Frequently Asked Questions
Personal health information, also known as PHI, is “identifying information” about an individual's health or health care history. This can include quite a lot of information, such as information about your health condition(s), treatment, health care number, drugs that you may be taking, and so much more. Privacy laws in Canada define and aim to protect PHI. The Personal Information Protection and Electronic Documents Act (PIPEDA) protects all persona information, including sensitive and personal health information. Ontario, Nova Scotia, Newfoundland & Labrador, and New Brunswick each have health-specific privacy laws that have been deemed similar to PIPEDA. The General Data Protection Regulation (GDPR) protects sensitive data in all the European Union member states: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. 'Sensitive data' includes personal health information. In the United States, personal health information is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Health data can include personal health information, however it can also include information that cannot be linked to a person. This type of data is often referred to as anonymized.
Health data can provide insights and information that can be used to improve the health of individuals, families and even communities. Health data can also help us develop new technologies that can help us understand and treat diseases or provide better health.
From the GDPR perspective, ‘personal data’ means "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
Health data can tell us new information about our own health, how to best treat diseases, and can even give us information on how to keep our communities healthy. If we use health data in a smart and responsible way, the insights we develop may help us to prevent disease and keep people from getting sick in the first place. Additionally, these insights can make our healthcare systems more effective and efficient, speed up important scientific research, and even make healthcare services more sustainable for future generations in Canada.
Your personal health information is shared with those who are involved in providing your care or others that you choose to share it with. You can provide it to anyone you wish. The choice is yours!
Data is protected in many different ways. For instance, ‘data minimization’ is one way companies are protecting data. It means that they only collect as little information that is needed and no more. (The less they have - the better. Less is more!)
There are also many other privacy and security practices whereby data is secured including data encryption, data erasure, data masking, and data resiliency.
There are also many other privacy and security practices whereby data is secured including data encryption, data erasure, data masking, and data resiliency.
The GDPR has roles called Controller, and Processor. These roles have similar responsibilities as a Data Custodian in Canada. Controllers and Processors may have different responsibilities regarding storage and security/privacy controls. GDPR defines these roles as follows:
"‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
"‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
You can find out more about how others share your data and how it will be used. Once you know these things you can then choose for yourself and ultimately exercise control over it!
Yes, you can download a Data Path by clicking on the Download button that appears on the screen at the bottom of each Data Path.
We encourage everyone to share this website with other people. To do this, simply click on the Share button which can be found in many locations on the website.
In the Resources tab on this website, you will find many other excellent sources of information that can help you learn more about health data.
These Data Paths are based on Canadian context and may differ slightly in other jurisdictions. We invite you to use these Data Paths as a discussion guide so you can ask questions of your own Care Team to understand if the process is similar in your jurisdiction.