The College of Nurses of Ontario (“the College”) is committed to protecting the privacy of the personal information collected and maintained on applicants, members, the public and stakeholders. To highlight this commitment, the College has developed this Privacy Statement based on the Canadian Standards Association’s Model Code for the Protection of Personal Information. The College also strives to comply with applicable requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Health Information Protection Act (PHIPA).
The Ten Privacy Principles Followed by the College
1. Accountability
The College is responsible for personal information under its control and has designated an individual who is accountable for compliance with the following principles.
1.1. Responsibility for ensuring compliance with the provisions inherent in this statement rests with the Privacy Officer for the College, being the Manager, Information Management. The Privacy Officer may delegate responsibilities to one or more College employees to act on his or her behalf, and to oversee the day-to-day management of personal information handling practices and procedures.
1.2. The College uses contractual or other means to ensure that third parties with whom personal information is shared provide a comparable level of protection while information is being processed by them.
1.3. To give effect to the principles of privacy, in addition to developing this statement, the College has:
- Developed and implemented internal procedures to protect personal information;
- Established procedures to receive and respond to privacy inquiries or complaints; and
- Established a training program and regular staff communications regarding privacy best practices.
2. Identifying Purpose
The College identifies the purposes for which personal information is collected at or before the time the information is collected.
2.1. The primary purposes for the College’s collection of personal information are to fulfill its regulatory functions (i.e., enforcement, entry to practice, quality assurance, standards), support governance and carry out operations, conduct research and compile aggregate statistics for reporting purposes and meet legal and regulatory requirements.
2.2. The College will identify the purpose for collection at or before the time of collection and any College staff that collects personal information will be able to explain the purposes for which the personal information is being collected. The purpose will be clearly and narrowly defined to ensure understanding of how the information will be used or disclosed.
2.3. Unless required by law, the College shall not use or disclose for any new purpose personal information that has been collected without first identifying and documenting the new purpose and obtaining consent.
3. Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, subject to limited exceptions.
3.1. The College ensures that the consent of the individual is obtained for the collection, use and/or disclosure of personal information, except in situations where the collection, use and/or disclosure is mandated by the Regulated Health Professions Act (RHPA) or a consent exemption applies under PIPEDA or PHIPA.
3.2. Consent can be express or implied and the manner in which the College seeks consent will vary depending on the circumstances and the type of information collected. In determining the appropriate form of consent, the College shall take into account the sensitivity of the personal information and the reasonable expectations of the individual.
3.3. The College will make every effort to make consent meaningful by clearly stating the purpose(s) for which the information is to be collected, used or disclosed. When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified to the individual(s) prior to use, and consent will be obtained.
4. Limiting Collection
The College limits the collection of personal information to that which is necessary for purposes identified by the College. Personal information is collected by fair and lawful means.
4.1. The College collects and records only such personal information as is required to fulfill the purposes identified in s. 2.1 of this Privacy Statement.
4.2. The College shall ensure that any third party that collects personal information on behalf of the College shall do so in accordance with this Privacy Statement.
4.3. Where permitted or required by law, the College may collect the personal information of an individual indirectly through a third party.
5. Limiting Use, Disclosure and Retention
The College does not use or disclose personal information for purposes other than those for which it is collected, except with the consent of the individual or as required by law. The College retains personal information only as long as necessary for the fulfillment of those purposes, or as required by law.
5.1. The College ensures that personal information is accessible only to those individuals who need the information for the performance of their duties.
5.2. Under certain circumstances the College has a legal duty or right to disclose personal information without consent. In all cases when disclosure of this type is made, the College shall ensure that the requirement to disclose complies with the appropriate law and that the disclosure is limited only to the information that is legally required.
5.3. In addition, the College has been designated as an investigative body under PIPEDA (Canada Gazette – Vol. 138, No. 8 – April 21, 2004). Section 7(3)(d) of PIPEDA therefore allows the disclosure of personal information to the College without the consent of the individual if there are reasonable grounds to believe that the information relates to a contravention of the Nursing Act or the RHPA. Similarly, section 43(1) of PHIPA allows a disclosure of personal health information to the College for the purpose of administering or enforcing the RHPA.
5.4. The College does not and will not sell any personal information to third parties for marketing or any other commercial purposes.
5.5. The College retains personal information only as long as it is deemed necessary, as set out in the College’s corporate retention schedule, and ensures secure destruction when that period has expired.
6. Accuracy
The College makes reasonable efforts to ensure that personal information is accurate, complete and up to date as is necessary to fulfill the purposes for which the information is to be used.
6.1. The College makes every effort to keep the personal information of an individual accurate and complete. It is the responsibility of the individual to provide the College with up-to-date and accurate personal information (e.g. home and business addresses and phone numbers). The College shall provide mechanisms to allow for updates and corrections to personal information.
6.2. An individual is able to request a correction of what, in his or her view, is erroneous or incomplete information. The College will amend the information or refer the individual to the organization that created the record in order to challenge the accuracy or completeness of the information.
6.3. In the case of a dispute between the individual and the College as to the accuracy or completeness of the information, the College shall notify the individual of the rationale not to amend the information and update the individual's file with the details of the disagreement. The College will provide the individual with information on challenging the decision.
7. Safeguards
The College protects personal information with security safeguards appropriate to the sensitivity of the information.
7.1. With the use of appropriate physical, organizational and technical security measures, the College protects personal information against a variety of risks, such as loss, theft, unauthorized access, disclosure, copying, use and modification or unscheduled destruction of such information.
7.2. The College uses commercially reasonable efforts to ensure the protection of personal information it discloses to third parties. For example, contracts with third parties stipulate responsibilities to protect personal information and to only use it for specific purposes.
7.3. College staff with access to personal information are required, as a condition of employment, to respect the privacy of personal information and are informed of privacy best practices.
7.4. The College ensures that personal information that is no longer required to be retained is disposed of in a confidential and secure fashion.
8. Openness
The College makes readily available information about its policies and practices relating to the management of personal information.
8.1. Information on the College's personal information procedures is available to the public and its members via the College's website at www.cno.org or may be requested by phone at 416-928-0900 or by mail at 101 Davenport Road, Toronto, Ontario M5R 3P1.
8.2. This information includes:
- the name, title and address of the Privacy Officer to whom inquiries or complaints can be forwarded;
- the means of gaining access to personal information held by the College;
- a copy of any brochures or other information that explains the College’s policies or information handling practices.
8.3. Inquiries concerning the College's policies and practices for collection, use and disclosure of personal information may be directed to the Privacy Officer at 416-963-7557 or at firstname.lastname@example.org.
9. Individual Access
Upon written request, an individual will be informed of the existence, use and disclosure of his or her personal information and will be given access to that information, unless a relevant exception applies. An individual can challenge the accuracy and completeness of the information and have it amended as appropriate.
9.1. An individual may request access to the personal information maintained by the College. All requests for access shall be made by completing the Request for Access to Personal Information form and the College will attempt to provide access in a reasonable timeframe and may charge fees for such access to cover any costs that will be incurred. The form is available through Customer Service or by contacting the Privacy Office.
9.2. Prior to granting access, the College will verify the identity of the requestor and may request sufficient identification information from the requestor.
9.3. Upon request, the College will provide an account of the use and disclosure of the individual’s personal information and, where reasonably possible, will state the source of the information.
9.4. In the event the College denies an access request, the College will provide a written rationale, except where prohibited by law. The College shall also provide information on how a requestor can challenge the denial. Examples of situations where access may be denied include:
- information contains references to another individual(s) that cannot be severed;
- disclosure may result in significant risk of harm to the requestor or a third party;
- information was collected or created in the course of an inspection, investigation, inquiry, assessment or similar procedure;
- disclosure may defeat the purposes for which the information was collected;
- information cannot be disclosed for legal, security or commercial proprietary reasons;
- information is subject to solicitor-client or other privilege;
- information was generated in the course of a dispute or resolution process;
- the request is frivolous, vexatious, made in bad faith or otherwise an abuse of process.
10. Challenging Compliance
An individual can address a challenge concerning compliance with this statement to the College’s Privacy Officer.
10.1. The College maintains procedures for addressing and responding to all inquiries and complaints regarding the College’s handling of personal information.
10.2. All complaints concerning compliance with this Privacy Statement shall be investigated by the College. If a complaint is found to be justified, the College shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures.
If you have any questions or comments about this privacy statement, please contact the Privacy Officer of the College at:
Manager, Information Management
College of Nurses of Ontario
101 Davenport Rd.
Tel: 416 928-0900 ext. 7557