Hence, our proposal requires a governing entity (Fig. \ref{469714}) that offers trustworthy processes for the patient, custodian and recipient to identify, authenticate and authorize each other.  Trusted processes are needed to prevent fraudulent requests, to prevent mistaking one patient for another with the same name. The governing entity would also certify and accredit recipients of data, and collect, manage and enforce patient wishes.  Data custodians and application developers may ask patients if they want their information shared, however, patients will be directed to the governing entity to manage their directives and delegation in a trusted manner free of conflicts of interest.
The governing entity, or their agents, could also act as a clearinghouse for access and exchange of data, so that private companies are not required to make connections to or accept connections from multiple requestors, which would be burdensome.  In practice, because healthcare is provincially regulated, each province may have its own governing entity and coordination between provinces would be needed.
Finally, all of these concepts would need to be articulated in laws and regulations.  We note that, legal mandates can sometimes have unforeseen consequences with private organizations that are custodians of data--e.g., an application provider could choose not to comply with the law, incurring delays during legal wrangling \cite{cbc2020fb} or they could discontinue their service in Canada.  

Discussion and Conclusions