The question of ownership of data, the language of ownership, can be a bit problematic or misleading in this context. In the Canadian approach, we've always talked about interests in data. We recognize that there can be multiple interests in data. A private sector company that collects data has an interest in the data they collect. The individual they collect it from has an interest in that data, and there may be other interests.
It's the same with personal health information. The health system has an interest in data collected through the medical system, for a variety of purposes, and the individual has an interest in that data.
The GDPR is a model that pushes us much more towards.... Well, it strengthens those interests. It doesn't assign ownership of data either, but it does provide for stronger interests on the part of the individual. Right now, I think we're in a data protection framework, particularly at the private sector level, that gives individuals considerably less interest in or control of their data than you would see in the European context.
I think that in all cases it's really a matter of interests, and you can have multiple interests in the same data.