
Your Client's Story Doesn't End When the Session Does

A proposed framework for a data object nobody has governed yet — and an invitation to those already working on it


The idea for this brief started with a simple question: what happens to a client’s story after the session ends? In digital mental health systems, it often does not stay in one place. It moves across platforms, accumulates notes, scores, summaries, and other traces, and can eventually become something more than a set of records. What seemed to be missing was not just a rule or a standard, but a category — a name for the kind of data object that forms when a person’s history becomes inferentially rich, longitudinal, and reusable.


That question led me to publish a policy brief — The Trusted Hub: How Canada Can Lead Global AI by Governing What It Cannot See — which proposes a name for that object: the Digital Subject Representation (DSR). The brief is a starting point, not a finished answer. And this post is as much an invitation to collaborate as it is an explanation of what the brief is trying to name.


Digital Subject Representation (DSR)

Two women in a counseling session, overlaid with infographic text on shared trust and digital subject representation.
Ethical obligation follows the nature of the information, not the absence of a name.

How the framework emerged


In February, I attended an ISI Academy webinar, An International Framework for Data Governance, where global experts explored the challenge of building governance approaches that can keep pace with rapidly evolving AI. For those of us working in digital mental health, the discussion resonated with questions we were already encountering in clinical data practice. It prompted me to write about what I was seeing.

Why this issue gained traction


What gave the issue traction was that it did not stay inside one discipline. After I published Digital Agency: The Heart of Ethical AI in Mental Health, I started hearing from people well beyond digital mental health. The Chief Statistician of the OECD commented, “Good article. I hope people read it,” and the former Director General of Statistics Canada wrote, “Great article… Looking forward to following your work and to explore potential opportunities for collaboration.” Those responses suggested that the concern was being recognised more broadly. The underlying ideas also found their way into a contribution to the UN Global Dialogue on AI Governance in Geneva in July 2026 — submitted before the DSR had a name, when the concern was clear but the governance object at its centre had not yet fully taken shape.


The first concrete step was the Clinical Data Governance Checklist (CDGC) — an awareness tool for clinicians, supervisors, and clinical directors to start asking better questions about what they are implementing and sharing. Not a compliance instrument. An invitation to look clearly at the data flowing through clinical systems.


In April, I introduced the CDGC at Beyond the Hype: Human Connection, Equity, and Clinical Judgment in an AI-Shaped Future. The response was strong: about 250 people attended live, with roughly 450 registered in total. What stayed with me was not the turnout, but how many people said they simply did not know this — did not know what was happening to the clinical data flowing through the systems they were using.


Then I followed one thread further: consent portability — whether the consent a client gives at the point of care travels with their data as it is transformed and reused. That thread led somewhere specific. A client's structured assessment data gets collected. Clinical notes and AI-generated artefacts — risk scores, session summaries — get added. Those records are linked across time and external sources. The resulting object is then de-identified and classified as an anonymised case. On that basis it may be cleared as low-risk, made eligible for secondary use, and commercially extracted to train AI models.


At no point in that sequence did the governance framework have an adequate category for the object that had formed. The client didn't know. The clinician didn't know. Often the clinical director who approved the data-sharing arrangement didn't know either — because the framework gave them no third category to reach for.

That is the gap. And it needed a name.


These ideas began to crystallise more fully this June in Ottawa, at the GLE Mental Health Match, Stronger Together: Transforming E‑Mental Health Across Borders. People told stories — not about governance in the abstract, but about real situations in real systems and real jurisdictions. Those stories helped shape both the scenarios and the language in the brief. They also sharpened the motivation for writing it: when practitioners working at the front lines of digital mental health implementation are encountering the same situations without adequate governance for them, the case for writing it down stops being theoretical.


What the brief proposes


At the centre of the brief is a simple distinction. In governance frameworks for de-identified health data, two kinds of object are commonly recognised:

  • Anonymised Data — discrete structured values such as a diagnosis code, PHQ-9 score, or lab result. These are generally governed adequately.

  • Anonymised Cases — a de-identified record of a single encounter or episode, including clinical notes and imaging. In technical and research contexts, these are often treated in practice as distinct from anonymised data composed only of discrete variables.


In practice, that distinction is not always consistently formalised, and may not yet be explicit in clinical or operational settings, where anonymised data is often treated as a single category.


What this can leave insufficiently recognised is what forms when cases are linked across time and external sources, and that linked data includes unstructured or derived content — clinical notes, session summaries, risk scores, and AI-generated outputs — relating to the same person.


The brief argues that this linked, longitudinal object may no longer be adequately governed as an anonymised case. It proposes calling it a Digital Subject Representation (DSR) and suggests that it may warrant a dedicated governance category — one that treats it more like a research subject record than a de-identified dataset.


A simple example may make the distinction clearer.


A plausible scenario: The Research Repository


A national platform aggregates de-identified hospital records across provinces. A single record contains a decade of linked encounters, laboratory trends, medication trajectories, imaging reports with free-text narratives, and diagnosis codes — all connected over time by an internal identifier that preserves the person as the coherent unit of analysis.


A consent waiver was granted on the basis that direct identifiers were removed and risk was assessed as low. Yet what has formed is no longer just a collection of discrete data points or a single anonymised case. It is a longitudinal, inferentially rich representation of a person assembled across time.


This scenario reflects a plausible architecture consistent with platforms currently in development; it is not a description of any specific operating system. The governance question it raises is whether existing frameworks are adequately distinguishing this kind of object from other forms of de-identified data.


Infographic showing AD to AC to DSR, from scattered data points to connected patient records and a human silhouette.

The bottom axis — Increasing Representational Capacity — is the governance-relevant dimension the brief proposes. At Tier 3, clinical notes, images, voice transcripts, lab results, embeddings, risk scores, AI summaries, and treatment history have combined into something that may function less like a record of events and more like a representation of a person. The brief argues that governance frameworks built for Tiers 1 and 2 were not designed for Tier 3.


The classification turns on two conditions intended to be detectable and operational. First, structured discrete values remain Anonymised Data, however many are linked — linkage alone does not raise the tier. Second, where unstructured or derived content is present, the question is whether it remains within one internally coherent episode of care or extends across episodes and external sources. One episode: Anonymised Case. Across episodes: on this proposed framework, a Digital Subject Representation.

The brief also proposes that where a person can already log in to a health portal to view test results or book appointments, that same access could carry the option to state: I do not consent to my digital records being combined to create a Digital Subject Representation of me for purposes beyond my care. Not a restriction on care. Not a restriction on genuine research. A boundary on secondary commercial use, using infrastructure that already exists in many health systems.
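The two classification conditions and the portal opt-out described above can be expressed as a check that a data-release pipeline runs before secondary use. This is an added illustration, not code from the brief. The `Item` fields, the gate labels, and the choice to treat a different episode or a different source as "crossing" are assumptions of this sketch.

```python
from dataclasses import dataclass

# Content kinds named on the page; the field names below are hypothetical.
STRUCTURED = {"diagnosis_code", "phq9_score", "lab_result"}
RICH = {"clinical_note", "session_summary", "risk_score", "ai_summary",
        "imaging_report", "voice_transcript", "embedding"}

@dataclass(frozen=True)
class Item:
    kind: str      # a content kind from the sets above
    episode: str   # hypothetical episode-of-care identifier
    source: str    # hypothetical originating system

def classify(items):
    """Return 'AD', 'AC' or 'DSR' for one linked, de-identified object."""
    unknown = sorted({i.kind for i in items} - STRUCTURED - RICH)
    if unknown:
        # Fail closed: an unrecognised kind must not default to the lowest tier.
        raise ValueError(f"unclassified content kinds: {unknown}")
    rich = [i for i in items if i.kind in RICH]
    if not rich:
        return "AD"   # condition 1: linkage of discrete values does not raise the tier
    # Assumption: a different episode OR a different source counts as crossing.
    spans = {(i.source, i.episode) for i in rich}
    return "AC" if len(spans) == 1 else "DSR"

def secondary_use_gate(items, opted_out):
    """Hypothetical gate labels: how a release pipeline might act on the tier."""
    tier = classify(items)
    if tier == "DSR":
        return tier, "blocked_by_opt_out" if opted_out else "dedicated_review"
    return tier, "existing_rules"

# Constructed sample objects (not real data).
LINKED_LABS = [Item("lab_result", f"ep{n}", "hospital_a") for n in range(1, 6)]
SINGLE_VISIT = [Item("phq9_score", "ep1", "clinic_b"),
                Item("clinical_note", "ep1", "clinic_b")]
LONGITUDINAL = LINKED_LABS + [Item("clinical_note", "ep1", "hospital_a"),
                              Item("risk_score", "ep4", "vendor_c")]

if __name__ == "__main__":
    for name, obj in [("linked labs", LINKED_LABS), ("single visit", SINGLE_VISIT),
                      ("longitudinal", LONGITUDINAL)]:
        print(name, secondary_use_gate(obj, opted_out=True))
```

The five linked lab results stay at the lowest tier, while adding a note and a risk score from different episodes moves the same object to DSR, where the opt-out takes effect.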


Why this might matter — and where we need help


The brief is an attempt to name something many people have been seeing for some time without a shared vocabulary for it. It is not a standard, and it is not a finished answer. It is a way of making a governance gap visible and offering a framework that others can examine, test, and improve.


If you are a clinical director, privacy officer, or system leader already working through questions about longitudinal client data and secondary use, the proposed DSR as a distinct governance object may offer a useful lens — or it may simply raise the right questions to put to vendors, ethics boards, or platform providers. It is not prescriptive. It is a starting point.


If you are a researcher, policy developer, or governance practitioner already working on this problem in any jurisdiction, I offer the brief as a contribution to a conversation that needs more voices, more testing, and more practical scrutiny than any one perspective can provide. I would genuinely welcome hearing from you.


The full brief is published as The Trusted Hub: How Canada Can Lead Global AI by Governing What It Cannot See, in the Clinical Data Governance community, a place to gather related work and continue the conversation. https://zenodo.org/communities/clinical-data-governance


The point of naming this object is not simply to improve classification. It is to help ensure that when a person’s life is translated into data, governance evolves with what that data has become. The session ends. The story doesn’t. Naming that reality is only a first step — but it may be one worth taking together.


Cindy Hansen is the Founder and Chief Science Officer of Holistic Research Canada. She is the author of the Clinical Data Governance Checklist (CDGC), a governance framework for structured, unstructured, and AI-enabled clinical data systems. Her work focuses on clinical data governance, feedback-informed outcome monitoring, and the ethical integration of AI in mental health systems. She contributes to international policy discussions on digital mental health and AI governance, including participation in UN-related and global multi-stakeholder forums. She writes and works from Syilx Okanagan Nation territory in Vernon, British Columbia, Canada.

 
 


©2026 by Holistic Research Canada
