Privacy

Privacy Code

Policy Objective

CAPR is committed to protecting the privacy and security of the personal and personal health information of individuals with whom it interacts, such as employees, clients, suppliers and contractors. This is achieved by embedding rigorous and consistent privacy and information protection strategies across corporate services and business units. CAPR’s Privacy Policy includes the strategies, tools, processes and reporting procedures necessary to support this. This Policy outlines how CAPR manages, monitors and reports on Privacy and Information Protection performance. This Policy also provides the accountabilities of Management and the Board related to the management of personal and personal health information.

CAPR’s purpose is to provide leadership and support to assist its members in fulfilling their public interest mandate through the following core business activities:

  • Administration and evaluation of the national Physiotherapy Competency Examination
  • Administration and evaluation of the national Credentialling program
  • Coordination and support of the development of national Regulatory Policy and Special Projects that represent the mutual interest of and are of high priority to member regulators.

CAPR collects, holds and uses personal and personal health information about identifiable individuals in the course of providing services.

Policy Scope

This Policy applies to all aspects of CAPR business operations.  References in this document to “CAPR Personnel” include directors, officers, employees, contract workers, consultants and agents of CAPR who collect, hold or use personal or personal health information.  CAPR Personnel will comply with the requirements of this Policy.  Failure to comply with privacy practices could expose CAPR to legal risk and may result in disciplinary action for CAPR Personnel.

Personal and personal health information refers to any information concerning an identifiable individual, but does not include the name, title, or business address or telephone number of an employee of an organization.  Some examples of personal information collected by CAPR include:

  • National origin, age or marital status
  • Educational and employment history
  • Correspondence with CAPR that is explicitly or implicitly of a private nature
  • Views or opinions concerning an employee’s or individual’s performance evaluation
  • Salary
  • Banking information
  • A person’s image (e.g., photographs, videos).

Personal information is not restricted to the examples listed above. Personal information may be stored on paper, electronically or digitally, and includes videos, photographs, and/or tape recordings.

Some examples of personal health information collected by CAPR include:

  • Details regarding an applicant’s special needs accommodation
  • Health history of CAPR staff

Personal health information is not restricted to the examples listed above. Personal health information includes any information concerning an identifiable individual’s physical or mental health status; the provision of their health care; the eligibility of payment for their health care; the identity of the provider of their health care; and, where required for an authorized purpose, their health care number. Personal health information also includes information about an identifiable individual that is not personal health information but is contained in the same record or file as personal health information about the individual.

Legal Requirements

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the legal requirements for the protection of personal information. While not directly subject to this legislation, CAPR has taken the position that business processes across the scope of roles within the organization will be designed to meet the inherent principles of the legislation. In Ontario, the Personal Health Information Protection Act (PHIPA) governs the legal requirements for the protection of personal health information. CAPR is subject to this legislation. In keeping with its legal requirements and best practices in the management of personal and personal health information:

  • CAPR Personnel must obtain informed consent from individuals before they collect personal and personal health information. This means open communication and transparency of CAPR’s information management practices.
  • CAPR Personnel need to be sensitive and rigorous in the handling of files, correspondence and other records containing personal and personal health information about individuals.
  • CAPR Personnel must understand and comply with information retention standards including the secure sharing and storage of all personal and personal health information.

Policy Principles

CAPR is responsible for personal and personal health information under its control and has designated the Chief Executive Officer as the Chief Privacy Officer who along with the management team is accountable for ensuring CAPR has processes, procedures and practices in place for the organization’s compliance with the following principles:

  • Identifying Purposes: The purposes for which personal and personal health information are collected will be identified by the organization at or before the time the information is collected.
  • Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal and personal health information, unless exceptions apply.
  • Limiting Collection: The collection of personal and personal health information will be limited to that which is necessary for the purposes identified by CAPR. Information will be collected by fair and lawful means.
  • Limiting Use, Disclosure, and Retention: Personal and personal health information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal and personal health information will be retained only as long as necessary for fulfillment of these purposes.

  • Accuracy: Personal and personal health information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
  • Safeguards: Security safeguards appropriate to the sensitivity of the information will protect personal and personal health information.
  • Openness: CAPR will make available to individuals specific information about its policies and practices relating to the management of personal and personal health information. The Privacy Policy and related information management practices will be posted on CAPR website.
  • Individual Access: Upon request, an individual will be informed of the existence, use and disclosure of his or her personal and personal health information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  • Challenging Compliance: An individual will be able to address a challenge concerning compliance with the above principles to the Chief Privacy Officer/Chief Executive Officer of CAPR. Appeals will be forwarded to the Executive Committee of the Board.  Where necessary, the Executive Committee will seek consultation with the Privacy Commissioner(s) to inform investigation processes and/or validate decisions.

Privacy Roles

Board

CAPR’s Privacy Policy is owned and approved by the Board via recommendations from the Governance and Nominations Committee. The Board is responsible for assuring the establishment and operation of prudent and effective personal and personal health information controls and a secure information management environment associated with CAPR’s operations. The Board delegates ‘day-to-day’ management including privacy and information management to the Chief Executive Officer, who delegates operational aspects to management personnel within CAPR.

Chief Privacy Officer

CAPR’s Chief Executive Officer or delegate serves as the Chief Privacy Officer. The Chief Privacy Officer is responsible for monitoring CAPR-wide application of the Privacy Policy and for monitoring changes in relevant legislation. The Chief Privacy Officer also serves as a resource for management and may coordinate and support the efforts of management in CAPR Personnel training and awareness. The Chief Privacy Officer will assist in the development of business processes and procedures across programs. The Chief Privacy Officer also manages all complaints and is responsible for responding on behalf of CAPR to internal and external requests for personal and personal health information and to inquiries about CAPR’s Privacy Policy for personal and personal health information management.

CAPR Personnel

Managers and designated CAPR Personnel are the custodians of the personal and personal health information collected, retained and used within their respective business units and organizational roles. CAPR Personnel are responsible for ensuring that:

  1. Consent has been obtained prior to collection of information, and processes to manage exceptions are in place;
  2. Only personal and personal health information necessary for the business purpose is collected, retained and used;
  3. Appropriate controls are in place to physically secure both hard copy (including external computer readable media) and electronically stored personal and personal health information;
  4. Electronic files that contain personal and/or personal health information will not be stored in the generally accessible electronic file system, directories or databases;
  5. Appropriate system access controls including “business-related need to know” restrictions are in place and kept up-to-date;
  6. Personal and personal health information is appropriately updated and accurate, having regard for the purpose of such information;
  7. Personal and personal health information is destroyed or made anonymous when it is reasonable to conclude that it is no longer required for any of the purposes for which it was collected. Management and Personnel will consistently adhere to CAPR record retention standards;
  8. Contracts with third parties for processing, using or storing personal and personal health information will contain appropriate clauses guaranteeing that the third party will comply with CAPR Privacy Policy and related privacy legislation, safeguard the information, and will only use the information provided for the contractual purposes. Similar privacy clauses will also be included in any agreement that the third party has with subcontractors they may engage to conduct work on their behalf for CAPR;
  9. Contracts with third parties who provide CAPR with personal and personal health information will include appropriate clauses asserting that they have obtained the required consent from their staff; and,
  10. Appropriate resources will be assigned to retrieve information requested by an individual.

CAPR Management is responsible for ensuring that all CAPR Personnel have received appropriate training and support to understand and comply with CAPR’s Privacy Policy and applicable privacy laws.

CAPR Management is also responsible for ensuring that appropriate safeguards are in place for the physical security of personal and personal health information stored in offsite archiving facilities, and for ensuring that such personal and personal health information is appropriately destroyed within a reasonable time following the destruction date established by the document owner.

Corporate Information Services Personnel are responsible for ensuring that appropriate safeguards are in place to protect the personal and personal health information stored electronically by CAPR, and for ensuring that all CAPR Personnel are sufficiently familiar with the availability and application of such safeguards to make appropriate use of them in complying with the Privacy Policy.

If required, CAPR will engage legal counsel to provide legal advice and support in relation to matters arising out of CAPR’s Privacy Policy.

All CAPR Personnel are individually responsible for the personal and personal health information about others that they collect, use, retain or disclose. In the course of performing their duties for CAPR, Personnel will ensure that their activities with respect to that information are carried out only in accordance with CAPR Privacy Policy.

Consent

Before collecting information about individuals, CAPR Personnel will explain the purpose for collection. Consent forms or verbal explanations will contain sufficient information about the use of such information. “Sufficient” means that an ordinary person should be able to make the link between the data requested and its relationship with the process. Where an individual’s consent is required, it must constitute informed consent. This means that the individual must understand why the information is being collected and how CAPR intends to use the information.  Therefore, CAPR Personnel collecting consent must be sufficiently knowledgeable to explain the processes.

Consent may be either implicit (for example, if information is requested for a specific purpose and the information is provided, that would generally constitute implied consent) or explicit, depending on the circumstances and the nature of the information being collected. Explicit consent may be obtained either in writing or verbally. Where verbal consent is obtained, however, the verbal consent must be documented by those who collected it and retained in a relevant file for future reference, along with a summary of the information provided to the individual, to ensure the individual’s verbal consent was given on an informed basis. Where the collection, use, and/or disclosure of sensitive personal or personal health information are concerned (e.g., medical information or personal financial information such as salary), the consent must be explicit. Guidance on the classification of data by level of security can be obtained from the Chief Privacy Officer.

Explicit Consent

CAPR Personnel who are responsible for obtaining consent need to be familiar with the type of information collected and how it is used, to be able to explain and answer questions from the individual. The following are some examples of common situations requiring explicit consent:

  • Human Resources gathers a broad range of consents from employees when they start at the company.
  • CAPR obtains consent from examination applicants requesting specific accommodations before disseminating accommodation plans to test sites for implementation.
  • CAPR gathers explicit consent from credentialling and examination candidates to release personal information to its member regulatory bodies if, in the course of conducting its business, CAPR becomes aware of circumstances or actions related to regulatory issues. All releases of this sort will be done with the knowledge of the affected applicant.

Implied Consent

The following are some examples of common situations involving implied consent:

  • Individuals providing their resumes are deemed to consent for CAPR to use their personal information for employment and contracting purposes. CAPR’s practice is to retain and use resumes for six months after receipt.  In order to circulate or use the resume information of an unsuccessful candidate, his or her consent is required.  CAPR implements practices to ensure this obligation is met.
  • CAPR provides information on its external web site about the information collected when a user accesses a CAPR web page. Users of CAPR’s web site are deemed to consent to the collection and use of such information for the purpose of monitoring website activity.
  • CAPR publishes aggregate data in written performance reports and individual data for registration purposes. Applicants and candidates are deemed to consent to the use of such information for organizational reporting and professional registration purposes.

Consent Process Exceptions

Some external parties, such as law enforcement agencies, have a lawful or investigative need to collect, use and disclose personal information without having to obtain the consent of the concerned individuals.

Withdrawing Consent

Individuals have the right to withdraw consent to the collection, use or disclosure of personal or personal health information in whole or in part, at any time, upon providing reasonable written notice.  The individual must be informed about any potential consequences that may result from the withdrawal of their consent, prior to making such a decision (e.g., closure of applications, associated administrative fees).  If an individual withdraws their consent, it is not retroactive and does not apply to personal and personal health information already collected, used or disclosed by CAPR.

Collecting and Using Personal and Personal Health Information

Personal and personal health information may only be collected if it relates to CAPR programs or business activities, if the information is reasonably necessary for the carrying out of such programs or activities, and if appropriate consent has been obtained.  Personal and personal health information may only be used for the purpose for which it was collected and access to such information must be restricted to those CAPR Personnel who have a need for access to administer CAPR programs or business activities.  All CAPR Personnel authorized to access personal and personal health information are required to maintain confidentiality of the information in accordance with the Privacy Policy.

CAPR may use personal and personal health information without the knowledge and consent of an individual only:

  • For specific regulatory purposes;
  • If there are reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
  • For an emergency that threatens an individual’s life, health or security; or
  • If the information is publicly available.

Disclosure of Personal and Personal Health Information

Personal and personal health information concerning an individual may only be disclosed to others when the purpose for the disclosure is consistent with the purpose for which the information was collected.  This includes internal disclosure when there is a business-related need to know.  It also includes external disclosure if the information is given to CAPR’s third party service providers to assist CAPR and/or regulatory bodies in carrying out their programs or business activities.

Disclosure Process Exceptions

There are specific situations in which exceptions to disclosure procedures are permitted:

  1. For the purposes of a business transaction between two or more organizations (e.g., joint venture or partnership), the parties to the transaction may collect, use or disclose employee information without the consent of the individual, under certain circumstances.
  2. CAPR may disclose personal information without the individual’s knowledge and consent only:
    • To a lawyer representing CAPR.
    • To collect a debt the individual owes to CAPR.
    • To comply with a subpoena, warrant or an order made by a court or other body with appropriate jurisdiction.
    • To a regulatory body or government institution that has requested the information, identified its lawful authority and indicates that disclosure is for the purpose of carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law, or suspects that the information relates to national security or the conduct of international affairs, or is for the purpose of administering a federal or provincial law.
    • In an emergency threatening an individual’s life, health or security. (CAPR must then inform the individual of the disclosure).
    • If it is publicly available.
    • If required by law.

All other disclosure process exceptions require the approval of the Chief Privacy Officer.

Transmission / Sharing of Personal and Personal Health Information

CAPR Personnel will demonstrate extreme care when transmitting personal and personal health information internally or externally to ensure that:

  • The persons who have requested the information and those to whom CAPR Personnel are sending it have been authenticated; and
  • The method of transmission (whether by telephone, mail, fax, electronically or otherwise) is appropriate to protect the confidentiality of the information in light of its sensitivity.

Retention and Disposal of Personal and Personal Health Information

The retention and disposal of personal and personal health information will comply with CAPR Records Management Policy.  Personal and personal health information no longer required to fulfill the purposes for which it was collected will be destroyed, erased or made anonymous. CAPR will maintain a secure centralized filing system with appropriate access and retrieval controls for both employee and client information data. Care will be used in the disposal or destruction of personal and personal health information to prevent unauthorized parties from gaining access to the information. When disposal of hard copy information is authorized, shredding will be used to maintain confidentiality.

If mailed, the information will be enclosed in a securely sealed envelope and stamped “Private and Confidential”.  In all instances, the name of the intended recipient must be clearly identified. Email flags will be used to denote personal or confidential information in email communications. Because of the ease with which email is transmitted, and issues relating to control over storage of multiple copies of email, the use of email to transmit personal and personal health information is discouraged where a reasonable alternative is available, except with the express consent of the individual.

Accuracy – Updating Personal and Personal Health Information

Personal and personal health information will be updated to fulfill the purpose for which it was collected.  CAPR information management processes will minimize the possibility of using incorrect information when making decisions about the individual, or when disclosing information to third parties.

Protection of Personal and Personal Health Information

CAPR’s corporate and business practice standards specify operating procedures that protect electronically stored personal and personal health information. The physical security of such information will be managed through office security practices, records management practices and individual discretion, based on the sensitivity of the information.  When developing safeguards for personal and personal health information, CAPR will consider loss, theft, alteration, unauthorized access, copying and use. If an incident occurs where personal or personal health information is inadvertently disclosed, lost, corrupted, or transmitted contrary to CAPR standards, CAPR Personnel will contact the Chief Privacy Officer immediately to report the incident and develop an appropriate remediation plan.

Open and Transparent Practices

CAPR will inform clients, employees and other individuals about the Privacy Policy and its information management practices on CAPR website and intranet sites. CAPR will also publish the contact information for the Chief Privacy Officer.

An Individual’s Access to Their Personal and Personal Health Information

Any individual has the right to request access to their information. Access to specified information is given by allowing an individual to view CAPR documentation, or by providing them with a reproduced copy of the information. Under no circumstances will documents that are the property of CAPR be given to the individual requesting access.

Requests for access may be made verbally or in writing. Documents or files provided to an individual will be reviewed to ensure that no personal or personal health information about another individual is disclosed. If such information is present, it must be masked or made anonymous before the person making the request views the document. Personal or personal health information to which an individual has requested access cannot be removed or destroyed under any circumstances.

CAPR has the right to charge an individual a reasonable amount to recover the cost of producing and delivering documents requested by the individual. The Chief Privacy Officer, in consultation with managers, will be responsible for assessing related costs based on compliance with CAPR policy and determining the reasonableness of charging the individual. If CAPR plans to charge, the individual must be informed, and the individual must accept the charge before the documents are produced.

Access Process Exceptions

Access shall be subject to any prohibitions, exceptions or exemptions in applicable privacy laws.  If access is denied, then the requesting individual shall be informed in writing of the reason for the denial.  CAPR must refuse access to personal and personal health information that it has disclosed to a government institution for law enforcement or national security reasons.  In some cases, the fact that such information was disclosed must also be withheld.  The Chief Privacy Officer should be contacted if CAPR Personnel require direction on the refusal of access.  It is also CAPR policy to refuse access, as permitted under applicable law, if:

  • The information falls under solicitor/client privilege
  • The information contains confidential commercial information
  • Disclosure could harm an individual’s life, health or security
  • It was collected to investigate a breach of an agreement or contravention of a law
  • It was generated in the course of a formal dispute resolution process;

unless the Chief Privacy Officer specifically authorizes access to any of the foregoing.

Complaint Process

Individuals whose personal and personal health information has been collected, used, disclosed and/or disposed of by CAPR may make complaints about CAPR’s policies and practices relating to the handling of their personal and personal health information. A complaint may be made in writing to the Chief Privacy Officer specifying the nature of the complaint. In the case of a complaint, the Chief Privacy Officer will undertake an investigation. The Chief Privacy Officer will provide a written response to the complainant outlining the results of the investigation and the actions, if any, taken or to be taken by CAPR in respect of the complaint. Appeals regarding a complaint decision will be escalated to the Executive Committee. The Executive Committee may seek consultation with the Federal Privacy Commissioner or the applicable provincial counterpart to inform the investigation process, seek advice and/or validate decisions. CAPR will not penalize, sanction or discriminate against any individual who has made a complaint or inquiry.

Third Party Service Providers

From time to time, CAPR retains third party service providers to assist CAPR in administering its programs or conducting its business (e.g., service providers that keep records relating to our employee insurance and benefit plans). In some cases, to perform the services, CAPR must disclose personal and personal health information about its employees. CAPR Personnel entering into these contracts with third party service providers will ensure that:

  • Use of the personal and personal health information by the third party service provider is limited to the purposes specified to exercise the contract;
  • All use of the personal and personal health information will be in accordance with the Privacy Policy;
  • The third party service provider refers any individuals looking for access to their personal and personal health information to CAPR;
  • The third party service provider uses appropriate safeguards to protect the personal and personal health information;
  • The personal and personal health information is destroyed or returned to CAPR upon termination or completion of the contract; and,
  • CAPR has the right to audit the third party service provider’s compliance with the contract.