Issued: 2000
Revised: March 2004
Reviewed: December 2003
CNA collects, uses and discloses personal information for
purposes consistent with its mission, vision and values. In recognition that
individuals have rights and interests with respect to their information, CNA
issues this policy statement to ensure that the personal information it
collects, uses and discloses is protected accordingly.
Definitions
Personal information: information about or pertaining to
an individual, which may or may not identify the individual
Identifiable personal information: information that
directly identifies an individual, or that foreseeably can indirectly identify an
individual if linked with other information
Non-identifiable personal information: information that
cannot foreseeably identify an individual
Privacy: the right or interest in controlling or limiting
the access of others to oneself
Confidentiality: the duty of someone who has received
confidential information in trust to protect that information and disclose it to
others only in accordance with permissions, rules or laws authorizing its
disclosure
Security: safeguards to ensure that information is
processed (accessed, used, disclosed) only as authorized and to prevent
unauthorized processing
Accountability
- CNA is accountable to those whose personal information comes under its custody for ensuring that
their information is protected in a manner consistent with this policy.
- CNA will use reasonable means to hold its employees and those to whom it discloses personal
information accountable for protecting personal information that comes under
its custody in conformity with the provisions in this policy.
- Accountability for CNA’s compliance with the policy rests with CNA’s executive director or
his/her delegate.
- As the executive director is accountable for CNA’s compliance, he or she has decision-making
authority regarding the interpretation and application of the policy, subject
to the Complaints section.
Identifying Purposes
- CNA identifies the purposes for which it collects, uses and discloses personal information prior
to the time CNA collects the information.
- CNA only collects, uses or discloses personal information for purposes consistent with its
mandate and core functions. Such purposes include the provision of services
and benefits, statistical analysis, research, reporting and policy
development, among others.
- CNA supports the principle of data providers (i.e., registrars) informing individuals about the
purposes at or before the time of collecting personal information.
Consent for Collection, Use or Disclosure
- Knowledge and consent of the individual are required for the collection, use or disclosure of
identifiable personal information, except where legally permissible.
- Knowledge and consent of the individual are not required for the collection, use or disclosure of
non-identifiable personal information.
Collection
- CNA limits the collection of personal information to that which is necessary for the purposes
it has identified.
- CNA collects personal information by fair and lawful means.
Use and Retention
- CNA does not use identifiable personal information for purposes other than those identified
prior to collection, except with the consent of the individual or as required by law.
- “Use” includes processing identifiable information in such a way that it is no longer
identifiable.
- CNA allows only authorized staff to access and use specific data holdings of personal
information on a “need-to-know” basis, that is, when required to perform their duties.
- Personal information is retained only as long as necessary for the fulfillment of purposes
identified at collection. For purposes of long-term analysis and reporting,
CNA retains personal information permanently.
- Personal information that is no longer required to fulfil the identified purposes is destroyed,
erased, or made anonymous in a secure manner.
Disclosure
- CNA may disclose or publish non-identifiable (e.g., aggregated) personal information only having
used reasonable precautions to ensure that individuals cannot foreseeably be
identified by linking this information with other information. CNA may also
take into consideration the potential that even non-identifiable personal
information can reflect upon groups or communities. This generally requires a
minimum of five observations per cell.
- CNA may disclose identifiable personal information only when:
  - The recipient is the data provider that originally
  provided the identifiable personal information to CNA;
  - The disclosure is required by legislation or an
  agreement; or
  - CNA has obtained the consent of the individuals
  concerned and the recipient has signed an agreement that:
    - prohibits linking the information received with other information, unless authorized to do so;
    - limits the purposes for which the identifiable personal information may be used or
    disclosed to those identified prior to its collection;
    - adequately safeguards the identifiable personal information;
    - limits publication or disclosure to aggregated data, which do not allow
    identification of any individual, unless authorized to identify the individual; and
    - permits CNA to conduct on-site compliance audits.
- CNA may charge a cost-recoverable fee to fulfill requests for personal information.
Accuracy
- Personal information will be as accurate, complete and up-to-date as necessary for the purposes for
which CNA collects, uses or discloses it.
- CNA updates personal information when necessary to fulfill the purposes for which the information
is collected, used or disclosed.
- CNA uses educational programs, data quality programs and data coding standards to foster the
collection and use of quality personal information for its purposes. Data
providers are responsible for ensuring the personal information they provide
to CNA is accurate, complete and up-to-date for the purpose specified.
Safeguards
- CNA protects personal information with security safeguards appropriate to the sensitivity and
identifying nature of the information.
- The security safeguards protect personal information against loss or theft, as well as
unauthorized access, disclosure, copying, use or modification. CNA protects
personal information that it holds or transmits regardless of the format in
which it is held.
- The nature of the safeguards depends on the sensitivity of the information that has been
collected, the amount, distribution and format of the information and the
method of storage. A higher level of protection safeguards more sensitive information.
- Care is used in the disposal or destruction of personal information to prevent unauthorized
parties from gaining access to the information.
- CNA makes its employees aware of the importance of maintaining the confidentiality of
personal information.
Transparency and Openness
- Those whose personal information CNA collects, uses and discloses are entitled to know what CNA’s
practices and policies are in connection with this information and to
challenge those practices and policies.
- CNA is committed to ensuring that its practices and policies relating to personal information are
transparent, explicit and open for scrutiny.
- CNA makes readily available information about its practices and policies in order to promote
transparency, explicitness and scrutiny.
Individual Access to and Amendment of Personal Information
- Upon request, CNA informs an individual what identifiable personal information it has collected,
used or disclosed about him or her, and from whom it has been collected and to
whom it has been disclosed.
- In providing an account of third parties from which it has collected or to which it has
disclosed identifiable personal information about an individual, CNA will be
as specific as possible.
- An individual shall be able to access his or her personally identifiable information, to challenge
its accuracy and completeness and to have it amended as appropriate, which may
include the correction, deletion or addition of information.
- CNA responds to an individual’s request to amend his or her identifiable personal information
within a reasonable time and at minimal or no cost to the individual.
- When a data provider notifies CNA that the individual has successfully demonstrated the inaccuracy
or incompleteness of identifiable personal information, CNA amends the
personal information as required.
Complaints Handling
- An individual is able to address a challenge concerning compliance with CNA’s policy to CNA’s
executive director, who is accountable for CNA’s compliance.
- If CNA receives a concern or complaint by any person that a recipient of identifiable personal
information has made false or misleading statements in the request for data or
has violated one or more conditions in the signed agreement, CNA will
investigate. When the concern or complaint is substantiated, CNA will impose
sanctions, which may include:
  - a written complaint to the recipient organization;
  - recovery of data disclosed by CNA;
  - a report to the relevant research ethics review body, funding body, data provider and ministry of health, as applicable;
  - refusal of future access to data; or
  - legal action.
- CNA investigates all complaints. If a complaint is found to be justified, CNA takes appropriate
measures, including, if necessary, amending its privacy policy.
July 2003