All Centre for Community, Clinical and Applied Research Excellence (CCCARE) Program and UW Fitness Service fees are non-refundable. Refunds will only be considered on a case-by-case basis for medical or compassionate grounds, and must be communicated to, and approved by, the Research and Operations Manager.
This privacy document applies to the Centre for Community, Clinical and Applied Research Excellence (CCCARE) in the Department of Kinesiology at the University of Waterloo.
At CCCARE, information is collected, used, and disclosed in a manner consistent with provincial legislation, such as the Freedom of Information and Protection of Privacy Act (FIPPA), R.S.O. 1990 and the Personal Health Information Protection Act (PHIPA), 2004, S.O. 2004.
In keeping with Ontario legislation, the University of Waterloo has a consistent approach to protecting personal information, including health information, within the service named above. Ontario legislation requires anyone that provides you with health care to protect your personal health information. Personal health information means identifying information about an individual in oral or recorded form that relates to things such as:
- the physical or mental health of the individual (including information that consists of the health history of the individual’s family)
- the providing of health care to the individual (including the identification of a person as a provider of health care to the individual)
- the processing and collecting of fees for programs or services and/or issuing tax receipts
- any other information about an individual that is included in a record containing personal health information that is maintained for the purpose of providing health care or health services
Individuals who work at CCCARE are required to advise you of how your personal health information is used, stored, and shared. CCCARE Staff who collect, use, access, and disclose your personal health information must be approved by the current Department of Kinesiology Chair and Associate Chair of Applied Research, Partnerships and Outreach. In certain situations, we must ask your permission before we collect, use, or disclose it. We are not permitted to collect personal health information that is not relevant to your health needs or to collect, use, or disclose more information than is necessary. With some exceptions, privacy legislation also gives you the right to view your personal health information and to ask for it to be changed or corrected if you think it is inaccurate or incomplete.
As part of our privacy program, we have this Privacy Statement and have designated a Privacy Contact Person. This Privacy Statement describes our privacy practices and tells you how you can exercise your rights.
Who can use and see your personal health information
Implied consent to collect, use, and disclose your information
When you seek programs and services from CCCARE we assume that we have your permission to collect, use, and disclose your personal health information among individuals who provide or assist in providing health care to you at CCCARE. Although the primary purpose for collecting, using, and sharing personal health information is to provide care, we also use your information for administrative purposes and to comply with our legal and regulatory requirements. With your permission, we may also use these data for research purposes.
For the purpose of providing direct care or assisting in providing care, your personal health information is stored securely by CCCARE in a password protected database on a secure server at the University of Waterloo. Personal health information in our database is accessed only by authorized CCCARE Fitness Staff, supervisors, and administrative staff and only on a need-to-know basis, meaning that the information accessed is reasonably necessary to provide care at CCCARE. Those accessing your personal health information are required to abide by the applicable provisions of the following: Ontario privacy legislation; CCCARE privacy, confidentiality, and security of information policies; the Kinesiology Act (2007); all other relevant national and provincial professional Associations.
The personal health information in your CCCARE health record is accessible by individuals who provide direct care or who may be consulted as necessary in the provision of your care. As well, personal health information in your health record is accessible to support staff in order to perform authorized services such as scheduling appointments and facilitating payments.
Ontario privacy legislation (i.e., PHIPA) allows for your personal health information to be disclosed to your other health care providers outside of CCCARE programs and services so they can provide you with ongoing care and follow-up. When such a decision is made, legislative requirements within PHIPA are followed. In general, however, information on your health care will not be shared with anyone outside CCCARE without your explicit consent.
You should let us know if you do not want us to collect, use, or share some or all of your personal health information. This can be done when you sign your programs or services Consent Form at CCCARE. You are free to withdraw consent at any time for the collection, use, or disclosure of your personal health information by providing notice to us.
Please note that any restrictions that you place on your personal health information do not apply to uses or disclosures required by law, professional, or institutional practice, or when disclosure of that personal health information is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to an individual or group of persons.
Express consent to disclose your information
Except as outlined above or as required by law, your personal health information in your health record at CCCARE will not be disclosed to people who do not provide you with health care, such as:
- your insurance company or your employer;
- a health care professional for reasons other than providing you with health care; or
- your academic advisors, professors, university administration, family, or friends.
In cases where you would like us to disclose personal health information about you to others, your express consent is required. This consent may be obtained verbally, in writing, or by electronic means.
Exceptions to consent requirements
There are certain situations in which personal health information can be disclosed without consent. CCCARE staff may be legally required or professionally obligated to use and/or disclose some of your personal health information without consent in a limited number of situations in accordance with Mandatory Reporting Guidelines of the College of Kinesiologists of Ontario and including the following:
- In order to eliminate or reduce a significant risk of serious bodily harm to a person or group of persons or in compelling circumstances affecting the health or safety of an individual;
- When there are reasonable grounds to suspect that a child (under age 16) or a resident of a long-term care home is or may be in need of protection;
- We may also report when there are reasonable grounds to suspect that a person age 16 or 17 years old is or may be in need of protection;
- For the purpose of a legal proceeding or complying with a court order, or for the purpose of administration and enforcement of various Acts by professional Colleges, Associations, and other regulatory bodies;
- Reported sexual abuse by a regulated health professional/regulated professional;
- To report certain information, such as a health condition that makes you unfit to drive or to report certain diseases to public health authorities;
- To identify a person who has died;
- To give the spouse or child of the person who has died personal health information to assist them in making decisions about their own care;
- To give information to certain registries or planning bodies that use personal health information to improve health care services or health system management, as long as strict privacy protections are in place;
- To assist health researchers for approved research studies, as long as strict privacy requirements are met;
- To improve or maintain the quality of care or the quality of any related program or service offered by CCCARE programs and services;
- For risk management and legal purposes;
- To allocate resources to our programs and services.
Disclosure of personal health information when your consent is not required is referenced in Your Health Information and Your Privacy in Our Office (PDF) and occurs in accordance with the following guidelines: Practice Tool for Exercising Discretion: Emergency Disclosure of Personal Information by Universities, Colleges and other Education Institutions (PDF) and Fact Sheet: Disclosure of Information Permitted in Emergency or other Urgent Circumstances (PDF).
A final limit to personal health information and privacy is as follows: in order to provide health care to CCCARE members, we use a computerized schedule which is accessible to authorized individuals from CCCARE. This system is password protected and is located on a password-protected network at the University of Waterloo. When you access programs or services at CCCARE your name is entered into this computerized schedule.
Marketing, research, evaluation and planning
The law protects you by making sure your personal health information is never shared for marketing purposes unless you expressly consent.
CCCARE may be involved in research projects designed to improve our programs and services, and may invite you to consider participating in one of these research projects. We abide by the guidelines for research involving human participants established by the Office of Research Ethics (ORE) at the University of Waterloo. Any human research must first be reviewed and receive ethics clearance from either the ORE or the University of Waterloo Human Research Ethics Committee. Their review involves a number of things such as evaluating the goals and benefits of the research in relation to risks associated with the procedures; ensuring safeguards are in place to mitigate the risks; determining how the consent process is to occur (which includes considering whether obtaining consent directly is impracticable); confirming that the informed consent document (as applicable) is complete and understandable; and determining whether adequate safeguards are in place to protect the privacy of individuals and the confidentiality of their personal health information.
In certain instances (for example, when research involves collection of information through interviews, focus groups, questionnaires, and surveys) your consent is required. In other instances (for example, when research involves analysis of previously collected data or file information where identifiable information has been removed) your consent may not be required. In cases where your consent may not be required, additional requirements as outlined in PHIPA are followed. For example, researchers shall use your personal health information only for the purpose set out in the research plan, not publish information in a form that could identify you, and not contact you unless you have said they can. If you are invited to participate in research, you should keep in mind that it is voluntary. Your decision to take part or not take part in research will have no impact on the services you receive from us.
Evaluation and planning
CCCARE programs and services are continually seeking to improve the quality of care offered to community members, students, staff, and faculty at the University of Waterloo. In order to help us improve, we invite feedback, both orally and/or in writing, from those who access our services. Any information gathered, including ratings and/or written comments, is used only for administrative, statistical, or report-writing purposes. At no time will identifying personal health information be used, shared, or given out.
Protecting personal health information
We have taken the following steps to ensure that your records (paper or electronic) are secure and protected against theft, loss, unauthorized use or disclosure and unauthorized copying, modification or disposal:
- Paper records containing personal health information are either under supervision or secured in a locked or restricted area.
- Electronic records containing personal health information are located on a password-protected network and are accessed on hardware (e.g., computer, laptop, cell phone, USB flash drive) that is password protected and is under supervision or is secured in a locked or restricted area at all times. In addition, electronic records containing personal health information on any mobile device (e.g., laptop, cell phone, USB flash drive) are encrypted.
- If paper or electronic records containing personal health information are removed from the office they are transported via secure means and are under the constant control of CCCARE Staff or are secured in a locked or restricted area at all times.
- Each CCCARE staff member is trained to collect, use and disclose personal health information only as necessary to fulfil their duties and in accordance with privacy legislation.
- In the event of any unauthorized use or disclosure of personal health information: individuals will be informed at the first reasonable opportunity, a note will be made in the individual’s record of personal health information, and the note will be kept as part of the records or in a form that is linked to the records.
- Personal health information is protected in accordance with:
  - CCCARE guidelines for working outside the office, for example: Personal Information and Privacy: Guidelines for Working Outside the Office (PDF).
  - University of Waterloo policies and guidelines, for example: Electronic media disposal guidelines.
  - Information and Privacy Commissioner Ontario guidelines and requirements, for example: Guidelines for Protecting the Privacy and Confidentiality of Personal Information When Working Outside the Office (PDF), Fact Sheet: Encrypting Personal Health Information on Mobile Devices (PDF), and Fact Sheet: Health-Care Requirement for Strong Encryption (PDF).
Retention and destruction of personal health information
CCCARE needs to retain personal health information for some time to ensure that we can answer any questions you might have about the services provided and for our own accountability to external regulatory bodies. However, in order to protect your privacy, we do not want to keep personal health information for too long.
In order to decide how long to keep your personal health information, each Service follows the guidelines established by the various professional organizations to which clinicians belong, as well as according to University of Waterloo guidelines: Policy 46 – Information Management and University of Waterloo Information and Privacy. Unless otherwise required by law, CCCARE keeps records in accordance with the longest applicable retention requirements.
We destroy confidential paper files and electronic information securely according to University of Waterloo guidelines (confidential shredding and media disposal) as well as according to guidelines set out by the Information and Privacy Commissioner Ontario (Fact Sheet: Secure Destruction of Personal Information (PDF) and Get rid of it Securely to keep it Private: Best Practices for the Secure Destruction of Personal Health Information (PDF)).
Your rights and choices
Seeing your information
You have the right to see and to get a copy of the personal health information that CCCARE holds about you. Often, all you have to do is ask (orally or in writing) and confirm your identity. CCCARE will follow requirements for access as outlined within PHIPA and in accordance with University of Waterloo guidelines and policies. We will identify what records we might have about you and try to help you understand any information you do not understand (short forms, technical language, etc.). We may need to charge a nominal fee to cover the costs of retrieving the documentation and copying.
There may be situations where we are unable to provide you with access to some or all of your record. For example, when the personal health information relates to another individual, law enforcement, legal proceedings, or is subject to legal privilege you may not get to see or obtain a copy of the record. Similarly, when the personal health information could reasonably be expected to result in a risk of serious harm to the treatment or recovery of yourself or a risk of serious bodily harm to yourself or another person, you may not be able to have access to or to obtain a copy of some or all of the information in the record.
We will respond to your request for access to your record as soon as possible. If we are not able to respond within 30 days, we will contact you and let you know in writing the reason for the delay. If we cannot give you access for reasons such as those outlined above, we will notify you within 30 days, if at all possible. A written notice will explain why we cannot give you access to some or all of your record.
Correcting your record
If you believe that your record of personal health information is inaccurate or incomplete, you have the right to ask for it to be corrected. Depending on the corrections you are requesting, a written request showing how our files are inaccurate or incomplete is often required. We will respond to your request as soon as possible. If we are not able to respond within 30 days, we will contact you and let you know in writing the reason for the delay.
Requests for corrections apply to factual information and not to any professional opinions or observations made in good faith. We are obligated to correct personal health information where it is demonstrated, to our satisfaction, that the record is in fact inaccurate or incomplete and where the necessary information to correct the record is provided. Any changes will be done carefully so the original record remains visible or by ensuring that the corrected version is readily available.
In some situations (e.g., in matters of professional opinion and observation, or with respect to information created by others), we may not be able to make a correction and will let you know the reason. If you choose, you can attach a statement of disagreement to your record indicating any correction you requested that was not made. You can also ask to have this statement made available to those who see the record.
Who you can talk to about your decisions or concerns
If you have any questions or concerns, or if you would like to see or correct any of your personal health information, then please speak directly to the staff person who has been involved in the provision of your care. We want to resolve concerns directly with you.
University of Waterloo privacy contact persons
If you are not satisfied with the response to your request, you may contact either of the Privacy Contact Persons designated for CCCARE. These individuals are available to assist you with any concerns or decisions regarding privacy.
University of Waterloo privacy officer
Sometimes we may be unable to resolve all your concerns about how your personal health information has been handled, even after you have worked to resolve your concern with the staff involved in the provision of your care and the designated privacy contact person for the service with which you’re involved. In that case, you may choose to contact the University of Waterloo privacy officer.
The Information and Privacy Commissioner of Ontario
Alternatively, or in the event you are dissatisfied with how the University of Waterloo has responded, you can contact the Information and Privacy Commissioner of Ontario. The Commissioner is the person who has general responsibility for ensuring requirements of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and PHIPA are followed.
You can contact the Commissioner about any decision, action or inaction that you believe is not in compliance with the Act, including:
- if you are unable to resolve with us a concern about how your personal health information has been handled;
- if you are unable to see all of your personal health information, or have concerns about a delay in responding to your request;
- if you feel your personal health information in your record is incorrect and you have been unable to persuade us to correct the information; or
- if you disagree with the fee that we charged to see or get a copy of your personal health information.
You must express your concerns in writing within specific time frames designated by the Commissioner, who will try to resolve the matter through mediation. If your concerns cannot be resolved in this way, the Commissioner has the power to investigate and to make an order that sets out what must happen.
Information and privacy contact persons
Centre for Community, Clinical and Applied Research Excellence privacy contact person
University of Waterloo Privacy Officer
If you have any comments or concerns resulting from your participation in a CCCARE research study, please contact the Chief Ethics Officer in the Office of Research Ethics at 1-519-888-4567, ext. 36005 or email@example.com.
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416) 326-3333
Toll-free: 1-800-387-0073 (within Ontario)
Text Tel. (TTY)/Tel. Device for the Deaf (TDD): (416) 325-7539
Fax: (416) 325-9195
This document provides general information only and is not legal advice as to all rights and obligations under Ontario legislation.
This document is based on the following legislation:
- Freedom of Information and Protection of Privacy Act (R.S.O. 1990)
- Municipal Freedom of Information and Protection of Privacy Act (R.S.O. 1990)
- Personal Health Information Protection Act (2004)
- Personal Information Protection and Electronic Documents Act (PIPEDA, 2004)
- Kinesiology Act, 2007, S.O. 2007, c. 10, Sched. O
In conjunction with materials from the Information and Privacy Commissioner Ontario:
- Information and Privacy
Information and Privacy Commissioner Ontario (2005). Your Health Information and Your Privacy in Our Office (PDF)
Information and Privacy Commissioner Ontario (2015). Frequently Asked Questions: Personal Health Information Protection Act (PDF)
- Working Outside the Office
Information and Privacy Commissioner Ontario (1998). Privacy and Confidentiality When Working Outside the Office
Information and Privacy Commissioner Ontario (2001). Guidelines for Protecting the Privacy and Confidentiality of Personal Information When Working Outside the Office (PDF)
- Security of Personal Health Information
Information and Privacy Commissioner Ontario (2007). Fact Sheet: Encrypting Personal Health Information on Mobile Devices (PDF)
Information and Privacy Commissioner Ontario (2010). Fact Sheet: Health-Care Requirement for Strong Encryption (PDF)
Information and Privacy Commissioner Ontario (2012). Fact Sheet: The Secure Transfer of Personal Health Information (PDF)
- Disclosure of Personal Health Information
Information and Privacy Commissioner Ontario (2018). What to do When Faced with a Privacy Breach: Guidelines for the Health Sector (PDF)
Information and Privacy Commissioner Ontario (2008). Practice Tool for Exercising Discretion: Emergency Disclosure of Personal Information by Universities, Colleges, and other Educational Institutions (PDF)
Information and Privacy Commissioner Ontario (2005). Fact Sheet: Disclosure of Information Permitted in Emergency or Other Urgent Circumstance (PDF)
- Destruction of Personal Health Information
Information and Privacy Commissioner Ontario (2009). Fact Sheet: Get Rid of it Securely: Keep it Private: Best Practices for the Secure Destruction of Personal Health Information (PDF)
Information and Privacy Commissioner Ontario (2005). Fact Sheet: Secure Destruction of Personal Information (PDF)
University of Waterloo guidelines and policies:
- General Information and Privacy
- Security of personal health information: Policy 46 - Information Management
- Record retention and destruction of personal health information: Policy 46 - Information Management
- Confidential shredding procedures
- Electronic media disposal guidelines
And in conjunction with other relevant materials, such as:
- Canadian Institute of Health Research, Natural Sciences and Engineering Research Council of Canada, and Social Sciences and Humanities Research Council of Canada (2014). Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans.
- Mandatory Reporting Guidelines of the College of Kinesiologists of Ontario