Statement of Information Practices
To fulfill our mandate, CCO requires access to personal health information (PHI) and personal information (PI) related to Ontario’s healthcare system. This page explains how we handle and manage personal health information and personal information, including our authority under the law to collect, use and disclose this information. To learn about our mandate, see What We Do.
Authority to Collect, Use and Disclose Personal Information and Personal Health Information
CCO generally derives its authority to collect, use and disclose personal health information and personal information from privacy laws, including the Personal Health Information Protection Act, 2004 (PHIPA), the Freedom of Information and Protection of Privacy Act (FIPPA), as well as the Cancer Act and CCO’s Memorandum of Understanding and Accountability Agreement with the Ministry of Health.
As a prescribed entity and prescribed person, CCO’s information practices must be reviewed and approved every 3 years by Ontario’s Information and Privacy Commissioner. Our information practices were last reviewed and approved in 2017. The following information describes the authorities under the law that permit CCO to collect, use and disclose this information.
Prescribed Entity (PE)
CCO is designated as a prescribed entity for the purposes of section 45 of PHIPA. In this capacity, we are permitted to collect personal health information without consent from health information custodians such as healthcare facilities, as well as from certain organizations and government institutions. We are permitted to use this information for the planning, management and analysis of the health system.
Prescribed Person (PP)
CCO is also designated as a prescribed person for the purposes of section 39(1)(c) of PHIPA with respect to our role in compiling and maintaining screening information for colorectal, cervical and breast cancer in the Ontario Cancer Screening Registry. This designation grants CCO the authority to collect, use and disclose personal health information, without consent, for the purposes of facilitating or improving the provision of healthcare with respect to the Ontario Cancer Screening Registry.
CCO operates a research program to develop new knowledge through epidemiological, intervention, health services, surveillance, and policy research, as well as knowledge synthesis and dissemination. Under certain circumstances, with a research plan approved by a research ethics board, we are permitted to use, for research, personal health information that was collected for prescribed entity or prescribed person purposes.
Information Technology Service Provider
CCO provides information technology services to healthcare providers to enable them to collect, use, modify, disclose, retain or dispose of personal health information, or to exchange personal health information with one another. In providing these services, we are acting as an electronic service provider (ESP), a health information network provider (HINP), or both, pursuant to the regulations under PHIPA. These roles strictly limit our use of PHI to that which is required to support electronic services to providers.
CCO is an institution as defined in FIPPA, and is subject to its requirements. FIPPA governs how we manage and handle personal information and imposes requirements to protect the privacy of individuals. FIPPA has rules which are based on 2 assumptions:
- An individual has the right to control his or her own personal information.
- Rules governing the collection, use, disclosure, retention, security and disposal of personal information are necessary to protect privacy.
CCO will only collect personal information where the collection is specifically authorized by law, used for the purposes of law enforcement or necessary for the administration of a lawfully authorized activity. We will only use and disclose personal information as allowed or required by law.
Our authority to collect personal information is generally taken from the Cancer Act, PHIPA, and CCO’s Memorandum of Understanding and Accountability Agreement with the Ministry of Health.
Determining eligibility for funding of healthcare services
CCO also collects personal health information from health information custodians to determine or verify eligibility for reimbursement for healthcare or related goods, services or benefits, as set out under section 39(1)(a) and 49(6) of PHIPA.
Furthermore, CCO has the legal authority as an agency under section 38(1)(b) of PHIPA to collect personal health information from health information custodians to determine or provide funding or payment for the provision of health care. The purpose of such collection must be consistent with CCO’s authority under section 38(1)(b).
Sources of Personal Information and Personal Health Information
CCO collects personal information and personal health information from different sources depending on the data holding. Most of the personal information and personal health information comes from facilities such as hospitals, clinics, independent healthcare facilities and laboratories.
We also collect personal information and personal health information from other government organizations and data partners, such as:
- Ministry of Health
- Ministry of Labour
- Ministry of Government Services
- Pharmaceutical Manufacturers
- Workplace Safety and Insurance Board
- Health Shared Services Ontario
- Out-of-province cancer registries
- Trillium Gift of Life Network
- Canadian Institute for Health Information
- Institute for Clinical Evaluative Sciences
We collect personal information directly from individuals, if required, for our cancer screening, patient and family advisor programs, and Out-of-Country Hemodialysis Reimbursement Program.
Use of Personal Information and Personal Health Information
Generally, CCO uses personal information and personal health information for the following purposes:
- Study and report on the use, effects and patterns of healthcare diagnosis, services and treatment in the province
- Estimate current and future needs for healthcare services
- Study wait times for healthcare services
- Facilitate the delivery of healthcare through the Ontario Cancer Screening Program
- Determine eligibility for funding of healthcare services
The following describes the types of personal health information and personal information we collect and how we use it to support CCO programs.
CCO collects personal information and personal health information to support the planning and management of cancer services in Ontario or for Ontario residents.
- Information related to expenditures for clinics or services
- Clinical information, including images, that support diagnosis, treatment or services provided
- Screening information related to the early detection of cancer or the risks of developing cancer
- Patient-reported outcomes, satisfaction and experience to facilitate conversations with healthcare providers and increase patient involvement in care
We also collect personal health information for the purposes of the Ontario cancer screening programs, and use this information to send letters to eligible individuals to:
- invite them to participate in screening
- inform them of their screening test results
- inform them of what to do if they have an abnormal test result
- connect patients without family doctors to a doctor if more tests are required
- generate reports for primary care physicians to inform them of their cancer screening rates, their patients’ test results and follow-up needs
Individuals may choose to stop receiving correspondence about these programs from CCO by:
- calling our toll-free number 1-866-662-9233
- completing the appropriate sections of the Cancer Screening Programs: Participant Information Form and mailing or faxing it to us at:
Cancer Screening Contact Centre
Cancer Care Ontario
18-505 University Ave
Toronto, Ontario M5G 1X3
Access to Care information
CCO collects personal health information relating to initiatives to reduce wait times and improve patients’ access to healthcare services for the following program areas:
- Surgery Wait Times and Efficiencies – measure, manage and publicly report on surgical wait times for almost 3,300 surgeons across 121 healthcare sites; help capture and report on data about surgical efficiency in 850 operating rooms across Ontario
- Diagnostic Imaging Wait Times and Efficiencies – measure, manage and publicly report on magnetic resonance imaging (MRI) and computerized tomography (CT) wait times and efficiencies for 107 healthcare sites
- Emergency Room Information – use the National Ambulatory Care Reporting System (NACRS) to measure, manage and publicly report on emergency room performance at 126 sites
- Alternate Level of Care Information – measure, manage and report on patients occupying a hospital bed who do not need the intensity of resources or services provided in that care setting, across 186 healthcare sites
- Electronic Canadian Triage and Acuity Scale (eCTAS) – improve patient safety and quality of care by creating an electronic decision-support tool to standardize the way the scale is used
Find out more about these initiatives in the Access to Care Plan.
Ontario Renal Network information
The Ontario Renal Network is a division of CCO that advises the Ontario government on chronic kidney disease. For the purposes of the Ontario Renal Network, CCO collects personal health information for the management and coordination of the Provincial Chronic Kidney Disease program. We use renal personal health information to effectively organize and manage the delivery of renal services in Ontario. The aim is to reduce the burden of this disease on Ontarians and the healthcare system. The Ontario Renal Network provides evidence-based decisions and advice to government to help them effectively plan, program and fund services to support a continuously improving kidney care system in Ontario.
CCO provides reports based on the analysis of renal personal health information collected from chronic kidney disease. Reports are disclosed to the kidney disease community, which includes the Ministry of Health, nephrologists, and dialysis centres.
Find out more about chronic kidney disease services in Ontario on the Ontario Renal Network website.
Ontario Palliative Care Network Repository
CCO routinely links health administrative data to better understand the patient experience throughout the end-of-life phase of care. This data allows the Ontario Palliative Care Network team to review concepts related to health system use, disease identification, significant health events, treatments and other important health information.
Find out more about palliative care services in Ontario on the Ontario Palliative Care Network website.
CCO collects patient-reported outcomes data on orthopedic services from hospitals that provide those services. The information helps local quality improvement and research initiatives evaluate the appropriateness and effectiveness of orthopedic surgery.
Patient and family advisor information
CCO collects personal information directly from renal and cancer patient and family advisors who provide valuable insight. This is used to move forward a patient-centred approach to healthcare and improve the patient experience. This information is also used to respond to inquiries, administer the engagement program and achieve the goals of the organization.
Reimbursement program operation
CCO collects personal information and personal health information to determine or verify eligibility for reimbursement for healthcare or related goods, services or benefits in Ontario. CCO’s Reimbursement Programs include:
- New Drug Funding Program
- Evidence Building Program
- Case-by-Case Review Program
- Brachytherapy Program
- Out-of-Country Program
- Chimeric Antigen Receptor (CAR) T-Cell Therapy
- Home Hemodialysis Utility Grant
- Out-of-Country Hemodialysis Reimbursement Program
CCO uses the information gathered under these programs to determine eligibility for reimbursement for healthcare services provided to patients and to provide recommendations on eligibility to the Ministry of Health.
Information technology solution development and maintenance
CCO as an IT service provider may need to access information when developing, testing or providing IT support for technologies (e.g., computer applications, web portals) that are provided to health information custodians or other data partners.
Health research support
CCO collects high-quality data from healthcare facilities, patients and health system partners for research, and health system management and planning. Along with partners across the healthcare system, CCO’s team of experts use the data to help healthcare providers, health system administrators, policy-makers and researchers to improve Ontario’s health systems by delivering high-quality clinical care. We produce:
- evidence-based guidance, tools and advice on health services
- reports on cancer, renal and other health system topics
- information for health system planning to ensure Ontario can meet the growing demand for greater accountability, better outcomes and improved patient experiences
For more information about CCO’s research, see Data & Research.
Protection of Information
CCO has physical, administrative and technical systems in place to safeguard personal information and personal health information in our custody against loss, theft, unauthorized access, disclosure, copying, use or modification. The types of safeguards correspond to the sensitivity, amount, distribution and format of the information. The following describes some of the safeguards CCO implements to protect information.
- We have in place controls to secure physical premises, including controlled access to CCO offices.
- Some operational areas that process personal information and personal health information require restricted access with a secondary level of access controls.
- Employees are given appropriate identification.
- Visitors are appropriately screened and are authorized to be on the premises.
- Video surveillance is used for forensic purposes.
- We use policies, agreements, and a privacy and security training and awareness program to reinforce employee and third-party understanding of the responsibility to protect personal information and personal health information.
- We do not use personal information or personal health information we have access to in the course of providing information technology services, except as necessary to provide the services.
- We have in place a privacy breach management program to identify, contain, investigate and report on privacy breaches. We notify the applicable health information custodian or data partner of any privacy breach at the first reasonable opportunity.
- We have a comprehensive privacy assessment and risk management program to ensure privacy risks are identified, mitigated and responsibly managed.
- We adopt industry standards and test our systems to ensure the security of:
  - personal information and personal health information in our custody
  - the equipment and communication systems we use
- Data is encrypted during transmission to CCO and is stored on secured servers.
- We test and back up systems regularly, and we have an active Disaster Recovery Plan.
- We put in place a logging, monitoring and auditing system to record when personal health information is accessed or transferred.
Who at CCO can Access Personal Information and Personal Health Information
Only a limited number of staff have access to personal information and personal health information within CCO. A data steward assigned to each holding is responsible for authorizing access to the data holding. Access is limited to those staff who need it to carry out their jobs at CCO, such as analysts and information technology support staff. Access permissions are reviewed regularly to ensure they remain appropriate.
Disclosure of Personal Information and Personal Health Information
CCO does not release personal health information and personal information with identifiers unless the individual consents and it is necessary for a lawful purpose, or where permitted or required by law.
We may also disclose personal health information that we collected for the purposes of a prescribed entity or prescribed person to:
- researchers who comply with the research requirements set out in PHIPA, and if the research meets our scientific standards and is consistent with our mission and objectives
- other prescribed entities, prescribed persons or certain organizations or government agencies as permitted under PHIPA
In operating Ontario’s cancer screening programs, CCO discloses your personal information and personal health information to:
- determine if you need to be screened
- send letters inviting or reminding you to be screened or informing you of the results
- ensure your doctor knows whether or not you have been screened or need more tests
- connect you with a doctor if you don’t have one and need to get more tests done
For the Reimbursement Programs, CCO may also disclose your personal health information to organizations such as the Ministry of Health, the Kidney Foundation of Canada and requesting physicians to determine eligibility for reimbursement.
Request Access to Your Personal Information and Personal Health Information
CCO provides individuals with a right of access to, and correction of, their personal information in accordance with the requirements of FIPPA.
To make a request, see Freedom of Information Requests.
Contact the Legal and Privacy Office
Contact us if you would like more information or have privacy concerns about CCO’s data holdings, information practices or privacy program:
Contact the Information and Privacy Commissioner
You have the right to submit any concern or complaint about CCO’s information practices to:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
Phone: 416-326-3333 or 1-800-387-0073