Introduction: the Need for Access

Open access of de-identified patient data has been an indispensable resource for understanding and controlling the COVID-19 pandemic. The online dashboard hosted by Johns Hopkins and other COVID-19 sites are examples of real-time tracking that aggregate worldwide COVID-19 testing, case and mortality data.\cite{Dong_2020} However, there remain major gaps in available open data such as a lack of sociodemographic information and data on predisposing factors for becoming infected or spreading COVID-19 infection.\cite{Anderson_2020} Additional COVID-19 information is collected by public health contract tracers that could be shared to improve our understanding of COVID-19 spread. As well, COVID-19 information could be shared using data from individual eHealth applications. However, privacy concerns have curtailed more widespread data sharing. 
Contact tracing identifies people an infectious person may have had contact with, and possibly infected.  Knowing the history of a person's proximity to others, based on cell phone information, can assist contact tracing \cite{kleinman2020digital,gov-covid2020}. Identifying contacts is challenging and important for COVID-19 because of the large proportion of pre- or asymptomatic infectious transmissions that occur. The challenge is increased during re-opening as people come in contact with more people in public settings. Monitoring temperature, heart rate and respiration has the potential to identify COVID-19 prior to a person being aware of infection or for people with mild symptoms. Monitoring these symptoms can be performed through smartwatches and eThermometers \cite{Chamberlain2020,Seshadri2020}.
Many proximity tracking applications \cite{o2020flood} and other smart applications either do not allow data sharing with public health or a patient's clinical care team or make sharing overly challenging. Two scenarios are common. In the first scenario, data are on a person's smart application but there are no or limited provisions to share the data, or it is prohibitive to do so. In the second scenario, a person's data are shared with the company that has developed the application, where it is treated as a company asset. People have limited control over how the company uses or shares data with others. Patients cannot easily direct the application developer to share their data with public health agencies or their primary care team. We advocate for data access and sharing and we identify the recent FAIR data principles as the relevant approach.

The FAIR Data Principles 

In science research, the FAIR data principles \cite{wilkinson2016fair,force112014guiding} have gained recognition— FAIR refers to research data being Findable, Accessible, Interoperable and Reusable. That is, we should be able to find where our data resides and have access our data; and, upon access, data should be interoperable with other software and useful (reusable) because it is well-described.
The FAIR principles should also be applied to data held in private or public organizations, supported by individual privacy, for the patient's use, and if/as they direct, for society's beneficial use too, e.g., in research or public health management and surveillance.  If there are supporting changes to laws and governance, beneficial use can be authorized by the patient's proactive express consent that delegates and mandates access by a third party on the patient's behalf. This means that people should be allowed to delegate sharing of their data according to FAIR principles in a useful, efficient and timely manner. Patients should be allowed to express and enforce their wishes regarding their data, in alignment with values and strategies that put the patient first \cite{ministry2015patients}. After all, the patient or data subject is the inherent owner of their data.
While the private sector has some incentives to share data, such as corporate goodwill, they are under no obligation to do so. There are also barriers in access to health data within Canada's public health care system — e.g., barriers to requestors in Canada who are not affiliated with the custodian and are from a different location in Canada. Changes to the law can address these barriers, both in the will to share data and the timeliness of doing so.

Gaps in the Law to Meet Patients' Wishes

In Canada, privacy and access to information laws do not uniformly require private companies and public entities to follow the four FAIR data principles for patients' use of their data. There are gaps in the coverage of each principle, and importantly, the system does not attend to some patients' wishes in an effective and timely manner.
In Ontario, there has been steady progress on several principles. Access to a patient's record is largely required, but web apps were not covered by Ontario's health law — the Personal Health Information Protection Act (PHIPA) \cite{fabiano2020phipa,law2020personal}. An amendment to address this omission was written into PHIPA this year (March 2020) but has no specified date for when it will come into force.  Interoperability (also called data portability) is improving with PHIPA recently requiring an electronic record, which will be useful once the regulations \cite{reg2020PHIPA} and specifications for the electronic record come into effect in January 2021 and an unspecified date, respectively.  To ensure records are reusable, entities are required to provide an explanation of terms and abbreviations, but only if it is reasonably practical  \cite{law2020personal}.  
A large gap that remains is finding records.  One author has found it challenging to navigate government services through multiple web searches and phone calls to find immunization records from years past.  Going forward, CANImmunize alleviates this challenge by having patients managing their own immunization records \cite{houle2017canimmunize}. However, this solution highlights a systemic problem: the onus is on the patient. 
Currently, the patient is at the center of finding, requesting, receiving, resending and negotiating their records.  Some patients want that, and that option is always available, but other patients want their wishes to be at the center, to be respected and carried out.  They want public health to have their information from a web app, or their family physician to have a copy of their records, or they want to support research--without having to be proficient with technology, privacy laws, the logistics of government or private entities and the semantics of health care.

Changes to the Law and Supporting Governance

To have patient wishes at the center without the patient themselves carrying the technical and logistical burden requires new capabilities, such as delegation and a trusted governing entity, to support it.
Current laws only require information to be provided directly to the patient—not delegated to third parties, such as a health agency or a primary care provider, in accordance with the patient's wishes.  In fact, a recent amendment in PHIPA, which has not yet come into force, clarifies that if a provider of a web app seeks access to a patient's record, with the patient's authorization and consent, a health information custodian (government or private) does not have to provide access to the web app provider, but the custodian does have to provide access to the patient directly.  This deviation from a patient's wishes (i.e., to delegate access in some cases) occurs because there isn't a system or process by which a health information custodian can trust the validity of such authorizations.  However, a governing entity (Fig. \ref{469714}) empowered by the government could play that role and imbue trust in the system.