In this exclusive interview with CanadianSME Small Business Magazine, Dr. Khaled El Emam, Founder and CEO of Woodway Assurance and Canada Research Chair in Medical AI at the University of Ottawa, discusses how organizations can move beyond risk avoidance to responsible data use. He shares why evidence-based privacy assurance is essential for AI and analytics, and how automated, standards-aligned approaches can unlock sensitive data while maintaining trust and regulatory confidence.
Interview By Kripa Anand
Dr. Khaled El Emam is the Founder and CEO of Woodway Assurance and Canada Research Chair (Tier 1) in Medical AI at the University of Ottawa, where he is a Professor in the School of Epidemiology and Public Health. He is also a Senior Scientist at the CHEO Research Institute and Director of the Electronic Health Information Laboratory. He recently served as Scholar-in-Residence at the Office of the Information and Privacy Commissioner of Ontario, where his main focus was updating Ontario’s de-identification guidelines for structured data. Over his career, he has founded or co-founded multiple data and analytics companies based on his research on de-identification, synthetic data and privacy-enhancing technologies.
What is EviData in simple terms, and what problem were you trying to solve by creating an independent, automated privacy-assurance tool for sensitive data?
In simple terms, EviData helps organizations answer a question they struggle with every day: is this data actually safe to use or share?
For years, teams have been de-identifying or synthesizing data, but approvals still stall because it’s hard to independently verify those claims. Legal and privacy teams are asked to make technical judgments under time pressure, and the safest answer often becomes “no.” That slows research, quality improvement efforts, analytics and AI projects, even when the data could be used responsibly.
EviData was built to change that dynamic. It is independent, automated enterprise software that evaluates de-identified, anonymized and synthetic datasets against contemporary standards and regulatory guidance, including the Ontario Information and Privacy Commissioner’s de-identification guidance and international ISO standards such as ISO/IEC 27559. In minutes, it produces a clear, documented report showing whether widely accepted conditions for safe use are met.
What once took weeks of manual analysis and specialized expertise can now be done quickly and consistently, without losing rigour. The goal isn’t to weaken privacy safeguards, but to replace uncertainty with evidence, so organizations can move from a default “no” to a managed, defensible “yes.”
What are the most common obstacles organizations face when trying to access or share sensitive data, and how do those challenges slow down AI and analytics projects?
One major obstacle has been risk avoidance. When organizations have been unsure whether data has been de-identified properly, it has often been easier to say no for a decision on internal data reuse or external data sharing. That approach may feel safe, but it has had real consequences for competitiveness and success. We’ve seen this across commercial, academic and government organizations.
Another obstacle has been how privacy risk assessments have traditionally been done. Re-identification risk assessments required specialized training, expertise and judgment and have been difficult to scale across multiple datasets or teams.
Time has been another constraint. These assessments have traditionally taken months to complete. In an environment where AI and analytics projects move at light speed, months to get an answer can slow progress and innovation significantly. Projects have been delayed, opportunities missed and valuable data left underused, not because it couldn’t be shared responsibly, but because the process to get there was slow, inconsistent and uncertain.
What’s been missing is a practical way to simplify a highly complex task without losing the necessary rigour when dealing with sensitive data. EviData solves that problem. By satisfying the requirements of privacy and legal teams in a highly automated way, it reduces friction and enables faster, but still responsible, access to data so the business can move forward quickly across product development, marketing, research and analytics.
Who is EviData designed for, what are its main use cases, and how is it different from more traditional, manual privacy reviews or consulting-based approaches?
EviData is designed for organizations in sectors such as health and life sciences and financial services that rely on data for analytics, research and AI. It supports teams doing data intensive work, including for secondary purposes, and is targeted for use by business users, researchers and data scientists who need to assess whether sensitive data can be used and shared.
EviData is AI-enabled and automated enterprise software that runs entirely in the client’s environment. It operationalizes contemporary regulatory guidance and international standards in practice, such as from Canadian regulators and ISO. In minutes, it generates a clear, independent report indicating whether a dataset can be considered non-identifiable and safe to use and share responsibly. That report provides transparent, auditable evidence of due diligence that can be relied on for internal oversight, partners or regulators, including in the event of a breach.
We see a few main uses cases for EviData. Data users can directly assess datasets and share the report with privacy or legal teams. EviData can also be used within data workflows, allowing organizations to consistently apply the same standards as data moves into analytics and AI activities, supporting confident data use without compromising data protection or quality. EviData allows for continuous monitoring of risk and the seamless integration of risk assessment in data pipelines.
How did your journey from software analytics to clinical trials and health data privacy influence the way you designed EviData and the standards it follows?
I’ve been in the data analysis and machine learning space for almost 30 years, initially working on high reliability software systems such as automobiles, avionics, telecommunications and space.
A chance discussion resulted in a pivot to healthcare, where the same analytic methods and techniques were seen as much more impactful in addressing significant inefficiencies with clinical trials. It became evident that data privacy was a barrier. We had many ideas and capabilities to analyze and learn from the data we were collecting, but limits on secondary uses and disclosures were inhibiting these applications and the many beneficial patient outcomes that could have been realized. This resulted in a second pivot to health data privacy and working to develop and deploy privacy enhancing technologies in practice. The significant potential benefits of unlocking health data were evident and we wanted to solve that problem.
Woodway is one of several successful spin-offs from the CHEO Research Institute and the University of Ottawa over the past few years, where we’ve created game-changing technologies that enable responsible, ethical data use. It’s very satisfying to be part of the machinery that has enabled advances in healthcare by making data available for researchers and analysts to do their important work that impacts tens of thousands of patients globally. And there’s still more work to do.
For leaders who aren’t privacy specialists but own data-driven initiatives, what practical steps should they take to use sensitive data safely, and how can they learn whether EviData is a good fit for their organization?
The first step is to move away from the expectation of zero risk, which can’t be met in practice. Using sensitive data responsibly is a business decision that involves understanding and managing risk, and demonstrating due diligence using well-established thresholds and standards.
The next step is to make risk assessment practical and repeatable. Manual approaches place too much burden on small teams or require repeated use of external consultants – they are just not scalable. Leaders should look for ways to apply existing guidance efficiently without requiring deep technical expertise across the organization.
Shortcuts and simplistic approaches to solving privacy problems, and de-identification specifically, aren’t a good solution because they cannot ensure high data utility. Following best practices and relying on automation maximizes data utility so that the resultant data is safe to use and still has high utility for the secondary purposes.
With EviData there are now tools that automate assessments and provide clear, documented evidence aligned with regulatory guidance. That gives data teams confidence to move AI and data projects forward and gives privacy and legal teams defensible support for their oversight role.
I think the fact that we recently closed an oversubscribed $1M seed funding round is a strong signal of confidence in the growing need for independent, standards aligned and automated data assurance.
If what I have described resonates, the best way for organizations to see whether EviData is a good fit is to reach out to us for a demo.
Disclaimer:
The views and opinions expressed in this interview are those of the interviewee and do not necessarily reflect the official policy or position of CanadianSME Small Business Magazine. Our platform is dedicated to fostering dialogue and sharing insights that inspire and empower small and medium-sized businesses across Canada.
