CDA is responsible for all Personal Information under its control.
CDA is responsible for Personal Information in its possession or custody, including information that has been transferred to a third party for processing. It will use contractual or other means to provide a comparable level of protection for information being processed by a third party.
2. Identifying Purpose
CDA will identify and document the purposes for which it collects, uses or discloses Personal Information at or before the time of collection.
CDA collects, uses and discloses Personal Information concerning its members and all dentists in Canada for the following purposes:
- Providing products, services and information of interest to its members and dentists in Canada;
- Providing the Canadian Dental Association Journal and other information or media containing information of interest to all dentists in Canada;
- Exchanging information with dental-related organizations and institutions in order to facilitate the provision of products, services and information of interest to dentists and dental-related organizations and institutions in Canada and internationally.
CDA will make a reasonable effort to specify the identified purposes, orally or in writing, to the individual from whom the Personal Information is collected either at the time of collection or after collection but before use. CDA will state the identified purposes in such manner that an individual can reasonably understand how the information will be used or disclosed.
CDA will identify any other purposes which may arise for the collection, use or disclosure of Personal Information at or before the time the Personal Information is collected.
If a new purpose arises in respect of Personal Information already collected, CDA will identify the new purpose prior to the use or disclosure of the Personal Information.
CDA collects and uses Personal Information concerning its employees to provide them with information which is relevant to their work or terms of employment or other employment related activities. CDA does not disclose Personal Information of employees for non-employment related activities.
Personal Information will only be collected, used, or disclosed with the knowledge and consent of the individual, except in emergencies and on other occasions permitted or required by law.
The way in which CDA seeks consent, including whether it is express or implied, may vary depending upon the sensitivity of the information and the reasonable expectations of the individual. An individual can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. CDA will inform individuals of any implications of withdrawing consent.
Typically, CDA will seek consent for the use or disclosure of information at the time of collection. In certain circumstances, such as a proposed use of information for new purposes not previously identified, consent may be sought after the information has been collected but before use.
CDA will not require an individual, as a condition of the supply of its services, to consent to the collection, use or disclosure of Personal Information beyond that required to fulfill legitimate purposes.
In certain circumstances, as permitted or required by law, CDA may collect, use or disclose Personal Information without the knowledge or consent of the individual. These circumstances include Personal Information:
- which is subject to solicitor-client privilege;
- which is publicly available;
- where collection or use is clearly in the interests of the individual and consent cannot be obtained in a timely way;
- which is required to investigate a breach of an agreement or a contravention of a law;
- required to act in an emergency that threatens the life, health or security of an individual; or
- for debt collection; or to comply with a subpoena, warrant or court order.
4. Limiting Collection
CDA will limit the amount and type of Personal Information collected to that which is necessary for identified purposes and will only collect Personal Information by fair and lawful means.
5. Limiting Use, Disclosure and Retention
Personal Information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal Information will be retained only as long as necessary to fulfil the identified purposes.
Personal Information which has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made and, in the event of an access request or a challenge, long enough to exhaust any recourse an individual may have under the law. Where Personal Information is no longer required to fulfill the identified purposes, it will be destroyed, erased, or made anonymous.
CDA will use its best efforts to ensure that Personal Information is as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
CDA will use its best efforts to ensure that Personal Information that is used on an ongoing basis, including information that is disclosed to others, and information that is used to make a decision about an individual is accurate, complete, and up-to-date.
CDA will protect Personal Information with safeguards appropriate to the sensitivity of the information.
CDA will protect Personal Information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification regardless of the format in which the information is held. CDA will make its employees aware of the importance of maintaining the confidentiality of Personal Information, and will exercise care in the disposal or destruction of Personal Information to prevent unauthorized parties from gaining access to the information.
Depending on the format of the Personal Information, security measures may include physical precautions such as locking file cabinets and restricting access to cabinets, offices and files, organizational measures such as security clearances and limiting access on a need-to-know basis and technological measures including passwords and encryption.
CDA will make specific information about its policies and practices regarding the management of Personal Information readily available, except to the extent that it is confidential commercial information.
Specifically, CDA will publicize information about:
- how to obtain details of the Personal Information held on file for identified individuals;
- the type of Personal Information held by CDA, including a general account of its use;
- what Personal Information is made available to related companies; and
- how to make requests or complaints to CDA's Chief Privacy Officer.
9. Individual Access
Upon receipt of a written request, CDA will inform an individual of the existence, use and disclosure of his or her Personal Information and will give the individual access to that Personal Information, which may be challenged and corrected, depending on the circumstances.
CDA will respond to all individual written requests within a reasonable time, usually about ten (10) business days, depending upon the complexity of the request and the information, and will assist any individual who informs CDA that he or she needs assistance in preparing a request. CDA may require an individual to provide additional information which will assist it in providing an account of the existence, use, and disclosure of Personal Information.
CDA will usually provide the requested information without charge. However, CDA reserves the right to impose a charge, depending on the extent of the request and retrieval of information required. CDA will inform the individual of the approximate amount of any charge to respond to the request and will not retrieve the information until payment is made. Requested information will be provided in a form that is generally understandable. Where possible, CDA will indicate the source of the information.
If an individual successfully demonstrates the inaccuracy or incompleteness of Personal Information, CDA will amend the information as required. If a challenge is not resolved to the satisfaction of the individual, CDA will record the substance of the unresolved challenge. CDA will advise third parties having access to the information of any amendments, or unresolved challenges, as the case may be.
In certain situations, CDA may refuse a request or restrict access to all the Personal Information it holds about an individual. Exceptions to the access requirement will be limited and specific, as permitted or required by law. The reasons for denying or restricting access will be provided to the individual upon request, where permitted by law, and may include:
- information containing references to other individuals;
- confidential commercial information;
- information which by its nature must remain confidential;
- information collected in the course of investigating a breach of an agreement;
- information collected in the course of a dispute resolution process;
- information that is subject to solicitor-client privilege; or
- any portion of information which for, one or more of these reasons may not be readily severable from the information as a whole.
10. Challenging Compliance
Canadian Dental Association
1815 Alta Vista Drive
Ottawa, Ontario, Canada K1G 3Y6
Attention: Chief Privacy Officer
Fax: (613) 523-7736
CDA will investigate all written complaints. Should it find that a complaint is justified, CDA will take all appropriate steps to correct the information and amend the policy or practice as required.
Approved by CDA Board of Directors September 3, 2003