Abstract
The Pan-Canadian Health Data Charter advocates for new legal institutions that would empower organizations to steward health data for future use. We propose three potential legal mechanisms to realize this vision: (i) data stewards as fiduciaries, (ii) licensed data stewards, and (iii) licensed data trusts. These mechanisms would enable representative decision-makers acting on behalf of affected communities and publics to make binding choices about whether proposed health information uses respect applicable norms. This would help to foster public trust in health sector use of information. It would also enable data stewards to base their decisions on data re-use upon actionable feedback from affected populations regarding their preferences in balancing competing norms, which these institutions would produce. Our proposals hope to move the literature beyond narrow debates about the benefits of increasing or reducing regulation, towards an actionable vision of adaptive data governance in practice.
Introduction
Leading public policy reports have consistently ranked Canada in the bottom quartile among developed countries in sharing health data.1,2 Antiquated data protection legislation contributes significantly to Canadian underperformance. Incompatible rules govern the use of health data across the provinces, the territories, federal Canada, and in distinct economic sectors. Further, existing laws do not create mechanisms through which health organizations can make binding choices about how to re-use and share record-level health data. This legal vacuum fosters conservatism in sharing health data.3,4
In 2022, the Pan-Canadian Health Strategy Expert Advisory Group issued recommendations to enable interoperable re-use of health data across Canada. 5 Central thereto was adopting a “stewardship” model of health data governance. 5 Stewardship implies trust in, and reliance on, appropriately incentivized decision-makers to make binding choices about how health data can and cannot be used.6,7 Innovative new legal mechanisms are needed to establish health organizations as data stewards, whilst aligning their choices to public mores.
Furthermore, article 10 of the proposed Pan-Canadian Health Data Charter commits Canada’s territorial, provincial, and federal governments to the “harmonization of health data governance, oversight, and policy.” 8 To achieve this, baseline data protection laws applicable to health data should be made interoperable across Canada.
Part 1: From Data Custodianship to Data Stewardship
Canadian law establishes organizations that hold health data as “custodians.” 9 The custodial structure grants health organizations limited powers to use data for purposes enumerated in statutes. Organizations must also hold data secure, document their uses thereof, respond to requests from affected persons, and demonstrate respect for governing principles. Federal, provincial, and territorial Privacy Commissioners (i.e., regulators) assess the compliance of custodians with these obligations. To this end, they engage in audit, enforcement, and sanction. This includes issuing investigation reports, corrective orders, and fines.
This custodial model creates two challenges for Canadian health data stewardship. First, each organization is incentivized to be responsive to the legal requirements as their local regulator interprets them. Local regulators do not coordinate on compatible interpretations of local data protection rules. Efforts to establish harmonized data governance arrangements can thus collapse where distinct local regulators’ pronouncements conflict. This frustrates the adoption of shared national approaches to data exchange. Second, data protection laws differ in their substance. Though the broad strokes remain similar, the specific purposes of use allowable in each jurisdiction, and the procedural requirements that must be satisfied in each, differ. This creates both (i) high transaction costs that organizations must bear in establishing interjurisdictional data governance arrangements and (ii) a data sharing “race to the bottom,” as such arrangements internalize the most onerous restrictions from each participating jurisdiction’s laws.
Though the custodial model does not preclude health organizations from acting as the “stewards” of health data, its structure creates prohibitive administrative costs, and regulatory risks, for data stewards. More problematically, it actively disincentivizes health organizations from holding themselves directly accountable to affected publics, populations, and communities. The law holds out the Privacy Commissioner as the main actor responsible for determining the acceptability of governance arrangements, to the exclusion of other interest holders. However, Privacy Commissioners might adopt positions that differ from those of the affected interest groups, in choosing how to balance their rights and interests.
In contrast, data stewardship arrangements are networked relationships between multiple organizations, which are formalized in the informed consents of research participants, organizations’ internal policies governing clinical data use, contracts between multiple health organizations, the role-based access controls built into data sharing platforms, and the audit and oversight mechanisms applied thereto. Organizations develop and implement these through private law arrangements between one another, and confirm that such arrangements appear compatible with the local data protection laws that are applicable to each. The normative challenge that this creates is that affected publics and patient communities do not participate in brokering such arrangements. This can create significant misalignment between the preferences of affected publics or populations, and the data stewardship choices that health organizations make in practice.
In reforming Canadian law to enable harmonized data stewardship, two normative goals must be pursued (as stated above). First, the substance of federal and provincial data protection laws should be further harmonized to reduce friction between health organizations that pool data together for future use. Second, new legal mechanisms should be created, through which organizations can confirm that their proposed data stewardship arrangements meet public expectations in balancing competing social values, and obtain an explicit license confirming the lawfulness thereof. This latter change would create a feedback mechanism between public or community expectations regarding data use, and applied data governance practices.
Our core recommendations for harmonization are the following:
1. First, to align definitions of data identifiability across Canada, adopting a contextual, proportionate risk-based approach to distinguishing regulated “identifiable” data from unregulated “non-identifiable” data.10 The legal identifiability of a dataset determines the strength of the governance safeguards to be applied. Common identifiability standards are needed to implement harmonized data governance arrangements. The contextual, risk-based approach has multiple advantages, and has historically been made standard across Canada, through court decisions affirming it.11 It encourages organizations to consider not hypothetical, but real, risk of re-identification in determining which data to release.10,11 Further, it aligns with the standards in research ethics requirements, ensuring that bioethics requirements and data protection laws remain compatible. However, recent Canadian legislation and regulatory guidance have deviated from this approach, introducing multiple competing definitions.12,13 Organizations now struggle to coordinate upon compatible choices about which datasets each can share. In the European Union (EU), a brief period of experimentation with new data identifiability standards occurred (in 2016),14 after which the Union’s highest court reaffirmed the primacy of the contextual, risk-based approach (in 2025).15 Canada should also revert to that approach.
2. Second, to harmonize the purposes for which data can be collected, used, and disclosed, across distinct federal and provincial laws, and across economic sectors. Collaboration across sectors is critical to healthcare innovation. However, though health organizations have a broad mandate to collect, use, and disclose health-relevant data, their powers to share these data with other organizations are limited.16 Further, the powers of private-sector organizations to collect data are also quite narrow.16 Health sector organizations, and private-sector organizations, should be invested with a broader mandate to collect, use, and disclose health-relevant data, for the health-related purposes that are enumerated in health sector data protection laws’ “use” provisions.
3. Third, to eliminate explicit barriers to interprovincial data exchange. Numerous laws preclude data sharing with recipients in a different province, or outside Canada. These contradict the commitments that provincial governments made in the Pan-Canadian Health Data Charter,17 and must be eliminated to bring its promises to fruition.
Harmonizing these rules will strengthen existing efforts at data governance within the health sector. New legal mechanisms are needed, however, to devolve to health organizations an explicit mandate to act as data stewards, and to integrate feedback from interest holders into data stewardship decisions.
Part 2: The Institutional Foundations of Data Stewardship
The European Union has created a comprehensive legal framework through which organizations are required to make public-sourced data, and health data, available for downstream re-use. A mandate is delegated to them, to develop and to operationalize data governance arrangements that meet criteria described in statute.18,19 These laws also grant new powers to bodies that help steward data from multiple organizations.19,20 This fosters the scalable oversight of data of disparate provenance, from all across the European Union.
Comparative Overview of the Proposed Data Stewardship Models
Data Stewards as Fiduciaries
The law recognizes actors performing specialized duties for vulnerable charges as “fiduciaries.” Examples include accountants, doctors, and trustees. This designation recognizes that individuals depend on their fiduciaries, and that an imbalance of knowledge and of power exists between fiduciaries and their charges. The law thus holds the fiduciary to a high standard of conduct in acting on their behalf.21,22
This standard of conduct has two elements. First, fiduciaries must demonstrate that others that hold the same role would consider their behaviour to be an accepted practice among that group. For example, a doctor must show that other doctors would have agreed that the action performed was an accepted practice among doctors. Second, fiduciaries must demonstrate that their conduct was in utmost good faith, that the interests of their charges were prioritized over their own interests, and that they acted with loyalty and with transparency. 23 Even where both elements are satisfied, courts can sanction fiduciaries, where their behaviour conflicts with the reasonable expectations of the general public, in matters susceptible to lay appreciation.
This model could be applied to health data stewards. 7 It would grant legal recognition to the norms of behaviour that are shared among them. Also, it would introduce strong legal protections for data subjects that acknowledge their vulnerability towards, and reliance on, data stewards. Last, it would enable courts to sanction data stewards that violated public mores.
Licensing Data Stewards
Organizations could be invested with a “license” to act as data stewards, through special-purpose legislation. To hold this mandate, an organization would subject its data access controls, contracts, security practices, audit and oversight mechanisms, data de-identification processes, and the like, to review from designated accreditors. These accreditors could include representation from affected populations, governance professionals, and the public. Organizations that self-select into the “licensing” program would obtain additional powers to collect and disclose information, 24 and confirmation that their activities are lawful. This creates strong incentives to participate in the licensing program, to obtain the associated privileges. Our proposal builds on existing models (e.g., in European Union and Ontario law). However, the existing examples direct additional requirements to participating organizations, but grant them precious little benefit.9,19 This lopsided incentive structure has led to their disuse.
Licensing Data Trusts
This organizational licensing model creates considerable value for long-term, central, “repositories” that steward data from multiple organizations (as do the European Genome-phenome Archive, 25 dbGaP, 26 or the Institute for Clinical and Evaluative Sciences (ICES)). 27 However, this model would not meet the needs of those special-purpose “data trusts” that are created through the collaborative efforts of multiple partners, for an indefinite period of time, and that are specific to a chosen population, disease group, or research initiative. Data trusts are created to bring together specialized technological infrastructure (e.g., data portals, query tools, and analysis software), and difficult-to-acquire data, across multiple partners. Examples include longitudinal population health studies,28,29 genomic or multi-omic “atlases” of the human body, 30 or population-wide serological studies that create a “snapshot” of immune response. 31
Organization-level licenses would not suit such infrastructure. It is artificial to name one central organization as steward. Applied governance safeguards (i.e., data coding and data de-identification methods, access controls, and end-user commitments) are designed bespoke, and reflect the particularities of the affected data, and the realities of data subject communities. And their time-horizons are short, with the data shifting from the stewardship of one organization to another as budgets run out and partners enter or exit.32,33
We propose a licensing mechanism through which organizations can define the structure of specific data trusts. Such a mechanism would define the respective responsibilities of each partner participating in the data trust, and detail the technological infrastructure and oversight mechanisms implemented. The potential liability of each organization would be incurred only where that organization did not perform its respective responsibilities; the other organizations would not be held liable. Organizations would be exculpated from liability under relevant data protection laws, where their acts remained compliant with the license received. Other organizations could replace departing partners, so long as the conditions of the license continued to be respected.
Conclusion
The Pan-Canadian Health Data Charter is inspired by, and founded on, human rights whose universal nature transcends jurisdictional and disciplinary differences. 34 Recognizing international standards and data governance norms, the Charter’s principled, parsimonious, and prospective nature fosters international implementation and harmonization both within and across different national systems. However, harmonization is not standardization. On a technical level, and for secure cross-recognition and data flow, to say nothing of data integrity, standardization is a scientific prerequisite. Conversely, harmonizing data governance at the policy and regulatory levels fosters interoperable principles and “stewardship” approaches to data governance. 35 At the local level, the precise mechanisms to achieve this may differ and take the form of legislation, regulations, or professional guidance that reflect the principles and overall strategic approaches. Local jurisdictional sovereignty and implementation remain. Indeed, the ethics of the collection and use of data in research and healthcare is moving from paternalism and protection, towards the participation of citizens and populations.36-39 The values are channeled through anticipatory data governance sharing strategies and infrastructures that enable affected interest holders to make meaningful choices in balancing benefits, risks, and preferences in using and exchanging their data.
Agreement by FPT governments for pan-Canadian coordination on health data governance, oversight and policy mechanisms, and approaches that are deemed to be in the public interest irrespective of political and legal boundaries would be a first step to ensuring that local translation neither runs afoul of these shared ideals nor undermines their realization. Indeed, shared anticipatory governance structures and approaches serve to carry principled frameworks forward and build trust in the system. 40 We propose the following regulatory roadmap toward achieving this vision: first, to align the infrastructural legal provisions that are needed to enable common data sharing infrastructures to spring up in Canada. Second, to legislate new “anticipatory governance” mechanisms that empower health organizations and affected interest holders to make binding and actionable choices about how the rights and interests in their data should be balanced.
These changes are but the beginning of a sea change in the methods used to regulate the use of information. This change will shift agency from distant regulators back to affected interest holders. Anticipatory governance models will overcome historically unsatisfying trade-offs between under-inclusive private law arrangements, and regulatory paternalism. It is our hope that affected interest holders will soon leverage such new institutions to make meaningful choices about the design and implementation of governance arrangements, and bring the Charter to “legislated” life.
Footnotes
Ethical Approval
The research described in this manuscript did not constitute human participants research, and as such did not require ethics approval (i.e., it did not involve research participants, nor make use of data derived from research participants).
Funding
The authors received no financial support for the research, authorship, and/or publication of this article.
Declaration of Conflicting Interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Data Availability Statement
No data were collected, generated, or used as part of this research.
