CMPA Privacy Policy

Published: April 2021

At the Canadian Medical Protective Association (“CMPA”), we understand the importance of privacy and the protection of personal information. We place the highest value on ensuring the privacy and confidentiality of personal information entrusted to us.

To provide you with a privacy policy that is easy to follow, clear, and comprehensive, we have divided the policy into sections. Each section also has a summary or short explanation in plain English (starts with ‘In short...’). The summaries make our policy easy to understand, but they are not legally binding.

Overview

This privacy policy governs the CMPA’s collection, use, and disclosure of personal information and personal health information (together, “personal information”).

The CMPA collects, uses, and discloses personal information for reasons that are consistent with the purposes described in this policy (see section 3 below), or as otherwise permitted or mandated by law. Personal information is kept securely by the CMPA and its service providers. It is retained only as long as necessary to fulfil the stated purposes. Except in limited circumstances, you have the right to access the information collected about you, within a reasonable time frame, in accordance with existing legislation.

The CMPA will regularly revise its privacy practices and this privacy policy. Policy changes will apply to the information collected from the date of the revised privacy policy, as well as to existing information held by the CMPA at the time of the amendment. Updates to this privacy policy will be published on our website. Members will be reminded of our privacy policy and any updates with their annual billing reminder. Should you have any questions or concerns, you are invited to contact the CMPA Privacy Office at privacyofficer@cmpa.org

When you provide personal information, you agree that the CMPA may collect, use, and disclose your personal information in accordance with this privacy policy. The CMPA does not sell, trade, barter, exchange, or disclose for consideration any personal information. You are free to withdraw your consent at any time. However, if you choose not to provide us with consent to collect, use, or disclose personal information, we may not be able to offer some of the services requested.

What personal information does the CMPA collect?

Personal information is any information, whether recorded or not, about an identifiable individual, or an individual whose identity may be inferred or determined from the information. Examples of personal information include age, name, ID numbers, income, opinions, evaluations, comments, or disciplinary actions.

Personal information also includes personal health information about an identifiable individual such as:

  • physical or mental health;
  • any health service provided to the individual;
  • information that is collected in the course of providing health services to the individual and any testing results from that collection; or
  • information that is collected incidentally to the provision of health services to the individual and any testing results from that collection.

Personal information collected by the CMPA

The CMPA collects the following personal information. The table below describes the categories of personal information collected, the specific types of personal information collected, as well as the source of collection. The CMPA aims to be as complete and transparent about its collection practices as possible. It may be, however, that certain types of personal information are collected, but not listed here.

Personal information collected by the CMPA
CategoryDescriptionSource of Information
Profile Data First name, surname, date of birth, username and password for member portal, and any other information contained in the CMPA membership application. You
Contact Data Personal address including city, province and postal code, telephone number, email address, and fax number.


We also collect professional contact information including work address and phone number.
You
Professional Data CMPA membership number, Medical Identification Number of Canada, registration with local college of physicians and surgeons, and file information by local college of physicians. You


We may collect this information from applicable provincial or territorial medical regulatory authorities, with your consent
Financial Data Payment information to process membership fees, including banking information and bank reports of transfers. You
Survey Data If you choose to participate in one of our surveys or research initiatives, we collect your answers and use the information and survey results to help us understand our members and tailor our service offerings. You
Browsing Data Webpages you visited, internet browser, access dates and times, which features you used, duration of visit, crashes and other system activity, and third-party sites you were interacting with before visiting our site. Third party sources
Technical Data Your Internet Protocol (IP) address, Device ID or MAC address, information about the manufacturer, model, settings, and operating system of your mobile device, and application version. Third party sources
Medico-Legal Data Services to CMPA members include support with medico-legal matters. As part of this service, the CMPA collects personal information, including personal health information that forms part of legal or regulatory proceedings.


To support medico-legal matters, we also collect the CMPA member name, nature of inquiry/complaint, nature of practice, advice/request member is seeking, patient information.
You

Third party sources
Communications We collect your consent to receive communications from the CMPA, and opinions and comments about the CMPA, its services, solutions, and events.

We also collect your communication preferences.
You


De-identified or Aggregated Data

Personal information does not include information that is aggregated or de-identified such that it cannot identify an individual. We may use de-identified and/or aggregated data for purposes including to safeguard it, improve our services, test our systems, develop new services, and conduct research or data analysis. We may share this anonymized and aggregated information with third parties. By using our services, you agree that the CMPA may de-identify your personal information for the purposes consistent with this policy.

The CMPA conducts a number of member surveys for various purposes related to service design and delivery. We take steps to mitigate risks associated with the re-identification of personal information due to small sample sizes, included in such surveys. For example, where the CMPA issues a report on medico-legal cases involving a rare condition or a small population, the CMPA has developed procedures to ensure sufficient data features to prevent the risk of re-identification. The CMPA is consistently assessing its collection, use, and disclosure practices to protect personal information, even if the personal information has been de-identified or aggregated.

In short, any information collected by the CMPA that is about an identifiable individual is detailed above and treated in compliance with applicable Canadian privacy laws. In addition to identifying the types of personal information we collect, we’ve also indicated the source of the information. “You” is used as a generic term to indicate the reader (which may include CMPA member or other individuals). Third party means that we’ve collected the information from someone other than you.

Why does the CMPA collect personal information?

The CMPA collects personal information to fulfill its mandate. This includes:

  • processing applications and confirming eligibility for CMPA membership;
  • responding to requests for assistance from members;
  • delivering assistance to members or conducting service-related surveys, including assistance with medico-legal matters and providing risk management / reduction advice and other practice solutions;
  • registering members for CMPA-sponsored education events;
  • developing and delivering practice related solutions and risk analytics;
  • communicating with members, including for direct marketing purposes;
  • providing support to members with provincial or territorial reimbursement programs, and provincial or territorial medical regulatory authorities (e.g. Colleges);
  • facilitating the use of the national physician identification system known as the Medical Identification Number for Canada (“MINC”);
  • providing marketing and other information about the services offered by CMPA, as well as other service providers;
  • responding to inquiries received from individuals who are not members of the CMPA; and
  • meeting legal or regulatory requirements.

The CMPA’s collection, use, and disclosure of personal information is limited to these purposes or is consistent with them, as permitted by law. The CMPA generally collects personal information directly from the individual, but may also collect information indirectly on behalf of CMPA members with consent, or where otherwise permitted or required by law.

In short, the CMPA collects your personal information to fulfill its mandate. For example, we may collect personal information to manage your membership, provide you with medico-legal advice, or meet legal or regulatory requirements, among others. We only collect personal information for one of the reasons listed in this policy, for purposes consistent with them or as otherwise permitted by law.

With whom does the CMPA share personal information?

Unless otherwise permitted or required by law, the CMPA shares your personal information only for a purpose consistent with this policy and with third parties discussed below:

Professional Entities

The CMPA may disclose personal information to confirm or support your membership with third parties, including:

  • medical associations, and provincial or territorial governments responsible for administering CMPA fee reimbursement programs;
  • Colleges with whom you have registration;
  • hospitals, universities, and clinics with whom you work; and
  • the Medical Identification Number for Canada

At your direction and with your consent, the CMPA will also provide information to other organizations, with whom you interact in the course of your practice, that seek to confirm your CMPA membership.

When the CMPA confirms or supports membership with third parties, medico-legal information will not be released. A list of medical associations, provincial or territorial governments, and Colleges with whom the CMPA exchanges personal information may be obtained from the CMPA website or by contacting the CMPA.

CMPA’s Subsidiary, Saegis

As stated in the Overview section of this policy, the CMPA shares personal information with its subsidiary Saegis to offer particular services that may benefit you. The CMPA may also share information with Saegis to confirm membership with the CMPA or to update contact or member information. For example, if you are a CMPA member and a client of Saegis, when you inform us of an address change, this information may be changed for both organizations. The CMPA will not share members’ personal medico-legal information with Saegis without member consent.

Service Providers to the CMPA

The CMPA may employ third party service providers (e.g. for data analysis, data security monitoring and assessment, member support and management services, etc.) in Canada, and other locations around the world, such as the United States and Ireland. These service providers may be retained to facilitate or provide certain services on our behalf, such as to assist us in analyzing how our services are used, and how best to communicate with and support our members.

Your personal information will be kept at our offices, on our servers, or on the servers of our service providers. Our employees and those of our service providers who require your information to fulfil their duties will have access to your information only when and as required. Access to your personal information is only granted to perform specific tasks on our behalf and is restricted using contractual arrangements that bind third parties from disclosing or using your information for any other purpose. For additional information about the way in which our service providers treat your personal information, contact us as set out below.

Disclosing Information without Consent

There are some circumstances where the CMPA may disclose personal information without consent. Such circumstances include where the CMPA:

  • is permitted or required by law, including by order of a court or tribunal;
  • believes, on reasonable grounds, that it is necessary to protect the safety of an identifiable person or group;
  • believes it is necessary to establish or collect fees;
  • believes it necessary to permit us to provide approved services, pursue or investigate available remedies (including legal remedies through a civil or criminal court process), or limit any damages that we may have or are likely to sustain;
  • believes the information is public; and
  • as otherwise permitted by law.

Where obliged or permitted to disclose information without consent, the CMPA will not disclose more information than is required. The CMPA retains the right to use de-identified or aggregated information in any way that it determines appropriate.

In short, the CMPA may share your personal information to confirm or support your membership with third parties. We may also share your personal information with our subsidiary, Saegis, and with service providers we engage to deliver various organizational functions or services. When we do, we’ll make sure to put in place a contract with the service provider that restricts their use of the information only as instructed by us and to delete or return information once the provider’s work for the CMPA is complete.

Sometimes the CMPA will disclose your information without your consent. We will only do so when permitted by law or for specific reasons, such as when we reasonably believe the information is necessary to protect the safety of a person or group.

How long is personal information retained by the CMPA?

The CMPA retains personal information as long as necessary to fulfil the purpose for which it was collected or as otherwise permitted by law. Once this purpose has been fulfilled, subject to any legal exceptions, the CMPA destroys the information in a secure manner that protects the privacy of the individual to whom the information relates. The CMPA’s retention and disposition policy is reviewed and updated regularly.

In short, the CMPA will hold onto your personal information to satisfy the purpose for which it was collected, in accordance with our retention and disposition policy, as permitted by law, or to comply with our legal requirements.

How is personal information safeguarded by the CMPA?

The CMPA endeavours to maintain adequate physical, administrative, and technical security safeguards with respect to our offices and information storage capabilities so as to prevent any loss, misuse, unauthorized access, disclosure, or modification of personal information. This commitment also applies to the disposal or destruction of personal information.

As part of these precautions, we restrict access to personal information to those employees and, under appropriate contractual arrangements, third party service providers we determine need to know that information in order that the CMPA may provide its services. The CMPA treats employee misuse of personal information as a serious offence for which disciplinary action may be taken. The CMPA is also prepared to take all appropriate steps to enforce the provisions of confidentiality agreements with external parties.

As noted, the CMPA may rely on external service providers who are located in the United States and other countries. Some personal information collected by the CMPA may therefore be retained in countries other than Canada where privacy laws may offer different levels of protection, and personal information may be subject to access by, and disclosure to, law enforcement agencies in those jurisdictions.

The CMPA audits its procedures and security measures, as appropriate, to ensure that they remain effective and reasonable. We take reasonable steps to confirm service providers adhere to accepted standards of information privacy and security.

Your Responsibilities

The safety and security of your information also depends on you. Where we have given you (or you have chosen) a password to access certain parts of our website, you are responsible for choosing a unique password and for keeping this password confidential.

While we take the security of your personal information seriously, and we maintain a rigorous privacy program, we cannot guarantee the security of your information, and you provide us your information at your own risk. There are certain precautions you should take to maximize the security of your information. For example, you should regularly apply available security and application/system updates to your browser and operating system software, and protect your computers with up-to-date anti-virus and firewall software.

Monitoring Network Activities

Among our security initiatives, the CMPA employs software programs to monitor network traffic, to identify unauthorized attempts to upload or change information, and to prevent denial of service attacks or other attacks intended to cause damage.

Unauthorized attempts to defeat or circumvent security features; to use the CMPA system for other than intended purposes; to deny service to authorized users, to access, obtain, alter, damage, or destroy information or to otherwise to interfere with the system or its operation are not permitted and may result in loss of membership. Evidence of such acts may also be disclosed to law enforcement authorities and result in criminal prosecution under the laws of Canada or such other jurisdictions as may apply.

In short, data security is a priority for the CMPA. We make significant investments into the technical, administrative, and physical safeguards to protect the personal information we hold. You also have a role to play in the protection of personal information you give to the CMPA. For example, protect your password, don’t share it with others, and don’t reuse the same password. Some of our service providers are located outside Canada, which means your data may be stored in a country whose privacy laws are not as strict as ours in Canada. By giving us your personal information, you understand and agree to this transfer of data.

How can I access personal information held about me?

Where applicable, certain categories of personal information can be accessed by you through your CMPA account. The CMPA strives to provide access to personal information in keeping with all applicable legislation. The CMPA may decline to provide access to personal information in accordance with existing legislation. We will provide information from our records in a form that is easy to understand and will also endeavour to provide explanations for any abbreviations or codes used. When possible, the CMPA will also provide a list of organizations that may have received such information. We may charge a reasonable cost (e.g. photocopying, mail charges) to the individual making the request.

The CMPA reserves the right to decline to provide access to personal information where the information requested:

  • would disclose personal information about a third party;
  • would reveal confidential commercial information;
  • could reasonably result in serious harm to an individual;
  • may harm or interfere with law enforcement activities, and other investigative or regulatory functions of a body authorized by law to perform such functions;
  • was generated in the course of a formal dispute resolution process;
  • is subject to solicitor-client or litigation privilege, or a professional privilege or obligation;
  • is not readily retrievable and the burden or cost of providing would be disproportionate to the nature or value of the information;
  • does not exist, is not held, or cannot be found by the CMPA; or
  • as otherwise permitted by law.

Where information will not or cannot be disclosed, the individual making the request will be provided with the reason for non-disclosure.

The CMPA will not respond to repetitive or vexatious requests for access and, in doing so, will consider such factors as the frequency with which information is updated, the purpose for which the information is used, and the nature of the information. To guard against fraudulent requests for access, the CMPA may require sufficient information to allow it to confirm the identity of the person making the request before granting access or making corrections.

In short, there are several ways you can access the personal information we hold on you. For example, if you have an online account with the CMPA, you can access your account and make changes to your profile and contact data. Alternatively, you can write us at privacyofficer@cmpa.org and we will help you. If we decline to give you access to your personal information, we will let you know our reason for declining.

Cookies and similar technologies

The CMPA website uses "cookies." A cookie is a small text file that is stored on your browser. The CMPA uses both session and persistent cookies.

Session cookies:The CMPA website uses session cookies to track website usage. Session cookies track a user's progression through our website(s) in a single visit. These cookies enable our web server to remember things as you progress from one page to another. Session cookies are deleted as soon as you close your browser. If you leave your browser open for a prolonged period, the cookies on our website are not set to erase themselves automatically after a short period of time. They will, however, be deleted when you shut down your browser.

Persistent cookies: The CMPA website uses persistent cookies in limited circumstances, namely to maintain specific information related to an authorized user's access to the CMPA's Good Practices Guide and other similar resources, where required. Persistent cookies remain on your computer until you erase them using your browser settings.

You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it. You can also set your browser to block cookies.

In short, our website uses session and persistent cookies to track and understand user browsing behaviour and for internal analytics purposes. You can delete or block cookies from your browser. You can also set a notification to receive an alert when a cookie is placed on your browser.

Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes to our information practices. If we make any material changes to this policy, we will notify you by email and/or by means of a notice on the Website. We encourage you to periodically review this page for the latest information on our privacy practices.

Contact us about our Privacy Program

The CMPA consistently aims to address all privacy issues to your satisfaction. If you have questions about the collection, use, or disclosure of your personal information by the CMPA, or the CMPA’s CASL procedures, or if you would like to correct or access your information, please visit our website or contact us:

Phone
1-800-267-6522 or 1-613-725-2000

Email
privacyofficer@cmpa.org

Online
Contact us

Address
P.O. Box 8225
Station T, Ottawa ON
K1G 3H7

The CMPA will address challenges concerning compliance with this policy. The CMPA maintains procedures for addressing and responding to all inquiries and complaints about the CMPA’s privacy practices.

You may also seek advice from the Office of the Privacy Commissioner of Canada or the Privacy Commissioner in your jurisdiction.