Overview

Colleges collect and hold confidential information that must be retained securely and used appropriately in the course of administering their regulatory activities and legislative duties and objects. Colleges must ensure that they have policies and processes in place to govern the collection, use, disclosure, and protection of information that is of a personal (both health and non-health) or sensitive nature.

Collective strengths

The majority of colleges reported that they have policies and processes to govern the collection, use, disclosure, and protection of sensitive information. Colleges used a variety of methods to achieve this, including the use of privacy codes, confidentiality undertakings signed by staff, data protection policies for information collected through websites, and data retention and safeguarding. The majority of colleges noted that the disclosure of data was done in accordance with requirements set out in the Regulated Health Professions Act, 1991 (RHPA) and was limited to the information posted on the Public Register.

The working group noted the Royal College of Dental Surgeons of Ontario (RCDSO) had a notable practice regarding its implementation of a range of privacy and confidentiality policies intended to ensure the college’s legal obligations are met. Policies include a focus on information security, acceptable use of systems and related services, records management, and workplace social media conduct. The college also provides information technology (IT) security awareness training for staff and planning for the possibility of IT security breaches. Lastly, the RCDSO has a designated Privacy Officer and privacy lead who consults with staff regarding the management and disclosure of confidential and private information.

System improvement

Disclosure of information by colleges, within the existing legal framework, is a potential area of improvement for colleges. Since colleges are not subject to privacy legislation, it is important that they have formal and transparent policies and processes governing the disclosure of information. This includes the development of criteria for disclosure and actions in response to unauthorized disclosure. The development of robust formal policies regarding the disclosure of information is important to support public accountability.

Improvement commitments by colleges

Colleges made commitments to improve in the following areas:

  • development and implementation of formal policies and processes related to the collection, use, retention and disclosure of data where colleges reported informal policies and processes
  • development and implementation of formal policies and processes for managing any unauthorized disclosure of confidential or private information
  • processes for the regular collection of statistics regarding any unauthorized disclosure, to support the identification of patterns that can be used to prevent further incidents wherever possible