Act are designed to protect consumers who are vulnerable to risks posed by health products and their advertising. It is a violation of subsection 24(1) to prevent an inspector from inspecting or to make false or misleading statements, orally or in writing.

Depending on the classification of the health product involved and the election of the prosecutor to proceed summarily or on indictment, a violation may result in prosecution. If convicted, a person can be fined or be imprisoned.

Subsection 23(13) puts a duty on the owner or person in charge and any person found in a place entered (even remotely) by an inspector to provide:

Appendix A – Glossary

Acronyms

C&E
Compliance and Enforcement
HPCD
Health Products Compliance Directorate
IRBV
Information Resources of Business Value
MDCCD
Medical Devices and Clinical Compliance Directorate
ROEB
Regulatory Operations and Enforcement Branch

Terms

Appendix B – References

Laws and Regulations

Other related documents

Page details

Date modified: