
Assessment Framework for Mental Health Apps

Glossary of Terms, Abbreviations, and Acronyms


Two spirit, lesbian, gay, bisexual, transgender, queer and/or questioning and additional sexual orientations and gender identities.


Americans with Disabilities Act Standards for Accessible Design.


People 19 and older (according to the Office of the Privacy Commissioner of Canada).


Artificial intelligence.


Mathematical calculations that produce outputs, providing further insight into the mental health data they manipulate; for instance, calculating the average mood recorded by the user in a given week.

Android Application Quality Guidelines

Android Application Quality Guidelines is a checklist that defines a set of core quality criteria and associated tests to help developers assess the quality of their app. The checklist highlights the minimum quality that all apps should meet.


Accessibility for Ontarians with Disabilities Act.


Application programming interface.


A firm that accredits organizations to deliver high-quality cybersecurity training courses.

Apple HIG

Apple human interface guidelines.


Refers to the relevant digital health product.

assessment framework

A set structure of standards and criteria.


An individual trained to carry out the MHCC’s assessment against the assessment framework.

behaviour change

Refers to behaviour change techniques apps may adopt to deliver or achieve a specific outcome. Cognitive behaviour therapy (CBT) and dialectical behaviour therapy (DBT) are examples of such techniques.


Black, Indigenous, and people of colour.


A charitable organization, public foundation, or private foundation registered with the Canada Revenue Agency.


The term for National Cyber Security Centre-approved companies that can conduct authorized penetration tests of state-sector applications.


Persons below age 13 (according to the Office of the Privacy Commissioner of Canada).

CIS Top 20 Compliance

The Centre for Internet Security (CIS) Top 20 Critical Security Controls is a prioritized set of best practices created to protect against today’s most dangerous cyber threats.


In this document, refers to having a person (or people) with lived and living experience as a designer of an app. Kleinsmann and Valkenburg describe co-design as “the process in which actors from different disciplines share their knowledge about both the design process and the design content. . .to create shared understanding on both aspects [and] achieve the larger common objective: the new product to be designed (p. 30).”[1]

[1] Kleinsmann, M., & Valkenburg, R. (2008). Barriers and enablers for creating shared understanding in co-design projects, Design Studies, 29(4), 369-386. https://doi.org/10.1016/j.destud.2008.03.003


A social unit with commonality such as norms, religion, values, customs, or identity.


A software company is a company whose primary products are various forms of software, software technology, distribution and software product development.


Small text files containing information generated by a server when a web connection is established and placed on a user’s or visitor’s personal computer or smart device.


CREST accreditation demonstrates that a company conducts and documents penetration testing (i.e., an authorized simulated cyberattack on a computer system, performed to evaluate its security) in accordance with the highest legal, ethical, and technical standards.


Carefully chosen principles that apps are assessed against. In this document, each criterion is phrased as a question. The list of criteria formulates every standard and makes up the overall assessment framework.


Clinical specialty systems that specialize in a particular health problem, which are usually placed in different areas of a hospital. For example, the maternity ward would have a maternity clinical specialty system to record important information.

CyberSecure Canada

A national program that enables small and medium-sized organizations to achieve certification. To do so, they must implement requirements to protect their business, users, and partners from cyberattacks.

data management standards

Standards that set out guidelines by which data are described and recorded. Adhering to data management standards ensures that a company is following best practices in handling its data.

data subjects

The identified or identifiable individual that personal data relates to.


The person or people who created and developed a mobile or web application.

digital health product

Mobile or web-based applications.


Electronic health-care records that are accessible across a range of services, i.e., the same record is accessible from the family doctor and from the hospital.


Electronic medical records that are only accessible by one service, i.e., a record maintained and accessed only at one family doctor’s office.


A method of converting information into secret code that hides its true meaning. Data that is encrypted is viewed as secure.


The evidence standards framework developed by the National Institute for Health and Care Excellence (NICE) for digital health technologies, made up of effectiveness and economic impact standards.


A population group with a common national or cultural tradition.

federal government organization

Institutions created to regulate industries or practices that require specialized expertise or general oversight.


First Nations Information Governance Centre.


The General Data Protection Regulation is the standard developed in the United Kingdom (U.K.) and the European Union (EU). All apps must be fully compliant with this standard.

general health/wellness

A broad term used to highlight non-specific mental health problems, e.g., non-specific stress.

in vitro diagnostic devices (IVDs)

Devices that test biological samples such as tissues, blood, or urine.

Indigenous peoples

The collective name adopted by the government of Canada “for the original peoples of North America and their descendants” (para. 1).[1]

[1] Crown-Indigenous Relations, & Northern Affairs Canada. (2021). Indigenous peoples and communities. https://www.rcaanc-cirnac.gc.ca/eng/1100100013785/1529102490303

ISO 25062

A framework that provides a standard method for reporting usability test findings collected through quantitative measurements. It is particularly appropriate for summative/comparative testing.

ISO 27001

A widely known framework that provides requirements for an information security management system.

ISO 9241

A framework for understanding the concept of usability and applying it to situations in which people use interactive systems.

jurisdictional principles

Rules set by a state that explain or control how something happens or works and how these elements affect persons, property, and circumstances in its geographical territory.

lived experience/living experience

Personal knowledge about the world gained through “direct, first-hand involvement in everyday events rather than through representations constructed by other people.” [1] The term has also been defined as “the experiences of people on whom a social issue or combination of issues has had a direct impact” (p. 6).[2]

[1] Chandler, D., & Munday, R. (2020). Lived experience. In Oxford: A dictionary of media and communication (3rd ed.). Oxford University Press. https://doi.org/10.1093/acref/9780199568758.001.0001

[2] Sandu, B. (2017). The value of lived experience in social change: The need for leadership and organisational development in the social sector. http://thelivedexperience.org/report/

machine learning

This document considers machine learning a technique of AI. After the assessor has determined that an app uses AI, the framework asks which AI technique is involved. Responses include machine learning, natural language processing, etc.


Mobile health app usability questionnaire.

medical device

Any instrument or component used to treat, diagnose, or prevent a disease or abnormal physical condition.

medical purpose

Please refer to the definition of ‘device’ in the Food and Drugs Act, where medical purpose includes those elements listed in (a) through (e).

mental health problem

A consistently used phrase throughout this framework to denote the full range of mental health conditions that affect people.


The Mental Health Commission of Canada.


The National Health Service is England’s publicly funded health-care system.


The National Institute for Health and Care Excellence is an executive non-departmental public body in the Department of Health and Social Care (U.K.).


First Nations principles of ownership, control, access, and possession that reflect their commitment to use and share information in a way that benefits the community while minimizing harm.


The ORCHA clinical safety assessment is a set of criteria developed to objectively outline safety considerations for health app developers to adhere to.


The Organisation for the Review of Care and Health Apps.


A company, charity, insurer, or provider involved in the mental health and physical health care or therapeutic space.

OWASP level

The Open Web Application Security Project Application Security Verification Standard (ASVS) is a framework that focuses on defining security controls. Each application is assigned an OWASP level based on particular qualities. Evidence is then reviewed proportionally against that assigned level.

PEN/vulnerability — penetration/vulnerability testing

A simulated cyberattack against your computer system to check for exploitable vulnerabilities.

person with disability

A group that includes “those who have long-term physical, mental, intellectual or sensory impairments which in interaction with various barriers may hinder their full and effective participation in society on an equal basis with others” (p. 3).[1]

[1] United Nations Convention of the Rights of Persons with Disabilities, December 6, 2006, https://www.un.org/disabilities/documents/convention/convention_accessible_pdf.pdf


Protected health information, which is any “identifying information” about an individual, whether oral or recorded, that relates to (1) the individual’s mental health problems, including family medical history, (2) the provision of health care or a plan of service for the individual, (3) payments or eligibility for health care or its coverage, or (4) the donation of any body part or bodily substance or the testing or examination of any such part or substance. PHI also includes the individual’s health number and the identification of a health-care provider or substitute decision maker for the individual.


Personal health records give people access to their own medical histories.


Personally identifiable information can identify an individual, either used alone or with other relevant data.

PIPEDA (or Privacy Act)

The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. It governs how private sector organizations collect, use, and disclose personal information in the course of doing business.

provincial or territorial government or representative

Government bodies created to regulate industries or practices that require specialized expertise or general oversight.


A randomized control trial is considered a high-quality study. Such trials enable apps to be tested against a control whereby participants are randomly placed in an experimental or control group.


Software as a Medical Device is a Health Canada term to identify software used for one or more medical purposes.

signal acquisition system

A system that acquires real-world, user-derived data that can serve as input to the SaMD.


An auditing procedure to ensure that service providers securely manage data.

therapeutic support

Support with a person’s circumstances or mental health problem (as opposed to technical issues).


The U.S. Digital Health Assessment Framework, which ORCHA developed with the American Telemedicine Association.


World Wide Web Consortium.


Web Content Accessibility Guidelines 2.0 AA.


Web Content Accessibility Guidelines 2.1 AA.


People ages 13 to 18 (according to the Office of the Privacy Commissioner of Canada).