Current laws only require information to be provided directly to the consumer, not delegated to third parties such as a health agency or a primary care provider in accordance with the consumer's wishes. In fact, a recent amendment in PHIPA, which has not yet come into force, clarifies that
We recommend that laws and regulations include an obligation to share data electronically in a timely manner, adhering to the FAIR data principles. We also recommend that laws include the right of consumers to delegate their access to third parties, proactively at the consumer's request rather than reactively at the third party's request. With governance, this can be done with informed consent \cite{PrivacyCommissionerofCanada2018}. The benefit of a legal mandate/obligation on custodians to share data is that it removes the need to negotiate data-sharing agreements between the data custodian (the company or public entities that either hold or make applications that hold patient data) and third parties. The onus on the data custodian and application developers is to ask patients how to share their data and then share their data according to their wishes and consent. The data recipient has the responsibility to adhere to the patients' wishes, the law and good practice. Governing authorities continue their oversight and enforcement responsibilities; however, new governance is also needed.
Our proposal requires a trustworthy process for the consumer, custodian and delegated recipient to identify, authenticate and authorize each other in a manner that prevents fraudulent requests, fraudulent information and mistakes in mixing up the information from one patient with another by the same name. This new process, i.e., governance, is required to certify and accredit recipients of data and properly identify and authenticate patients. This governance would be conducted by legally designated organizations, committees, roles and responsibilities. The government (or an agent thereof) could also act as a clearinghouse for such access, so that private companies are not required to accept connections from multiple requestors, which would be burdensome.
A legal mandate could have unforeseen consequences with private organizations that are custodians of data. For example, an application provider could choose not to comply with the law, incurring delays during legal wrangling \cite{cbc2020fb}, or worse yet, they could discontinue their service within Canada.
Discussion and Conclusions