Privacy Officer: The person within the College who is responsible for ensuring compliance with privacy obligations, including this Privacy Code, with respect to the collection, use, disclosure and handling of personal information by College representatives (including staff, contractors and authorized agents).
Collection: Refers to the act of gathering, acquiring, recording or obtaining personal information from any source, by any means.
Consent: Voluntary agreement to the collection, use and disclosure of personal information for defined purposes. Consent can be express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing but is always unequivocal and does not require any inference on the part of the College. Implied consent can be reasonably inferred from an individual’s action or inaction.
Disclosure: The release, transfer, provision of access to, or divulging in any manner of information outside of the College.
Individual: Anyone who has entrusted the College with their personal information, including, but not limited to, applicants, members, clients, complainants, witnesses, as well as council and committee members.
Personal Information: Information about an identifiable individual, including sensitive information such as personal health information. Personal information does not include aggregate information that cannot be associated with a specific individual.
Retention: Refers to the act of storing personal information as long as necessary to fulfill stated purposes, or as long as otherwise specified by law.
Third Party: An organization aside from the College and its members.
Use: Refers to the treatment, handling and management of personal information by the College.
The College of Nurses of Ontario (“the College”) is committed to protecting the privacy of the personal information collected and maintained on applicants, members, the public and stakeholders. To highlight this commitment, the College has developed this Privacy Code based on the ten privacy principles in the Canadian Standards Association’s Model Code for the Protection of Personal Information (CAN/CSA-Q830-96).
The Ten Privacy Principles Followed by the College
The College is responsible for personal information under its control and has designated an individual who is accountable for compliance with the following principles.
1.1. Responsibility for ensuring compliance with the provisions inherent in this Privacy Code rests with the Privacy Officer for the College, being the Director, Information Systems. The Privacy Officer may delegate responsibilities to one or more College employees to act on his or her behalf, and to oversee the day-to-day management of personal information handling practices and procedures.
1.2. The College uses contractual or other means to ensure that third parties with whom personal information is shared provide a comparable level of protection while information is being processed by them.
1.3. To give effect to the principles of privacy, in addition to developing this Privacy Code, the College has:
- Developed and implemented internal procedures to protect personal information;
- Established procedures to receive and respond to privacy inquiries or complaints; and
- Established a training program and regular staff communications regarding the College’s privacy policies and practices.
2. Identifying Purpose
The College identifies the purposes for which personal information is collected at or before the time the information is collected.
2.1. The College collects personal information under the general authority of the Regulated Health Professions Act, 1991, S.O. 1991, c. 18; the Nursing Act, 1991, S.O. 1991, c. 32; their regulations; and the College’s by-laws.
2.2. The College collects personal information in order to fulfill its regulatory mandate, and in particular, for the following purposes:
a) Assessing conformance to entry-to-practice competencies;
b) Assessing eligibility for registration, membership renewal or reinstatement;
c) Responding to requests for examination accommodation;
d) Assessing members’ continued competence through its Quality Assurance Program;
e) Enforcing standards of practice and conduct;
f) Assessing the risk to the public when alerted that there is a concern about a nurse’s practice or conduct;
g) Responding to requests or inquiries from or providing information to prospects, applicants, members, employers and the public;
h) Verifying identity in order to process requests for access to personal information;
i) Carrying out the College’s operations, including selecting members for appointment to the College’s committees and contacting potential volunteers and focus group participants;
j) Supporting all activities of Council and Committee members regarding Council and Committee related matters;
k) Conducting research and compiling aggregate statistics for reporting purposes; and
l) As required by law or regulation.
2.3. Upon request, College staff will explain the purposes for which the personal information is collected, or refer the individual to a designated representative of the College who can explain the purposes.
2.4. The College does not use or disclose personal information that has been collected for any new purpose that has not been identified in Section 2.1, without first identifying and documenting the new purpose and obtaining consent.
2.5. Members of the College should also visit eHealth Ontario’s website to review their Notice of Collection and privacy practices.
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
3.1. The College ensures that the consent of the individual is obtained for the collection, use and/or disclosure of personal information, except where otherwise authorized or required by statute, regulation or common law.
3.2. In determining the appropriate form of consent, the College takes into account the sensitivity of the personal information and the reasonable expectations of the individual.
3.3. The College makes every effort to highlight this Privacy Code at the time of collecting personal information, in order for individuals to review the purposes for the collection.
3.4. When an individual provides personal information to the College in the context of an investigation, inquiry or complaint, consent to the use of such information, strictly to address the issue, is implied.
4. Limiting Collection
The College limits the collection of personal information to that which is necessary for purposes identified by the College. Personal information is collected by fair and lawful means.
4.1. The College collects and records only such personal information as is required to fulfill the purposes identified in Section 2.2 of this Privacy Code.
4.2. Where permitted or required by law, the College may collect the personal information of an individual indirectly through a third party.
4.3. The College requires any third party that collects personal information on behalf of the College to do so in accordance with this Privacy Code.
4.4. When the College is provided with more personal information than is required, or when personal information is provided but not required at all, the College takes reasonable steps to inform the provider of the personal information that such information should not be provided to the College. The College also takes reasonable steps to securely destroy such personal information that is not needed.
5. Limiting Use, Disclosure and Retention
The College does not use or disclose personal information for purposes other than those for which it is collected, except with the consent of the individual or as required by law. The College retains personal information only as long as necessary for the fulfillment of those purposes, or as required by law.
5.1. Only College representatives with a business-related need to know are granted access to personal information about individuals.
5.2. The College may disclose personal information to:
a) an agent or third party retained by the College in order to assist the College fulfill the purposes set out in Section 2.2, provided the third party commits to protecting personal information in accordance with this Privacy Code;
b) a member or witness in the context of a complaint if disclosure of the identity of an individual is necessary in order for the College to administer the Regulated Health Professions Act, 1991, S.O. 1991, c. 18;
c) a third party who makes a reasonable request for personal information, if the individual who the information is about consents to such disclosure; or
d) the government or regulators upon request to facilitate their provision of important information to members that is related to the practice of nursing; or
e) comply with any legal obligation that requires or permits the disclosure of personal information (for example, in the context of an investigation of any contravention of a law).
5.3. Where any personal information is stored or processed outside of Canada, it is subject to the laws of that foreign jurisdiction and may be accessible to that jurisdiction’s governments, courts, law enforcement and regulatory agencies.
5.4. In all contexts where the College discloses personal information, the College shall ensure that the disclosure is limited only to the information that is required to be shared.
5.5. The College retains personal information only as long as it is deemed necessary, to fulfill the identified purposes for which the information was collected, or longer if required due to an on-going investigation or legal proceeding. Retention timelines are documented in the College’s corporate retention schedule.
5.6. Personal information no longer necessary or relevant for the identified purposes, or no longer required to be retained by law, shall be securely destroyed, erased or made anonymous.
The College makes reasonable efforts to ensure that personal information is as accurate, complete and up-to-date as is necessary to fulfill the purposes for which the information is to be used.
6.1. The College relies upon individuals to ensure accuracy and completeness of the personal information provided to it, for example, home and business addresses and phone numbers). The College provides mechanisms to allow for updates and corrections to personal information.
6.2. Reasonable efforts are made to ensure that data is accurately entered into the College’s information systems.
6.3. An individual is able to request a correction of what, in his or her view, is erroneous or incomplete information. The College will amend the information or refer the individual to the organization that created the record in order to challenge the accuracy or completeness of the information.
6.4. In the event of a dispute between the individual and the College as to the accuracy or completeness of personal information, the College will notify the individual of the rationale not to amend the information and update the individual's file with details of the disagreement. The College will provide the individual with information on challenging the decision.
The College protects personal information with security safeguards appropriate to the sensitivity of the information.
7.1. With the use of appropriate physical, organizational and technical security measures, the College protects personal information against a variety of risks, such as loss, theft, unauthorized access, disclosure, copying, use and modification or unscheduled destruction of such information.
7.2. The College uses commercially reasonable efforts to ensure the protection of personal information it discloses to third parties. For example, contracts with third parties stipulate responsibilities to protect personal information and to only use it for specific purposes.
7.3. College staff with access to personal information are required to respect privacy, and are regularly reminded of their obligations to protect the personal information they view or handle.
7.4. Safeguards are regularly reviewed to ensure that they remain appropriate, and continue to mitigate new threats and vulnerabilities.
The College makes readily available information about its policies and practices relating to the management of personal information.
8.1. Information on the College's personal information handling practices are available to the public and its members via the College's website at www.cno.org or may be requested by phone at 416-928-0900 or by mail at 101 Davenport Road, Toronto, Ontario M5R 3P1.
8.2 This information includes:
- the name, title and address of the Privacy Officer to whom inquiries or complaints can be forwarded;
- the means of gaining access to personal information held by the College;
- a description of the type of personal information held by the College, including a general account of its use and disclosure; and
- a copy of any College policies or procedures that can be made available to the public, and that explain the College’s personal information handling practices.
9. Individual Access
Upon written request, an individual will be informed of the existence, use and disclosure of his or her personal information and will be given access to that information, subject to limited exceptions. An individual can challenge the accuracy and completeness of the information and have it amended as appropriate.
9.1. An individual may request access to their personal information as maintained by the College. All requests for access shall be made by completing the Request for Access to Personal Information form. The form is also available through Customer Service or by contacting the Privacy Office.
9.2. Prior to granting access, the College will verify the identity of the requestor, and may request sufficient identification information to ensure the requestor is entitled to the information being sought.
9.3. When the College is in a position to provide access to personal information, access will be provided in an understandable form and within a reasonable time period. The College may charge fees for such access to cover any costs that will be incurred.
9.4. Upon request, the College will provide an account of the use and disclosure of the individual’s personal information and, where reasonably possible, will state the source of the information.
9.5. In the event that the College denies an access request, the College will provide a written rationale for the refusal, except where prohibited by law. The College shall also provide information on how a requestor can challenge the denial. Examples of situations where access may be denied include:
- information contains references to another individual(s) that cannot be severed;
- disclosure may result in significant risk of harm to the requestor or a third party;
- information was collected or created in the course of an inspection, investigation, inquiry, assessment or similar procedure;
- disclosure may defeat the purposes for which the information was collected;
- information cannot be disclosed for legal, security or commercial proprietary reasons;
- information is subject to solicitor-client or other privilege;
- information was generated in the course of a dispute or resolution process; or
- the request is frivolous, vexatious, made in bad faith or otherwise an abuse of process.
10. Challenging Compliance
An individual can address a challenge concerning compliance with this Privacy Code to the College’s Privacy Officer.
10.1. The College maintains procedures for addressing and responding to all inquiries and complaints regarding the College’s handling of personal information.
10.2. All complaints concerning compliance with this Privacy Code are taken seriously and investigated in a timely manner. If a complaint is found to be justified, the College shall take appropriate measures to resolve the complaint and implement corrective actions, as well as amend existing policies and procedures as necessary.
If you have any questions or comments about this Privacy Code, please contact the Privacy Officer of the College at:
Director, Information Systems
College of Nurses of Ontario
101 Davenport Rd.
Tel: 416-928-0900 or 1-800-3875526 (toll-free in Canada), Ext. 7523