Standards and Considerations for Medical Data Disclosure For Open Ethics Transparency Protocol

In the context of understanding, possibly developing, and enhancing an ethical framework for healthcare applications, we face fragmented and evolving standards on medical data disclosure. In light of these significant barriers, we evaluate and discuss a proposed modular integration of legal, ethical, and technical disclosure standards (e.g., HIPAA, GDPR, Xcertia, ISO/IEEE 11073)¹ into transparency, autonomy, and compliance processes across jurisdictions.

The discussion also covers the downsides of this approach, which include increased implementation complexity and potential difficulties with stakeholder onboarding. We propose a label system with a multilayered architecture to address these gaps.

Discussion

Healthcare applications and technology, such as Flo (period tracking), Fitbit (fitness tracking), and Calm (mental health support), collect sensitive health data. However, unlike regulated tools such as patient portals, they are not consistently bound by medical-grade privacy and disclosure requirements and operate in a gray zone: not quite clinical, not quite consumer-focused. They are nebulous enough to collect troves of sensitive data without proper disclosure. There lies an opportunity to develop a comprehensive approach that builds on existing standards and could drive increased transparency in this space. Current practices do not reflect the specific obligations tied to medical-grade data, and these gaps are compounded by the lack of harmonization across standards and laws, creating further challenges for effective implementation.

Existing Regulatory Frameworks

Existing legal and regulatory frameworks include HIPAA (Health Insurance Portability and Accountability Act)² in the U.S. Its scope covers ‘covered entities’ (e.g., healthcare providers, insurers) and their ‘business associates’ handling Protected Health Information (PHI). Its key provisions include the Privacy Rule, which regulates the use and disclosure of PHI; mandated administrative, physical, and technical safeguards for electronic PHI (ePHI); and the Breach Notification Rule, which requires notification of breaches involving unsecured PHI.
There are also several state-level health data privacy laws within the US. They include:

  • California (CMIA), which extends privacy protections to reproductive health apps, requiring explicit consent and segregation of sensitive data.
  • Washington (My Health My Data Act)³, which mandates consumer rights to access, delete, and withdraw consent for health data.
  • Nevada (SB370), which requires clear data sharing notices and prohibits certain data practices.

Many notable international regulations are also in place. Ontario’s PHIPA in Canada applies to health information custodians and non-custodians, requiring informed consent for data use beyond direct care. The European Union’s General Data Protection Regulation (GDPR) mandates lawful, fair, and transparent processing of personal data, including health information, with strict consent requirements.

Table 1 provides a comparative overview of the key medical data protection regulations across four major jurisdictions: the United States (HIPAA), the European Union (GDPR), Australia (Privacy Act), and Canada (PIPEDA). The table outlines the scope and defining features of each regulation, including the types of data protected, the legal basis for processing and disclosure, the rights granted to data subjects, breach notification requirements, and penalties for non-compliance.

 

Table 1: Comparison of Key Data Protection Regulations

| Feature | HIPAA (US) | GDPR (EU) | Privacy Act (Australia) | PIPEDA (Canada) |
|---|---|---|---|---|
| Protected Data (Health) | Protected Health Information (PHI): individually identifiable health information | Personal data concerning health: data related to physical or mental health | Sensitive information: includes health information and genetic information | Personal health information: information concerning an individual’s health |
| Basis for Processing/Disclosure | Permitted uses/disclosures without authorization; authorization required for other uses/disclosures; mandatory disclosure to individual and HHS⁴ | Lawful basis required (consent, legal obligation, vital interests, etc.); explicit consent generally required for health data | Primary purpose; directly related secondary purpose (reasonable expectation); consent for other purposes; exceptions for serious threat, law | Meaningful consent (express or implied); permitted uses/disclosures without consent under specific circumstances |
| Data Subject Rights | Right to access, amend, accounting of disclosures, restrict disclosures, etc. | Right to access, rectification, erasure, restriction of processing, data portability, objection | Right to access, correction, opt-out of direct marketing, complain | Right to access, challenge accuracy, withdraw consent |
| Breach Notification | Mandatory notification to affected individuals, HHS, and media (if over 500 individuals) | Mandatory notification to supervisory authority within 72 hours and to data subjects if high risk | Mandatory notification to affected individuals and OAIC if likely to cause serious harm | Mandatory notification to affected individuals and Privacy Commissioner if real risk of significant harm |
| Penalties for Non-Compliance | Civil and criminal penalties; fines up to $1.5 million per year (civil); fines up to $250,000 and 10 years imprisonment (criminal) | Fines up to €20 million or 4% of annual global turnover (whichever is higher) | Fines up to AUD 50 million for serious or repeated breaches | Fines up to CAD 100,000 per violation |


Ethical Frameworks and Technical Standards


Ethical frameworks and best practices for health apps emphasize protecting user rights, ensuring equity, and enforcing developer accountability. According to the American Medical Association’s principles, users should retain control over their data, including how it’s accessed, used, and disclosed, with the explicit option to prevent its sale.⁵ These principles also stress the importance of safeguarding marginalized groups from discrimination and exploitation. Developers are expected to maintain confidentiality and clearly disclose the purposes behind data collection. Complementing this, the Xcertia guidelines focus on robust security measures such as encryption, access controls, and routine vulnerability assessments. Transparency is also key, requiring developers to present clear, user-friendly privacy policies that explain data practices. Lastly, compliance with relevant laws and regulations is essential to uphold data integrity and ensure its availability.

Technical standards and protocols play a critical role in ensuring safe and effective digital health solutions. The ISO/IEEE 11073 standards are designed to support interoperability between medical devices and health information systems. These standards include specifications for data exchange, enabling seamless communication of vital signs and device data; device control, which outlines models for remote monitoring and management of devices; and personal health devices, which ensure standardization for consumer health technologies like glucose monitors and blood pressure cuffs. To support developers in navigating this complex landscape, tools like the HHS Mobile Health Apps Interactive Tool help identify relevant federal regulations based on an app’s features and data practices. Additionally, the AMA Digital Health Implementation Playbook offers practical guidance for adopting digital health tools while ensuring regulatory compliance and data security.

Table 2 provides a summary of key standards, guidelines, and resources that support the development of a multi-layered label system for health technologies. The table highlights ethical frameworks such as the AMA Principles and Xcertia Guidelines, technical standards like ISO/IEEE 11073, and practical tools including developer checklists and playbooks. By aligning these diverse elements, the table demonstrates how legal compliance, ethical responsibility, and technical robustness can be integrated to build trustworthy and adaptable health systems.

 

Table 2. Key Standards, Guidelines, and Resources for a Multilayered Health Tech Label System.

| Category | Subcategory | Key Points |
|---|---|---|
| Ethical | AMA Principles | Individual control, equity for vulnerable populations, responsibility for transparency and confidentiality. |
| Ethical | Xcertia Guidelines | Emphasize encryption, access control, transparency, legal compliance, and vulnerability testing. |
| Technical | ISO/IEEE 11073 | Standards for data exchange, device control, and personal health devices to ensure interoperability. |
| Resources | Developer Tools | HHS Mobile Health Apps Tool, AMA Digital Health Playbook for legal guidance and best practices. |
| Practical | Developer Checklist | Check legal applicability, get consents, establish BAAs, ensure security, maintain transparency, monitor updates. |


Solution


The proposed framework would develop a label system⁶ with a multi-layered architecture that incorporates disclosure standards across three pillars: Legal, Ethical, and Technical.

  • Legal standards, such as HIPAA, state-specific laws, and international regulations like GDPR, provide enforceable frameworks for protecting health data but can be complex and inconsistent across jurisdictions.
  • Ethical standards, including AMA principles and Xcertia guidelines, emphasize transparency, autonomy, and fairness but often lack the specificity and enforceability needed for practical implementation.
  • Technical standards, such as ISO/IEEE 11073, focus on interoperability and secure data exchange but may be resource-intensive and technically demanding to implement.

A successful system must harmonize these standards to ensure privacy, foster innovation, and maintain public trust, while remaining adaptable to evolving regulations and technologies.


To ensure that such an approach to medical ethical standards is both operable and ethically sound, the following best practices and recommendations should be considered during its design and implementation:

  • Implement a granular consent management system: Individuals should be able to specify the types of data they are willing to share and with whom, providing a high degree of control over their information.
  • Prioritize data minimization: Only collect and share the minimum amount of data necessary to achieve the specified purpose, reducing the potential for privacy breaches and misuse.
  • Employ de-identification and anonymization: Utilize robust techniques to remove or mask personally identifiable information whenever possible, allowing for data analysis without compromising individual privacy.
  • Establish clear data governance policies: Develop transparent policies outlining the purposes of data sharing, access controls, data retention periods, and the responsibilities of all stakeholders involved in the data passport ecosystem.
  • Implement strong security measures: Employ encryption for data at rest and in transit, enforce multi-factor authentication for all users, and conduct regular security audits to ensure the ongoing protection of data.
  • Provide user education: Create clear and accessible materials to inform individuals about the data passport’s features, benefits, risks, and their rights regarding their data, empowering them to make informed decisions about participation.
  • Facilitate data access and correction: Establish a mechanism for individuals to access, review, and request corrections to their data held within the passport, promoting data accuracy and transparency.
  • Develop a data breach response plan: Create a clear and well-documented process for handling data breaches, including protocols for notification, containment, and remediation, to minimize potential harm to users.
  • Conduct regular ethical reviews: Establish an ethics review board or committee to oversee the data passport’s policies and practices, ensuring ongoing adherence to ethical principles and evolving legal requirements.
  • Explore privacy-enhancing technologies: Investigate and implement privacy-preserving techniques that can further safeguard user data while still enabling valuable data analysis and sharing for research and innovation.
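The first three practices above (granular consent, data minimization, de-identification) are the ones most often reduced to a checkbox in a privacy policy. The following Python example, added here and not code from the article or from Open Ethics, shows what they look like when enforced in code: a “what / who / why” consent matrix that gates every disclosure, a per-purpose minimum field set, and a de-identification step that runs before data leaves the app. The app, field, recipient and purpose names, the purpose-to-field policy, and the sample record are all constructed for illustration.

```python
"""Granular consent matrix with data-minimization and de-identification checks.

Added example; not code from the Open Ethics article or project. All
field, recipient and purpose names are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Identifiability(Enum):
    ANONYMIZED = 0      # no linking field released at all
    PSEUDONYMIZED = 1   # re-linkable only with a separately held key
    IDENTIFIED = 2      # directly linked to a person


@dataclass(frozen=True)
class ConsentGrant:
    """One 'what / who / why' row the user has agreed to."""
    category: str                          # what: e.g. "reproductive_health"
    recipient: str                         # who:  e.g. "analytics_vendor"
    purpose: str                           # why:  e.g. "product_improvement"
    max_identifiability: Identifiability   # most identifying form the user allows


@dataclass(frozen=True)
class DisclosureRequest:
    category: str
    recipient: str
    purpose: str
    identifiability: Identifiability
    fields: frozenset                      # concrete fields the recipient asked for


# Minimum field set each purpose genuinely needs (the data-minimization policy).
# Constructed for illustration; a real deployment derives this from its own
# purpose analysis, not from the recipient's wish list.
PURPOSE_MINIMUM_FIELDS = {
    "care_delivery": {"user_id", "cycle_dates", "symptoms"},
    "product_improvement": {"cycle_dates", "symptoms"},
    "marketing": set(),  # no health field is necessary for marketing
}

DIRECT_IDENTIFIERS = {"name", "email", "phone"}


class ConsentMatrix:
    def __init__(self, grants):
        self._grants = {(g.category, g.recipient, g.purpose): g for g in grants}

    def evaluate(self, req):
        """Return (allowed, reason). A disclosure passes only if a matching grant
        exists, the data is no more identifying than the user permitted, and the
        requested fields stay within the purpose's minimum set."""
        grant = self._grants.get((req.category, req.recipient, req.purpose))
        if grant is None:
            return False, "no consent for this what/who/why triple"
        if req.identifiability.value > grant.max_identifiability.value:
            return False, f"data must be at most {grant.max_identifiability.name.lower()}"
        excess = set(req.fields) - PURPOSE_MINIMUM_FIELDS.get(req.purpose, set())
        if excess:
            return False, f"fields exceed purpose minimum: {sorted(excess)}"
        return True, "permitted"


def de_identify(record, level, key):
    """Reduce a record to the requested identifiability level.
    PSEUDONYMIZED replaces user_id with an HMAC token (the key is held apart
    from the released data set); ANONYMIZED drops the linking field entirely.
    Direct identifiers are removed in both cases."""
    if level is Identifiability.IDENTIFIED:
        return dict(record)
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    uid = out.pop("user_id", None)
    if level is Identifiability.PSEUDONYMIZED and uid is not None:
        out["user_id"] = hmac.new(key, str(uid).encode(), hashlib.sha256).hexdigest()[:16]
    return out


def disclose(matrix, req, record, key):
    """Gate a release on the consent matrix, then minimize and de-identify
    before anything crosses the app boundary. Returns (data or None, reason)."""
    allowed, reason = matrix.evaluate(req)
    if not allowed:
        return None, reason
    minimized = {k: v for k, v in record.items() if k in req.fields}
    return de_identify(minimized, req.identifiability, key), reason


def build_sample_matrix():
    """Constructed grants for a hypothetical period-tracking app."""
    return ConsentMatrix([
        ConsentGrant("reproductive_health", "clinician", "care_delivery",
                     Identifiability.IDENTIFIED),
        ConsentGrant("reproductive_health", "analytics_vendor", "product_improvement",
                     Identifiability.PSEUDONYMIZED),
    ])


SAMPLE_RECORD = {  # constructed test data, not a real user
    "user_id": 42, "name": "A. Example", "email": "a@example.invalid",
    "cycle_dates": ["2024-03-01", "2024-03-29"], "symptoms": ["cramps"],
}
```

The consent check and the minimization check are deliberately separate: a user can consent to sharing a category with a vendor, and the purpose policy can still refuse fields that purpose does not need. Note that the ANONYMIZED level here only drops the linking field; quasi-identifiers such as exact dates or rare symptoms still need generalization or aggregation before a data set can honestly be called anonymized, which this example does not attempt.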

 

Table 3: Summary of Technical Security Best Practices

| Security Practice | Description |
|---|---|
| Data Encryption | Encoding data to prevent unauthorized access; should be applied to data at rest and in transit. |
| Access Controls | Limiting access to data based on user roles and responsibilities; implementing multi-factor authentication for user verification. |
| Data Minimization | Collecting and retaining only the data that is strictly necessary for the specified purpose. |
| De-identification | Removing or masking personally identifiable information from data. |
| Security Audits | Regularly assessing and reviewing security measures to identify vulnerabilities and ensure effectiveness. |
| Employee Training | Educating individuals who handle data on security and privacy best practices. |
| Incident Response | Having a plan in place to address and mitigate the impact of security incidents or data breaches. |
| Secure Storage & Disposal | Implementing secure methods for storing digital and physical data and securely disposing of data when it is no longer needed. |


Key Actions

The key actions outlined below are meant to support enhanced transparency around standards, which are often hidden in lengthy privacy policies that users overlook altogether. Key actions include:

  • Introduce a Disclosure Module in the OE label architecture that maps compliance to standards like HIPAA, GDPR, PHIPA, CMIA, and more.
  • Align with ethical best practices (AMA Principles, Xcertia Guidelines) to assess autonomy, beneficence, and transparency beyond legal obligations.
  • Include technical disclosure tags for security, de-identification, and interoperability (e.g., ISO/IEEE 11073 compliance).
  • Implement a developer-facing checklist and tagging schema within the OE label for labeling practices like consent granularity, anonymization use, and breach response planning.

Each OE label would clearly indicate:

  • Whether the app processes Protected Health Information (PHI).
  • If it’s bound by HIPAA or similar frameworks.
  • Whether it uses data minimization, anonymization, and granular consent.
  • If the app meets Xcertia or ISO standards for security and data control.
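The tagging schema and the four label statements above are easy to state and easy to get wrong in practice: a label that says “HIPAA-compliant” while its own technical layer admits there is no breach response plan is worse than no label. The Python example below, added here and not code from the article or from the Open Ethics label project, sketches one way to represent a three-layer label, validate it for internal consistency, and render it as plain-English lines in the modular “anonymization-compliant but still working on HIPAA” style. The tag vocabulary, the dependency rules between claims, and the sample app are constructed for illustration and are not the standards’ own requirements.

```python
"""Multilayered disclosure label: Legal / Ethical / Technical tags with
cross-layer consistency checks and a plain-English rendering.

Added example; not code from the Open Ethics article or the OE label project.
Tag names, the dependency rules and the sample apps are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    COMPLIANT = "compliant"
    IN_PROGRESS = "in progress"
    NOT_APPLICABLE = "not applicable"
    NOT_CLAIMED = "not claimed"


# Tag vocabulary per layer (constructed from the standards the article names).
SCHEMA = {
    "legal": {"HIPAA", "GDPR", "PHIPA", "CMIA", "MHMDA", "NV-SB370"},
    "ethical": {"AMA-Principles", "Xcertia", "Granular-Consent", "Data-Minimization"},
    "technical": {"ISO-IEEE-11073", "Anonymization", "Encryption-At-Rest",
                  "Encryption-In-Transit", "MFA", "Breach-Response-Plan"},
}

# Controls a 'compliant' claim must be backed by. Illustrative mapping only;
# a real schema would cite the clause of each standard it derives from.
REQUIRES = {
    ("legal", "HIPAA"): [("technical", "Encryption-At-Rest"),
                         ("technical", "Encryption-In-Transit"),
                         ("technical", "Breach-Response-Plan")],
    ("ethical", "Xcertia"): [("technical", "Encryption-In-Transit"),
                             ("technical", "MFA")],
    ("ethical", "Granular-Consent"): [("ethical", "Data-Minimization")],
}


@dataclass
class DisclosureLabel:
    app_name: str
    processes_phi: bool     # handles Protected Health Information?
    hipaa_regulated: bool   # covered entity or business associate?
    tags: dict              # {(layer, tag): Status}

    def status(self, layer, tag):
        return self.tags.get((layer, tag), Status.NOT_CLAIMED)


def validate(label):
    """Return a list of findings; an empty list means the label is internally
    consistent. Flags unknown tags, legal claims that contradict the app's
    PHI/HIPAA facts, and 'compliant' claims lacking their supporting controls."""
    findings = []
    for (layer, tag) in label.tags:
        if tag not in SCHEMA.get(layer, ()):
            findings.append(f"unknown tag {layer}:{tag}")
    hipaa = label.status("legal", "HIPAA")
    if label.hipaa_regulated and hipaa in (Status.NOT_CLAIMED, Status.NOT_APPLICABLE):
        findings.append("HIPAA-regulated app makes no HIPAA disclosure")
    if not label.processes_phi and hipaa is Status.COMPLIANT:
        findings.append("HIPAA compliance claimed but app reports no PHI processing")
    for claim, needed in REQUIRES.items():
        if label.status(*claim) is Status.COMPLIANT:
            for dep in needed:
                if label.status(*dep) is not Status.COMPLIANT:
                    findings.append(f"{claim[0]}:{claim[1]} claimed without {dep[0]}:{dep[1]}")
    return findings


def render(label):
    """One plain-English line per layer for the user-facing label."""
    phi = "processes" if label.processes_phi else "does not process"
    lines = [f"{label.app_name} {phi} Protected Health Information (PHI)."]
    for layer in ("legal", "ethical", "technical"):
        claims = [f"{tag} ({st.value})" for (ly, tag), st in sorted(label.tags.items())
                  if ly == layer]
        lines.append(f"{layer.capitalize()}: " + ("; ".join(claims) if claims else "no claims made"))
    return lines


def build_sample_label():
    """Hypothetical period-tracking app: not a HIPAA covered entity, but it
    discloses its status honestly, layer by layer."""
    return DisclosureLabel(
        app_name="CycleNote (hypothetical)", processes_phi=True, hipaa_regulated=False,
        tags={
            ("legal", "HIPAA"): Status.IN_PROGRESS,
            ("legal", "GDPR"): Status.COMPLIANT,
            ("ethical", "Granular-Consent"): Status.COMPLIANT,
            ("ethical", "Data-Minimization"): Status.COMPLIANT,
            ("technical", "Anonymization"): Status.COMPLIANT,
            ("technical", "Encryption-In-Transit"): Status.COMPLIANT,
            ("technical", "Breach-Response-Plan"): Status.IN_PROGRESS,
        })


def build_overclaiming_label():
    """Same app, but the label claims HIPAA and Xcertia compliance without the
    controls behind them and uses a tag outside the schema."""
    lbl = build_sample_label()
    lbl.tags[("legal", "HIPAA")] = Status.COMPLIANT
    lbl.tags[("ethical", "Xcertia")] = Status.COMPLIANT
    lbl.tags[("legal", "SOC2")] = Status.COMPLIANT
    return lbl
```

The validator is the part that makes the label more than a self-declared badge: it cannot prove a control exists, but it can refuse to publish a label whose layers contradict each other, and the findings list is exactly what a developer checklist or an ethics review would work through before the label is issued.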

 

Consequences


By surfacing the relevant rules right where users can see them, in plain-English terms, trust can be increased. Developers and regulators will also have access to a shared ethical framework, applicable to any application regardless of geographical jurisdiction, which they can use to assess apps. Additionally, there is room for modular certifications: an app could state, for example, “we are anonymization-compliant but still working on HIPAA,” setting a gold standard for transparency.

However, the approach is not without its trade-offs. As laws continue to evolve, the architectural complexity will continue to increase and require frequent updates. This may introduce additional work and legal exposure for developers, which is not ideal. Too much information can also drown users if the label is not designed with clear visuals and simplicity in mind. These ethical frameworks may also require considerable adjustments, as they are not one-size-fits-all; they need thoughtful human input to stay relevant. Legally, the specifics are HIPAA, GDPR, PHIPA, CMIA, Washington’s My Health My Data Act, Nevada’s SB370, and Connecticut’s geofencing ban. Ethically, alignment with AMA principles (autonomy, equity, responsibility), Xcertia’s technical guidelines, and Open Ethics’ own values is needed. Technically, recognition of key standards and practices such as ISO/IEEE 11073, TLS encryption, MFA, and strong consent/access controls is required.

The features are equally critical: a Consent Matrix (what, who, why), a Disclosure Dashboard (with tags like “HIPAA-compliant” or “User-Controlled Consent”), an Ethics Audit Trail for accountability, and a Breach Response Badge to show that an app is ready when things go sideways.

This system offers a living blueprint of what “compliance plus ethics” can look like in real time, which may be particularly valuable for regulators and policymakers. In the long term, this system could redefine the baseline for ethical technology by introducing a digital ecosystem where transparency isn’t just a feature but is built on legal and ethical standards from the get-go. As a result, users may start choosing trustworthy platforms that prioritize informed consent and accountability. Over time, adopting this system could reduce data misuse scandals, simplify international rollouts for developers, and strengthen public trust in digital health tools.

 

Footnotes

¹ This evaluation considers a modular integration of disclosure standards from various domains. Key legal frameworks include the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which sets national standards for the protection of protected health information (45 C.F.R. Parts 160 and 164); and the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, a comprehensive data protection law in the European Union focusing on transparency and data subject rights. Ethical considerations are informed by guidelines such as those developed by Xcertia, an mHealth collaborative that has published guidelines covering privacy, security, usability, operability, and content for mobile health applications. Technical interoperability and communication standards, such as those within the ISO/IEEE 11073 family (e.g., ISO/IEEE 11073 Health informatics – Medical / health device communication), are also integrated, which facilitate the exchange of health device data.

² The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996. One of its primary goals is to protect the privacy and security of individuals’ health information. HIPAA establishes national standards for the electronic exchange of health care information and requires covered entities (such as health plans, health care clearinghouses, and most health care providers) to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI).

Beyond privacy, HIPAA also addresses health insurance portability, aiming to make it easier for individuals to maintain health insurance coverage when they change or lose jobs. It also includes provisions to combat waste, fraud, and abuse in health care delivery and insurance. Over the years, HIPAA has been amended and supplemented by further legislation, notably the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which strengthened enforcement and expanded privacy and security rules.

³ The Washington My Health My Data Act (MHMDA), codified as RCW 19.373, significantly expands privacy protections for individual health data beyond HIPAA’s scope. It broadly defines “consumer health data” to include various forms of personal information linked to past, present, or future physical or mental health status, such as general health conditions, reproductive health information, and biometric data. The Act applies to any entity doing business in Washington that collects, processes, shares, or sells consumer health data, regardless of revenue or data volume. Key consumer rights under MHMDA include the right to opt-in consent for data collection and sharing, the right to access and delete data, and the right to withdraw consent. It also prohibits selling consumer health data without explicit authorization and bans geofencing around healthcare facilities. Violations are enforceable under Washington’s Consumer Protection Act and include a private right of action.

⁴ U.S. Department of Health and Human Services (HHS).

⁵ American Medical Association. “AMA Privacy Principles.” May 11, 2020. Accessed [Insert Date of Access]. https://www.ama-assn.org/system/files/2020-05/privacy-principles.pdf. The AMA’s principles emphasize individuals’ rights to know how their data is accessed, used, and disclosed, advocating for meaningful controls, including the right to direct entities not to sell or otherwise share data about them.

⁶ A label system in this context works like a trust badge for health technologies, providing a clear, standardized way to show how a product measures up across Legal, Ethical, and Technical layers. The Legal layer signals compliance with laws like HIPAA or GDPR, the Ethical layer highlights principles such as transparency, fairness, and patient autonomy, and the Technical layer indicates standards for security and interoperability, such as ISO/IEEE protocols. Instead of leaving these standards buried in dense documents, the multi-layered label makes them visible at a glance: regulators can verify compliance, hospitals can assess integration readiness, patients can check for ethical safeguards, and developers can showcase accountability. This approach harmonizes complex requirements into a practical, user-friendly system that builds trust while adapting to evolving regulations and technologies.

 
