CNO takes full responsibility for the protection of personal information, including personal health information it collects. Personal information and personal health information is collected and managed under the general authority of the Regulated Health Professions Act, 1991, S.O. 1991, c. 18 (RHPA); the Nursing Act, 1991, S.O. 1991, c. 32; their regulations; and CNO’s by-laws.

In fulfilling its mandate as a regulatory body, CNO follows the privacy best practice principles contained in the Canadian Standards Association Model Code for the Protection of Personal Information, CAN/CSA-Q830-96

CNO has an appointed Privacy Officer who oversees information-handling practices and CNO’s Privacy Office. The Privacy Officer’s duties include:

• developing and reviewing internal procedures to protect personal information,
• ensuring all staff are trained on privacy best practices and are aware of the importance of safeguarding any personal information that they are privy to,
• ensuring all inquiries and complaints relating to privacy are appropriately handled and
• ensuring the appropriate contractual commitments are in place for third-party service providers with which CNO shares personal information.

"Personal information” is any factual or subjective information about an identifiable individual, whether it is recorded or not. This includes your name, contact information, birth date, educational background, and work history as well as any sensitive information such as financial or health data. Personal information does not include aggregate information that cannot be linked to a specific individual.

Personal health information is identifying information about an individual in oral or recorded form that relates to health care, health history, providers, eligibility, payments, or coverage.

Personal Information and personal health information will be referred to as ‘Personal Information’ for the duration of this policy.

CNO collects personal information with your knowledge and consent in several ways, for example, we collect personal information:

• from members of the public when they inform us of concerns about a nurse’s practice or conduct or submit a “Make a Complaint” form;
• from nurse registrants and applicants through application and renewal forms, and member learning plans and assessments;
• about nurse registrants and applicants from records provided by third parties; for example, with your authorization, licensing exam providers and educational institutions provide personal information to CNO.

There are instances where CNO has the legal authority to obtain records and collect, use, and disclose personal information and personal health information without consent. For example, we may do this in the course of a professional conduct investigation or to protect the interests or safety of the public.

We identify when providing information is optional and when it is necessary in order to fulfill our obligations as a regulatory health college. Your consent can be withdrawn at any time, subject to legal or contractual restrictions, by providing us with written notice. When we receive a notice to withdraw consent, we will inform you of the consequences of withdrawing your consent, which may include the inability to remain a member of CNO.

To fulfill our mandate and duties under the RHPA, we use personal information for the following purposes:

• to maintain the public register: the “Find a Nurse” service is available to the public at https://registry.cno.org/;
• to assess conformance to entry-to-practice competencies;
• to assess eligibility for registration, renewal or reinstatement with CNO;
• to respond to requests for examination accommodation;
• to process applications and payments;
• to assess registrants’ continued competence through CNO’s Quality Assurance Program;
• to enforce standards of practice and conduct;
• to address risks to the public when we are alerted that there is a concern about a nurse’s practice or conduct;
• to verify a person’s identity and respond to requests or specific inquiries;
• to carry out CNO’s operations, including selecting members for appointment to Committees and contacting potential volunteers and focus group participants;
• to support all activities of Council and Committee members;
• to inform you about CNO initiatives or important updates;
• for data analytics and to compile aggregate statistics for internal reporting purposes;
• to assess and manage risk, including detecting and preventing fraud or error; and
• to meet auditing, legal and regulatory processes, and requirements.

CNO takes all reasonable steps to protect the interest of individuals when disclosing personal information. We do not disclose personal information for purposes other than those for which it was collected unless you have provided consent to do so or if we are required or permitted by law to disclose the information.

When CNO is notified about a nurse’s practice or conduct, we contact the nurse to inform them of the complaint. We may be required or permitted by law to disclose a limited amount of personal information without explicit consent.

CNO members may consent to releasing their name, email and/or mailing address to the following external parties:

• educational institutions conducting research in nursing,
• entities providing information on continuing education opportunities, 
• government organizations providing information from government health entities and agencies,
• health care organizations providing information from hospitals and other health care planning and/or delivery organizations and
• nursing organizations (for example, unions and professional associations).

Without your explicit consent, we also share the personal information of CNO registrants with:

• government entities as required for specific programs such as the federal Canadian Institute for Health Information Nursing Database, the Ontario Ministry of Health’s Health Professions Database and eHealth Ontario (Ontario Health); 
• a body that governs a profession inside or outside of Ontario and
• third-party service providers who assist us in fulfilling our mandate, including outsourced IT partners.
  

We take reasonable steps to ensure that any third-party service providers who we entrust with your personal information are reputable and have safeguards in place to protect this information. When we work with service providers, your personal information may be transferred to a foreign jurisdiction to be processed or stored. Additionally, personal information may be provided to law enforcement or national security authorities of that jurisdiction upon request, in order to comply with foreign laws.

When you visit CNO’s website, we automatically receive and record information on our server logs from your browser or mobile platform, including the date and time of your visit, as well as your IP address, unique device identifier, browser type and other device information (such as your operating system version and mobile network provider) by using cookies. CNO uses cookies to enhance a user’s online experience (for example, once you are logged in to the member portal, you can move between webpages without having to re-enter your credentials). You can disable cookies through your website browser, but this may affect how the website works for you.

The information we collect when you visit CNO’s website helps us analyze and improve the performance of our digital services. CNO uses Google Analytics for web statistical analysis. You can opt out of being tracked by Google Analytics by disabling or refusing the cookies, by disabling JavaScript within your browser, or by using the Google Analytics Opt-Out Browser Add-On.

CNO makes no effort to personally identify you based on your visit to our website unless we must do so for the protection of the public or for an ongoing investigation.

CNO has implemented physical, organizational and technical security measures to guard against unauthorized or unlawful access to the personal information we manage and store. We have also taken steps to avoid accidental loss or destruction of, or damage to, your personal information. While no system is completely secure, the measures implemented by CNO significantly reduce the likelihood of a data security breach.

Here are some examples of the security controls we have in place: 

• secure office premises with key card access;
• the use of encryption, such as a secure portal for document transfers and encrypted mobile devices;
• robust authentication processes, including multifactor authentication and complex passwords;
• limited access to personal information by employees who need the information to perform their work-related duties;
• the use of data centres with effective physical and logistical data security controls;
• a requirement for third-party service providers to contractually commit to protecting the personal information entrusted to them;
• locked filing cabinets and secure printing and shredding bins for paper records and
• annual privacy and data security training for all employees to provide education on their data protection responsibilities.

Further, we recommend that you do your part to protect yourself from unauthorized access to your personal information. For example, never share your member portal login credentials with anyone. CNO is not liable for any unauthorized access to your personal information that is beyond our reasonable control.

Upon your written request, CNO will allow you access to your personal information (contact, education, membership details and/or provided documentation) unless providing access could be reasonably expected to interfere with the administration or enforcement of the RHPA, the Nursing Act or their regulations. 

Exclusions from the right to access your personal information include (but are not limited to):

• The information was collected or created during an investigation or assessment, or authorized by law.
• Access may result in risk of harm to the requestor or others.
• Providing access may interfere with the purposes for which the information was collected.
• Access is restricted for legal or proprietary reasons.

If access is refused, or only partially granted, we will tell you the reasons.

Requests for access must be submitted in writing by completing the Request for Access to Personal Information Form. This form is also available through Customer Service or by contacting the Privacy Office. CNO will make every effort to respond to requests within 30 days unless more time is required due to extenuating factors.

You may also request a correction of your personal information. You can make a correction request by contacting the Privacy Office. Corrections will be made when you have satisfactorily demonstrated that the information is incorrect or inaccurate. CNO will not correct information that is the subject of investigation or proceedings under the RHPA and its regulations. 

CNO retains personal information for as long as necessary to fulfill legal or business purposes and in accordance with our retention schedules. Once your information is no longer required by CNO to meet legal or regulatory requirements, it is securely destroyed, erased or made anonymous. However, that information may be retained for longer due to an ongoing investigation or legal proceeding, and that residual information may remain in data back-ups for a period of time after its destruction date.

CNO takes privacy complaints very seriously. We have a procedure in place for managing any privacy-related concerns to ensure that we respond in a timely and effective manner. CNO’s Privacy Officer oversees the containment, investigation and corrective actions for all privacy breaches and incidents.

We may offer links from our website to the sites of third parties who can provide services to you. CNO cannot guarantee or control these third parties’ privacy practices. We recommend that you review their privacy policies before providing your personal information to any such third parties.

CNO’s use of social media serves as an extension of our presence on the internet and helps us build a positive brand image and provide useful information to the public. Social media accounts, such as CNO’s Facebook and Instagram accounts, are not hosted on CNO’s servers. Users who choose to interact with CNO via social media should read the terms of service and privacy policies of these services and platforms.

CNO may update this Privacy Policy from time to time to better reflect our current personal information handling practices. We encourage you to review this document frequently. The “last reviewed” date at the bottom of this Privacy Policy indicates when changes to this policy were published and went into force.