Secondary Use of Health Data in Ontario

Navigating laws relevant to secondary use of health data in Canada can be extremely difficult. I’ve created a decision aid that engages relevant frameworks for Ontario. This tool is currently under development and should not be taken as a substitute for legal advice. As always, legal acceptability should not be taken to equate to social license or normative desirability.

You can view an interactive version of this decision aid here.

Ontario Health Data Privacy Algorithm

Secondary Use of Health Data | Algorithm for Ontario, Canada

Ontario / Canada · Decision Framework · February 2026

Applicable Legal Frameworks

PHIPA (Ont.): Personal Health Information Protection Act — primary Ontario health privacy statute
PIPEDA / Bill C-27: Federal private-sector law; applies when PHIPA not "substantially similar"
TCPS 2 (Tri-Council): Research ethics policy for federally funded health research
QHIA (Ont.): Quality of Care Information Protection Act — QI activities & committee privilege
FIPPA / MFIPPA: Ontario public-sector privacy for government & public bodies
Step 1 — Identify the Data & Custodian

1a. Is this "personal health information" (PHI)?

PHI = identifying information about an individual's physical/mental health, health history, health-care services, family health history, or OHIP number (PHIPA s.4).

YES → PHIPA applies as primary statute. Continue to Step 2.
NO (aggregate / de-identified) → PHIPA may not apply. Confirm IPC de-identification standard met. Consider PIPEDA/C-27 if re-identification risk remains.

1b. Who holds the data? Identify the Health Information Custodian (HIC).

Public-sector HIC (hospital, public health unit, OHIP, ICES/IQVIA) → PHIPA + possibly FIPPA / MFIPPA
Private-sector HIC (pharmacy, private lab, clinic) → PHIPA + PIPEDA (if interprovincial commercial activity)
Non-HIC holder (app company, insurer, employer) → PIPEDA / C-27 primarily; PHIPA relevant if receiving PHI from HIC
Step 2 — Characterise the Secondary Use Purpose

2a. Research

Systematic investigation to develop generalizable knowledge.

→ PHIPA s.37(1)(e) or s.44 + TCPS 2. REB approval + PHIPA research agreement + public notice required. Consent waiver available only if all s.44 criteria are met.

2b. Quality Improvement (QI)

Systematic activities to evaluate or improve health services within/among health-care entities.

→ PHIPA s.37(1)(d) + QHIA. Disclosure within circle of care is broader. QHIA grants legal privilege to quality-of-care committee records.

2c. Health System Planning / Public Health Surveillance

Use by government, public health authorities, ICES, or CIHI for population analytics or disease surveillance.

→ PHIPA s.37(1)(b)/(c) + HPPA + FIPPA. Public health authorities may collect without consent under HPPA. Sharing to ICES permitted under PHIPA Regulation.

2d. Commercial / AI Product Development

Training AI models, developing commercial products, or monetising analytics using PHI.

→ PHIPA s.29–30 + PIPEDA (/ C-27) + proposed AIDA. Explicit consent required unless data is de-identified to IPC standard. Commercial secondary use is NOT a permitted purpose without consent.
Step 3 — Is there Valid Legal Authority to Use Without Consent?

3a. Has consent been obtained?

PHIPA s.29: consent is the default. Must be knowledgeable, voluntary, and related to the information.

YES → Proceed. Document consent scope. Honour withdrawal rights. Skip to Step 4.
NO → Must find a PHIPA permitted purpose (s.37–44) or PIPEDA Schedule 1 exception. Continue to 3b.

3b. PHIPA Permitted Purposes (Consent-Free Secondary Use)

s.37(1)(a) — Providing health care: Treatment, payment, related admin within the circle of care.
s.37(1)(b)/(c) — Planning & management / Risk assessment: By HICs, health data institutes, or Ministry for system-level purposes.
s.37(1)(d) — Education & QI: Training health professionals within the HIC or associated institution.
s.37(1)(e) / s.44 — Research: Subject to REB approval + PHIPA research criteria + IPC oversight.
s.39 — Legal functions: Required by law, court order, or proceedings.

3c. Research Consent Waiver — PHIPA s.44 + TCPS 2 (ALL 4 criteria required)

Research is of significant benefit to society AND impractical to conduct with consent
Privacy risks are proportionate and minimised (data minimisation, de-identification where possible)
PHI will not be used to contact individuals or families without separate consent
Full REB approval obtained AND PHIPA research agreement signed with HIC
Step 4 — Data Sharing & Transfer Safeguards

4a. De-identification & Aggregation (preferred path)

PHIPA s.47: HICs may disclose de-identified information without restriction. IPC De-identification Guidelines require formal risk assessment (Expert Determination or Safe Harbour equivalent).

4b. Data Sharing Agreements (DSA)

Required whenever PHI is disclosed to agents, researchers, or third parties. Must address: purpose limitation · security standards · breach notification · return/destruction of data · audit rights.

4c. Cross-border / Cross-provincial Transfer

To another Canadian province: PIPEDA applies if commercial activity. PHIPA s.42 restrictions apply. Confirm receiving province has comparable protection.
To USA / international: PHIPA s.42(1)(b) + PIPEDA accountability principle. If US covered entity involved, consider HIPAA. Follow IPC cross-border transfer guidance.
Step 5 — Outcome & Ongoing Obligations

No valid authority found — USE IS PROHIBITED

Must obtain consent, de-identify data, or restructure purpose to fit a PHIPA permitted use. Document the decision and consult IPC or Privacy Officer.

Authority exists with conditions — CONDITIONAL USE

All safeguards must be implemented: REB approval · DSA · Privacy Impact Assessment (PIA) · data minimisation · access controls · audit logging · breach response plan · staff privacy training.

Authority established — USE IS PERMITTED

Ongoing: purpose limitation · report PHI breaches to IPC within 7 days (PHIPA ss.12.1–12.2) · honour access and correction requests · destroy PHI per retention schedule · annual compliance review.

Outcome Key

Permitted: Consent obtained, OR valid PHIPA permitted purpose with all required safeguards in place
⚠️ Conditional: Consent waiver, QI, or planning purpose — REB, DSA, PIA, and IPC oversight required
🚫 Prohibited: No legal authority found. Restructure purpose, de-identify, or obtain consent first