Privacy and Security Guidance

Introduction

This section outlines privacy and security considerations for implementations using CA Core+. It draws on existing national and international best practices, including guidance from Infoway, HL7 International, and other pan-Canadian initiatives. This guidance is informative and does not relieve implementers of their obligations to comply with jurisdictional and organizational policies, laws, and standards.

CA Core+ implementers are expected to consider privacy and security throughout the lifecycle of their applications—from design to deployment and operation. Privacy and security requirements vary by jurisdiction, and developers must align their safeguards, consent mechanisms, and data handling procedures accordingly. For more guidance on implementing security in the Canadian context visit CA:Sec in the Canadian Reference Architecture.

Privacy Considerations

Privacy is foundational when exchanging patient data. Implementers must:

• Respect applicable Canadian privacy laws and organizational policies.
• Define and clearly communicate the purposes for data collection and use.
• Limit the collection, use, and disclosure of health information to what is necessary for the intended purpose.
• Obtain and respect patient consent, and where applicable, enable mechanisms to manage, log, and enforce consent.
• Provide transparency about data use through notices or other communication.
• Apply retention policies and disposal procedures for health information.
• Implement measures to safeguard against unauthorized access, use, or disclosure of health information.

Note: Each jurisdiction in Canada has its own privacy regulations. Implementers must ensure that deployments comply with the applicable laws and standards in the jurisdiction where the system is used.