The legal powers and duties of the College are set out in:
- the Regulated Health Professions Act, 1991 (RHPA),
- the Health Professions Procedural Code (being schedule 2 of the RHPA), and
- the Occupational Therapy Act, 1991.
Collectively, these are referred to as “the Legislation.”
The activities of the College are subject to a number of oversight mechanisms including:
- the Ontario Ministry of Health,
- specific oversight by the Health Professions Appeal and Review Board,
- the Health Professions Regulatory Advisory Council,
- the Fairness Commissioner of Ontario and the Courts.
When fulfilling its mandate, the College may collect, use and disclose personal information regarding applicants for registration, registrants, registrants’ clients and persons employed, retained, elected or appointed for the purpose of the administration of the Legislation. The personal information being collected is critical to the College’s ability to effectively regulate the profession in the public interest. These regulatory activities are not of a commercial character. Accordingly, the performance of the College of its statutory duties is not covered by the Personal Information Protection and Electronic Documents Act (PIPEDA).
The College has adopted this Privacy Code voluntarily to provide appropriate privacy rights to individuals involved in the College's activities while still enabling the College to meet its statutory mandate. Personal information handled by the College is subject to the provisions of this Privacy Code. The Code has been summarized below.
Read the full version of the College Privacy Code, 2022
Principle 1 – Accountability
The Registrar or named designate is accountable for compliance with these policies and procedures. The College will provide orientation and training to all new employees and appointees as well as all members of Council, committees or working groups regarding their obligations.
Individuals who are employed, retained or appointed by the College as well as every member of College Council or a College committee are required by section 36(1) of the RHPA to maintain confidentiality with respect to all information that comes to their knowledge. Individuals who breach this provision face fines of up to $25,000 for a first- time offence and up to $50,000 for a second or subsequent offence1.
Principle 2 – Identifying Purposes
The purpose for which the College collects, uses and discloses personal information is to administer and enforce the Legislation. This includes gathering and retaining information for the purposes of the registration, quality assurance, and investigations and resolutions programs as well as for administering the operations of the College.
The College discloses personal information only as permitted by section 36 of the RHPA, as required by law, or as set out in its bylaws. This includes the information about registrants posted on the public register.
The College may obtain information from a registrant, their employer, colleagues, clients, or others involved in their services or role. The College may also obtain information regarding individuals who may be practising the profession of occupational therapy, using protected titles or holding themselves out as practising the profession, and / or who are retained, elected or appointed for the purpose of the administration of the Occupational Therapy Act, 1991 including committees, council and subcommittees.
Principle 3 – Consent
Where practicable, the College will make a reasonable effort to specify to the individual the identified purposes of the collection and use of their information. Personal information will only be collected, used and disclosed without the knowledge and consent of the individual for the purpose of the administration or enforcement of the Legislation.
Principle 4 – Limiting Collection
The College collects only the personal information that is required for the purposes identified in the Privacy Code. The College collects personal information using procedures that are fair and lawful.
Personal information regarding clients must be collected as part of the College’s regulatory function. This information is typically obtained by the College as part of an investigation or quality assurance program.
Principle 5 – Limiting Use, Disclosure or Retention
The RHPA Procedural Code and College bylaws clearly designate the information gathered regarding registrants. In addition, under the RHPA Procedural Code, the College is required to publish certain information regarding discipline hearings conducted by the Discipline Committee and certain outcomes about registrants, prescribed in the legislation, are also published.
Discipline hearings are open to the public and during these, information about a registrant, and their clients, employers and colleagues related to the allegations may be shared. The Discipline Panel has the discretion to close a hearing under certain prescribed circumstances and / or restrict the publication of personal information where appropriate.
The College has an information retention policy in place and conducts regular audits to ensure that personal information that is no longer required to be kept is destroyed, erased or made anonymous. Specific information regarding the record retention policy can be obtained by contacting the Registrar or named designate at the College via email to [email protected].
Principle 6 – Accuracy
It is in the best interest of the public that the College collects, uses and discloses only accurate personal information in regulating the profession.
Registrants are required to advise the College within thirty (30) days of any change to their personal information. This information is also updated annually when registrants renew their registration with the College. If someone is aware that a registrant’s information is not accurate, we encourage them to contact us.
Principle 7 – Safeguards
The College ensures that personal information it holds is secure.
The College ensures that personal information is stored in electronic and physical files that are secure. Security measures are in place to safeguard this information which include restricting access to personal information to authorized personnel, ensuring that physical files are under lock and key and ensuring that electronic files are password protected. The College reviews its security measures periodically to ensure that all personal information is secure.
As noted above, the College provides orientation and ongoing training regarding the information safeguards required for personal information and their importance.
The College ensures that personal information that is no longer required to be retained is disposed of in a confidential and secure fashion (i.e. shredding).
From time to time, the College uses external service providers. These service providers may store data outside of Canada. The College reviews the security measures used by these service providers to ensure that appropriate safeguards are in place.
Principle 8 – Openness
The College’s Privacy Code is available to the public and its registrants via the College’s website at: www.coto.org or can be requested by phone at 1-800-890-6570, email at [email protected], or by mail to 20 Bay St. Suite 900, Toronto, ON M5J 2N8.
Inquiries concerning the College’s policies and practices for collecting, using and disclosing personal information may be directed to the Registrar at: [email protected].
The full Privacy Code is available online.
Principle 9 – Information Access
Where the College holds personal information about an individual, upon written request, the College shall allow them access to the information, unless providing it could reasonably be expected to interfere with the administration or enforcement of the Legislation or it is impracticable or impossible for the College to retrieve the information.
The College aims to provide personal information to the individual within 30 days and at no cost, but timelines and costs may vary when the information is extensive. Individuals should send their written request for access, with their contact information or personal identifier to the Registrar or named designate at: [email protected].
If the College cannot, or will not, provide the information requested, the reasons for this will be explained, except if those reasons may compromise the ability of the College to administer and enforce the Legislation.
If the College has erroneous information, this will be corrected when appropriate and required.
Principle 10 – Questioning Compliance
Complaints or questions regarding the College's compliance with this Privacy Code should be directed to the Registrar or named designate who can be reached at: [email protected].
Upon receiving a concern, the College will acknowledge this, review the concern and any relevant policies, procedures or extenuating circumstances, provide a written decision and reasons, and take appropriate action if the concern is justified.
If the Registrar or designate cannot resolve the complaint, this will be reviewed by the College’s Senior Leadership Team or Executive Committee.
1 See the Regulated Health Professions Act (RHPA) 1991, Section 36(1)