Statement of Information Practices
To fulfill our mandate, CCO requires access to personal health information (PHI) and personal information from across Ontario. This page explains our information practices, including how we collect, store, use and disclose PHI, and what authority we have to do so.
CCO’s information practices must be reviewed and approved every 3 years by Ontario’s Information and Privacy Commissioner. Our information practices were last reviewed and approved in 2014.
CCO may collect personal information under the authority of s. 38(2) of the Freedom of Information and Protection of Privacy Act (FIPPA) for the administration of an activity authorized by the Cancer Act. The Cancer Act permits the collection of information for the purpose of study and reporting on cancer in Ontario.
CCO is a designated as a prescribed entity under Section 45 of the Personal Health Information Protection Act, 2004 (PHIPA), which means that we have the authority to collect personal health information without consent for purposes related to planning and managing the health system.
CCO is also designated as a prescribed registry under section 39(1)(c) of PHIPA in relation to our role in compiling and maintaining screening information for colorectal, cervical and breast cancer in the Ontario Cancer Screening Registry. This designation grants CCO the authority to collect, use and disclose personal health information for the purposes of facilitating or improving the provision of healthcare for colorectal, cervical and breast cancer. For more information, see Get Checked for Cancer
For several programs, we collect personal health information under additional PHIPA authorities. In providing information technology services (e.g., computer applications or network services), we may operate as an information technology service provider under PHIPA. This role strictly limits our use of personal health information to that which is required to support electronic services to healthcare providers.
For information about CCO’s mandate, see What We Do.
Where CCO Gets Personal Health Information
CCO collects personal health information from different sources depending on the data holding but, in general, we collect most of our information from facilities such as hospitals, clinics, independent health facilities and laboratories, classified under PHIPA as “health information custodians.”
We also get data from the Ontario Ministry of Health and Long-Term Care, and other organizations, such as the Canadian Institute for Health Information and the Institute for Clinical Evaluative Sciences.
CCO collects personal information directly from individuals in relation to our Cancer Screening Program. This includes:
- date of birth
- personal health information (e.g., health insurance number)
This information is collected to verify the identity of people who contact CCO to stop receiving cancer screening letters or to correct their personal information.
Types of Personal Health Information CCO Collects
We collect mostly cancer-related personal health information. We also collect data related to the access to care strategy and the Ontario Renal Network.
Types of cancer-related personal health information we collect include:
- expenditures for clinics or services
- clinical information:
- type of cancer diagnosed,
- location and size of the tumour
- treatment or services provided
- confirmed cases of cancer
- cancer screening data, which may include data about early detection or the risks of developing cancer
Access to Care Information
For the purposes of the Access to Care Strategy, we collect personal health information related to 5 initiatives designed to reduce wait times and to improve patients’ access to healthcare services:
- Surgery and Diagnostic Imaging Wait Times (WTIS)
- Surgical Efficiency Targets Program (SETP)
- Emergency Room National Reporting System Initiative (ERNI)
- Alternate Level of Care (ALC)
- Mental Health and Addictions Access to Care
Find out more about these initiatives on the Access to Care website.
Ontario Renal Network Information
For the purposes of the Ontario Renal Network, we collect personal health information to help manage and coordinate the province’s chronic kidney disease program. We use the information collected from chronic kidney disease service providers to effectively organize and manage the delivery of services in Ontario.
Find out more about chronic kidney disease services in Ontario on the Ontario Renal Network website.
We collect patient reported outcomes data about orthopedic services from the hospitals that provide those services. The information supports local quality improvement and research initiatives. We also use it to evaluate the appropriateness and effectiveness of orthopedic surgery.
CCO’s Authority to Collect Personal Health Information
CCO is permitted to collect personal health information without consent under PHIPA as a prescribed entity and as a prescribed registry. These designations also come with special obligations under the Act: for example, CCO’s information management and privacy practices are reviewed by the Information and Privacy Commissioner of Ontario every 3 years to maintain our special designation.
An individual cannot choose to withhold their information, as it is needed to conduct reliable analysis of cancer and cancer-related care in Ontario. For example, with respect to the New Drug Funding Program or the Ontario Cancer Registry, CCO collects the data to administer a payment program, or plan and manage the health system.
In the case of the ColonCancerCheck Program, the Ontario Cervical Screening Program and the Ontario Breast Screening Program, individuals may choose to stop receiving correspondence about these programs by:
- calling our toll-free number 1-866-662-9233
- completing the appropriate sections of the Cancer Screening Programs: Participant Information Form and mailing or faxing it to us at:
Cancer Screening Contact Centre
Cancer Care Ontario
18-505 University Ave
Toronto, Ontario M5G 1X3
Using and Storing PHI
How CCO Uses Personal Health Information
CCO uses the information we collect to:
Plan and manage the cancer system in Ontario
- Studying and reporting on patterns of cancer in the province. For example, using data collected over many years, we are able to report on:
- whether the incidence of cancer in general, or any specific type of cancer, is increasing, decreasing or remaining stable
- survival rates for different types of cancer, i.e., how long people with certain types of cancer can expect to live and if survival is changing over time
- the prevalence of cancers, i.e., how many people are living with cancer in Ontario
- relationships between sex, age, environmental factors or geographic locations and cancer
- Evaluating the effects of early diagnosis and treatment
- Studying service delivery and utilization
- Estimating current and future needs for cancer services
- Studying wait times for cancer surgery
Operate Ontario’s cancer screening program
CCO’s cancer screening program offers certain groups in Ontario the opportunity to get regularly tested (screened) for 3 types of cancer:
- breast cancer
- colorectal cancer (cancer of the lower parts of the bowel)
- cervical cancer (cancer of the cervix)
CCO sends letters about cancer screening to the following groups of people:
- men and women ages 50 to 74 (to get screened for colorectal cancer)
- women ages 50 to 74 (to get screened for breast cancer)
- women ages 21 to 69 ( to get screened for cervical cancer)
Develop and test information technology solutions
CCO develops and test technology solutions (e.g., computer applications, web portals) related to health system projects and programs we manage.
Support health research
Manage Access to Care initiatives
- Wait Time Information System (WTIS) – Reduce wait times by providing clinicians and healthcare decision makers with the information they need to more effectively manage wait times at the organizational, regional, and provincial level.
- Surgical Efficiency Targets Program (SETP) – Enable Ontario hospitals to compare their performance with that of their peers and identify areas of surgical improvements.
- Emergency Room National Ambulatory Initiative (ERNI) – Improve the performance and timeliness of access to emergency rooms in Ontario.
- Alternate Level of Care (ALC) – Analyze near real-time wait time data in acute care and post-acute care hospitals in Ontario.
Manage the Ontario Renal Network Program
CCO provides aggregate reports based on the analysis of renal personal health information collected from the chronic kidney disease service providers. Reports are disclosed to the kidney disease community, which includes the Ministry of Health and Long-Term Care, Local Health Integration Networks, nephrologists and dialysis centres.
Operate CCO’s Provincial Drug Reimbursement Program (PDRP)
Personal health information collected for the New Drug Funding Program, the Evidence Building Program and the Case-by-Case Review Program is used to reimburse hospitals for patients who have met the eligibility criteria. This allows funding decisions to be made for patients requiring treatment with unfunded drugs due to rare circumstances, and to evaluate the clinical and cost effectiveness of cancer drugs.
How CCO Stores Personal Health Information
CCO stores information collected from healthcare service providers across the province in its data holdings. This information enables us to plan and fund cancer and other healthcare services, develop guidelines, and monitor and manage the performance of the cancer and renal care systems. The best known of our data holdings is the Ontario Cancer Registry.
The Ontario Cancer Registry contains information on all diagnosed adult cancers in Ontario. It collects information from different sources. Here are some examples:
- Potential cases of cancer are identified from hospital records collected by the Canadian Institute for Health Information.
- Reports on the site and stage of cancer come from pathology reports collected by pathology laboratories in hospitals and private laboratories.
- Deaths related to cancer are identified by the Ministry of Government Services.
A list of our data holdings is available on the Privacy page.
How CCO Protects Information
CCO uses industry-standard security information technologies and controls to protect the confidentiality, integrity and availability of information during transfer, storage and use. Data is encrypted during transmission to CCO and stored on secured servers. Regular security reviews ensure our computer systems remain secure. Our computer systems are tested and backed-up regularly, and we have an active disaster recovery plan.
CCO does not release personal health information with identifiers unless we are required or permitted to do so under the Personal Health Information Protection Act, 2004 (PHIPA). For example, we may disclose personal health information to researchers who comply with the research requirements set out in PHIPA, and if the research meets our scientific standards and is consistent with our mission and objectives.
Any personal health information that is disclosed must comply with CCO’s Data Use and Disclosure Policy.
In operating Ontario’s cancer screening program, CCO discloses your personal health information to:
- determine if you need to be screened for cancer
- send letters inviting or reminding you to be screened, telling you about your test (e.g., Pap test) results or telling you to get more tests done
- make sure your doctor knows whether or not you have been screened or need more tests
- connect you with a doctor if you don’t have one and need to get more tests done
- help research studies on cancer screening
- improve the management of healthcare in Ontario
If you do not want to receive letters from Cancer Care Ontario about cancer screening, call us toll-free at 1-866-662-9233. You may change your decision at any time.
How CCO Supports External Cancer Research
CCO supports cancer research and the research needs of the health sector. All requests by non-CCO researchers for access to CCO data must meet the requirements set out in Section 44 of the Personal Health Information Protection Act, 2004 (PHIPA). This could involve submitting a Research Ethics Board approved protocol along with the data request application. When reviewing a data request, our Data Disclosure Subcommittee considers compliance with the requirements under Section 44 of PHIPA.
Access to Personal Health Information Held by CCO
Only a limited number of staff have access to the data within CCO. The data we collect is stored in a data holding. A data steward is assigned to each holding, and that person is responsible for controlling access to the data holding. Access is limited to those staff who need it to carry out their job at CCO, such as analysts and information technology support staff. Their access is audited regularly and reviewed annually to make sure it remains appropriate.
All CCO staff must attend annual privacy and security training and sign a confidentiality agreement as a condition of employment.
Release of Personal Health Information by CCO
CCO does not release personal health information with identifiers unless it is required or permitted to do so under the Personal Health Information Protection Act, 2004 (PHIPA). E.g., CCO may disclose personal health information to researchers who comply with the research requirements set out in PHIPA.
CCO does not share your information with insurance companies or employers.
Any personal health information disclosed to any party must comply with PHIPA and CCO’s Data Use and Disclosure Standard. Aggregate (i.e., summed or categorized) data we release in tables or reports is reviewed to minimize the risk of identifying an individual.
Requesting Personal Health Information
Generally, people requesting access to their personal health information will be directed to those who originally collected the information — health information custodians who are directly involved in the care and treatment of patients (e.g., your doctor or other healthcare provider). Exceptions may be made in particular circumstances, such as when an individual is researching their family’s cancer history.
Contact the Information and Privacy Commissioner
To ask questions about how our information practices are reviewed, contact:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
Phone: 416-326-3333 or 1-800-387-0073
Email: [email protected]
Contact the Legal & Privacy Office
Contact us for information about CCO’s data holdings, information practices or privacy program: