The College of Nurses of Ontario (“the College”) is committed to protecting the privacy of the personal information collected and maintained on applicants, members, the public and stakeholders. To highlight this commitment the College has developed this Privacy Statement. It is based on the Canadian Standards Association’s Model Code for the Protection of Personal Information. The College strives to comply with applicable requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Health Information Protection Act (PHIPA).

The Ten Privacy Principles Followed by the College

Accountability

The College is responsible for personal information under its control and has designated an individual who is accountable for compliance with the following principles.

1.1. Responsibility for ensuring compliance with the provisions inherent in this policy rests with the Privacy Officer for the College, being the Manager, Information Management. The Privacy Officer may delegate responsibilities to one or more College employees to act on his or her behalf, and to oversee the day-to-day management of personal information handling practices and procedures.

1.2. The College uses contractual or other means to ensure that third parties with whom personal information is shared provide a comparable level of protection while information is being processed by them.

1.3. To give effect to the principles of privacy, in addition to developing this policy, the College has:

1. Developed and implemented internal procedures to protect personal information;
2. Established procedures to receive and respond to privacy inquiries or complaints; and
3. Established a training program and regular staff communications regarding privacy best practices.

Identifying Purpose

The College identifies the purposes for which personal information is collected at or before the time the information is collected.

2.1. The primary purposes for the College’s collection of personal information are to fulfil its regulatory functions, (i.e., enforcement, entry to practice, quality assurance, standards), support governance and carry out operations, conduct research and compile aggregate statistics for reporting purposes and meet legal and regulatory requirements.

2.2. The College will identify the purpose for collection at or before the time of collection and any College staff that collects personal information will be able to explain the purposes for which the personal information is being collected. The purpose will be clearly and narrowly defined to ensure understanding of how the information will be used or disclosed.

2.3. Unless required by law, the College shall not use or disclose for any new purpose, personal information that has been collected without first identifying and documenting the new purpose and obtaining consent.

Consent

The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

3.1. The College ensures that the consent of the individual is obtained for the collection, use and/or disclosure of personal information, except in situations where the collection, use and/or disclosure is mandated by the Regulated Health Professions Act (RHPA) or a consent exemption applies under PIPEDA and PHIPA.

3.2. In determining the appropriate form of consent, the College shall take into account the sensitivity of the personal information and the reasonable expectations of the individual.

3.3. The College will make every effort to make consent meaningful by clearly stating the purpose(s) for which the information is to be collected, used or disclosed. When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified to the individual(s) prior to use, and consent will be obtained.

Limiting Collection

The College limits the collection of personal information to that which is necessary for purposes identified by the College. Personal information is collected by fair and lawful means.

4.1. The College collects and records only such personal information as is required to fulfil the purposes identified in s. 2.1 of this Privacy Statement.

4.2. Where permitted or required by law, the College may collect personal information indirectly, from third parties other than the individual whom the information is about.

Limiting Use, Disclosure and Retention

The College does not use or disclose personal information for purposes other than those for which it is collected, except with the consent of the individual or as required by law. The College retains personal information only as long as necessary for the fulfilment of those purposes, or as required by law.

5.1. The College ensures that personal information is accessible only to those individuals who need the information for the performance of their duties.

5.2. Under certain circumstances, the College has a legal duty or right to disclose personal information without consent. In all cases when disclosure of this type is made, the College shall ensure that the requirement to disclose complies with the appropriate law and that the disclosure is limited only to the information that is legally required.

5.3. In addition, the College has been designated as an investigative body under PIPEDA (Canada Gazette – Vol. 138, No. 8 – April 21, 2004). Section 7(3)(d) of PIPEDA therefore allows the disclosure of personal information to the College without the consent of the individual if there are reasonable grounds to believe that the information relates to a contravention of the Nursing Act (1991) or the RHPA. Similarly, section 43(1) of PHIPA allows a disclosure of personal health information to the College for the purpose of administering or enforcing the RHPA.

5.4. The College does not and will not sell any personal information to third parties for marketing or any other commercial purposes.

5.5. The College retains personal information only as long as it is deemed necessary, as set out in College’s corporate retention schedule, and ensures secure destruction when that period has expired.

Accuracy

The College makes reasonable efforts to keep personal information as accurate, complete and up-to-date as is necessary to fulfil the purposes for which the information is to be used.

6.1. The College makes every effort to keep the personal information of an individual accurate and complete. The College also relies on the individual to keep certain personal information (e.g., home and business addresses and phone numbers) accurate and complete and shall provide mechanisms to allow for updates and corrections to personal information.

6.2. The College may not always revise personal information as requested and in such an event shall notify the individual of the rationale and provide him/her with a mechanism to challenge the decision. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file.

Safeguards

The College protects personal information with security safeguards appropriate to the sensitivity of the information.

7.1. With the use of appropriate physical, administrative and technical security measures, the College protects personal information against a variety of risks, such as, loss, theft, unauthorized access, disclosure, copying, use, modification or destruction of such information.

7.2. The College uses commercially reasonable efforts to ensure the protection of personal information it discloses to third parties. For example, contracts with third parties stipulate responsibilities to protect personal information and only use it for specific purposes.

7.3. College staff with access to personal information are required, as a condition of employment, to respect the privacy of personal information.

Openness

The College makes readily available information about its policies and practices relating to the management of personal information.

8.1. This information will be made available upon request in a form that is generally understandable.

8.2. This information includes:

1. the name, title and address of the Privacy Officer to whom inquiries or complaints can be forwarded;
2. the means of gaining access to personal information held by the College;
3. a description of the type of personal information held by the College, including a general account of its use and disclosure; and
4. a copy of any brochures or other information that explains the College’s policies or information handling practices.

Individual Access

Upon request, an individual will be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information, unless a relevant exception applies. An individual can challenge the accuracy and completeness of the information and have it amended as appropriate.

9.1. An individual may request access to the personal information maintained by the College in order to review, update or correct this information. All requests for access shall be made in writing and the College shall provide access in a reasonable timeframe and may charge a reasonable fee for such access.

9.2. Prior to granting access, the College will verify the identity of the requestor, and may request sufficient identification information from the requestor.

9.3. Upon request, the College will provide an account of the use and disclosure of the individual’s personal information, and where reasonably possible, will state the source of the information.

9.4. In the event the College denies an access request, the College will provide a written rationale, except where prohibited by law. In such an event, the College shall also provide information on how a requestor can challenge the denial.

Challenging Compliance

An individual can address a challenge concerning compliance with this policy to the College’s Privacy Officer.

10.1. The College maintains procedures for addressing and responding to all inquiries and complaints regarding the College’s handling of personal information.

10.2. All complaints concerning compliance with this Privacy Statement shall be investigated by the College. If a complaint is found to be justified, the College shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures.

If you have any questions or comments about this privacy statement, please contact the Privacy Officer of the College at:

Manager, Information Management
College of Nurses of Ontario
101 Davenport Rd.
Toronto, ON
M5R 3P1
Tel: 416 928-0900 ext. 7557