Privacy
Introduction
From January 1, 2004, all businesses engaged in commercial activities must comply with the Personal Information Protection and Electronic Documents Act (The Act), and the Canadian Standards Association Model Code for the Protection of Personal Information, which it incorporates. These obligations extend to not for profit corporations. The Act gives individuals rights concerning the privacy of their personal information. Individuals are encouraged to familiarize themselves with The Act which is available on The Government of Canada, Department of Justice website http://canada.justice.gc.ca/en/news/nr/1998/attback2.html.
OEBC is responsible for the personal information it collects, uses and stores. This policy has been developed to ensure accountability and adherence to Canadian Privacy Legislation. OEBC’s Board of Directors, staff, administration and volunteers are familiar with its policies and practices.
Policy
OEBC recognises the importance of privacy and the sensitivity of personal information. As a not-for-profit examining organization, OEBC acknowledges its obligation to serve a number of constituencies while ensuring that matters of privacy are adhered to and recognized. OEBC is committed to protecting any personal information it stores. This Privacy Policy outlines how OEBC manages an individual’s personal information and safeguards his or her privacy.
Storage of Personal Information
OEBC mandate is to examine future optometrists. In carrying out its functions, OEBC produces and maintains candidate information.
OEBC does not use Social Insurance Numbers as a way of identifying or organizing its information databases.
Personal Information Definition
Personal information is any information that identifies an individual, or by which an individual’s identity could be deduced.
Collection of such information is integral to the function and business of OEBC. It is necessary for qualifying candidates, and staff, ensuring that candidate’s information is sent to regulatory boards.
Method of Collecting Personal Information
Personal information is collected in a lawful and fair means that is not unreasonably intrusive. Wherever possible, personal information is collected directly from an individual at either the commencement of the application process or at the time of hiring staff.
Information may at times be obtained from other sources, for example:
With respect to Candidates:
(a) educational institutions which a student may have attended.
With respect to Job Applicants:
(a) references for potential employees.
Consent
In most cases, OEBC will ask an individual to specifically consent to collection, use, or disclosure of their personal information. Normally, consent is obtained in writing, but oral consent may be accepted under certain circumstances. Consent may also be implied as a result of conduct.
Use of Information
OEBC respects the individual’s rights and wishes to receive or cancel receipt of information about its services, developments and programs. When an individual informs the OEBC that he or she no longer wishes to receive information about services with respect to the OEBC, such information will no longer be sent.
Personal information will not be disclosed to any third party to enable them to market their products and services. For example, mailing lists of candidates, staff or volunteers will not be provided to other parties without the expressed permission from the individual. Permission to obtain and use information may be implied unless specified to the contrary, provided that an individual may “opt out” of such consent by so indicating in writing.
Disclosure of Personal Information
Personal information will be disclosed under the following circumstances:
(a) when consent to the disclosure is received;
(b) when required or authorized by law to do so, for example if a court issues a subpoena;
(c) when the services provided to an individual requires OEBC to give information to third parties (for example a regulatory board to whom a student has applied for licensing purposes) consent will be implied, unless specified otherwise;
(d) where it is necessary to establish or collect fees;
(e) if OEBC engages a third party to provide administrative services (like computer back-up services or archival file storage), where the third party is bound by OEBC privacy policy;
(f) when undergoing an audit and/or review process
(g) for the purposes of continuing to carry out the services provided;
(h) if the information is already publicly known.
Updating Personal Information
OEBC uses personal information to provide services. As such, it is important that the information be accurate and up-to-date. If during the course of an individual’s examination process, any information changes, it is the individual’s responsibility to provide OEBC with the information necessary to ensure that the records are correct and up to date.
Correcting Errors
If OEBC is made aware that it has information that it is not accurate, complete or up-to-date, it will take reasonable steps to correct it.
Security of Personal Information
All reasonable precautions will be taken to ensure that personal information is kept safe from loss, unauthorized access, modification or disclosure. Personal information will be protected by the following means:
(a) premises security;
(b) restricted file access to personal information;
(c) deploying technological safeguards, where possible, such as security software and firewalls to prevent unauthorized computer access; (e.g. hacking); and
(d) internal password and security policies.
Access to Personal Information
Access to a summary of an individual’s personal information held by OEBC is available upon that individual’s written request. Requests for more detailed information requiring archival or other retrieval may be subject to usual professional and disbursement fees.
Requests for Access
Individuals having any questions, or wishing to access personal information, should write to:
Privacy Officer
Optometry Examining Board of Canada
37 Sandiford Drive
Suite 403
Stouffville, Ontario
L4A 3Z2
If individuals are not satisfied with the response they received from OEBC, they are directed to contact:
Privacy Commissioner of Canada
112 Kent Street
Ottawa, ON K1A 1H3
1-800-282-1376
Denial to Access
The right to access personal information is not absolute.
Access to personal information may be denied, in the following circumstances:
(a) when required or authorized by law (for example, when a record containing personal information is subject to a claim of legal professional privilege);
(b) when information relates to existing or anticipated legal proceedings;
(c) when it would have an impact on other persons’ privacy;
(d) when it would prejudice negotiations with an individual;
(e) to protect OEBC’s rights and property;
(f) where the request is frivolous or vexatious; and
(g) when it is deemed detrimental or perilous to the person to be informed.
If OEBC denies a request for access to, or refuses a request to correct information, OEBC will explain in writing its reasons for the refusal.
Communicating with OEBC
It is understood that the internet and e-mail are not a 100% secure medium and individuals should be aware of this when contacting OEBC to send personal or confidential information.
Employment Inquiries
If an individual applies to OEBC for a job, personal information is considered a part of OEBC’s review process. OEBC normally retains information from candidates after a decision has been made.
Website
The OEBC website contains links to other sites, which are not governed by this privacy policy. Like most other websites, OEBC may monitor traffic patterns, site usage and related site information in order to optimise its web services. Aggregated information about such use may be provided to third parties but such information will not include any identifiable personal information.
Changes to this Privacy Policy
Since OEBC regularly reviews all of its policies and procedures, changes may be made to this Privacy Policy from time to time.
Appendix
The privacy principles developed by the federal government as found on their website (http://canada.justice.gc.ca/en/news/nr/1998/attback2.html) are printed below for convenience.
Privacy Principles
The privacy provisions are based on the Canadian Standards Association’s Model Code for the Protection of Personal Information, recognized as a national standard in 1996. The Standard addresses the ways in which organizations collect, use and disclose personal information. It also addresses the rights of individuals to have access to their personal information and to have it corrected if necessary.
The code’s 10 principles are:
- Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
- Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
- Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except when inappropriate.
- Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. Personal information shall be retained only as long as necessary for fulfilment of those purposes.
- Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals for the organization’s compliance.
Exceptions
Some groups, such as law enforcement agencies and journalists, have a lawful or investigative need to collect, use and disclose personal information without having to obtain the consent of the concerned individuals. For these reasons, certain exemptions are included:
(a.) Personal information collected, used or disclosed solely for journalistic, artistic or literary purposes;
(b.) if the action clearly benefits the individual or if obtaining permission could infringe on the information’s accuracy;
(c.) where such data can contribute to a legal investigation or aid in an emergency where people’s lives and safety could be at stake; and
(d.) if disclosure aids, in times of emergency, matters of legal investigation, or facilitates the conservation of historically important records.