Condominium Management Regulatory Authority of Ontario (CMRAO)
The purpose of this Policy is to set out how the Condominium Management Regulatory Authority of Ontario (the “CMRAO”) will effectively protect and provide access to personal information and records held by it. In carrying out its mandate, the CMRAO will comply with all applicable privacy legislation.
The CMRAO is a not-for-profit corporation funded primarily through licensing fees from
condominium managers and condominium management provider businesses.
a. “Personal information” means any information about a recognizable individual that is recorded in any form. This does not include the name, title, contact information or designation of an individual that identifies the individual in a business, professional or official capacity;
b. “Authority” or “CMRAO” means the Condominium Management Regulatory Authority of Ontario;
c. “Delegated Provisions” means all provisions of the Act except for Part VII;
d. “the Act” means the Condominium Management Services Act, 2015;
e. “SCSAA” means the Safety and Consumer Statutes Administration Act, 1996
f. "record” means any record of information, however recorded, whether in printed form, film, by electronic means or otherwise in the custody and control of the CMRAO for administration of the Act.
2.0 Collection, Use and Disclosure of Personal Information
2.1 Collecting Personal Information
(a) The Authority will collect personal information only where it is required for its legitimate purposes in the administration of the Delegated Provisions. Personal information shall be collected only by lawful means. Regulatory functions which may require the collection of personal information include, but are not limited to:
- Issuance or renewal of a license;
- Information requests or complaints; and
- Inspections and investigations.
(b) Subject to subsection 2.1(c), personal information will be collected with written consent directly from the person to whom it relates, not from a third party, and the purpose of the collection and how personal information will be used will be explained at or before the time the information is collected.
(c) Subsection 2.1(b) may not apply to information that is being collected as part of an inspection, investigation or response to a complaint.
2.2 Using and Disclosing Personal Information
(a) The Authority must have the written consent of the individual to whom the personal information relates before it can be used, or disclosed to a third party for a purpose other than that for which it was collected, except as set out in section (c) below.
(b) In addition, third party access to personal information should only be provided where it can be demonstrated that the third party has put in place means to protect personal information which are comparable to those of the Authority. If personal information is made available to a third party on an ongoing basis, any revised information will be regularly provided.
(c) Personal information that has been collected by the Authority in accordance with this Policy may be used or disclosed without the consent of the individual only in the following circumstances:
- For the purpose of conducting an inspection or an investigation; or
- If the information is necessary to respond to an emergency.
2.3 Protecting Personal Information
The Authority recognizes the importance of protecting the personal information and records in its care. To prevent the unauthorized disclosure, use, copying or modification of personal information in the custody and under the control of the CMRAO, access to such information shall be restricted using appropriate security mechanisms. The Authority will:
- Take reasonable steps to prevent theft, loss or misuse of personal information and records, and protect them from unauthorized access, modification or destruction;
- Implement physical and organizational protections for paper records;
- Enable passwords and other technological protections for electronic records;
- Take reasonable steps to ensure that personal information held by the Authority is accurate and up-to-date, based upon the information provided to it; and
- Ensure that all employees, the Board of Directors and all consultants or contract workers employed by the Authority have received adequate training to comply with this Policy.
3.0 Retention and Destruction of Personal Information and Records
3.1 Retention of Personal Information and Records
The Authority will retain information for as long as is necessary to fulfill the purpose for which it was collected or for its use in accordance with this Policy, and for 12 months thereafter in order to provide an opportunity for the individual to access their own personal information. A record of personal information may be retained beyond this time period in the following circumstances:
- Another law requires or authorizes the retention;
- The record is reasonably required for the future regulatory actions of the Authority; or
- The record is transferred to storage or archives for historical research or permanent preservation, provided it is made anonymous of personal information as described in Section 4.2.
3.2 Destruction of Personal Information and Records
Any records that are retained for historical research or permanent preservation must be made anonymous.
For all records that have fulfilled the purposes for which they were collected or further use and are not to be further retained, the record will be destroyed in a manner that is appropriate given its medium:
- A paper record of personal information, and all copies, shall be shredded before it is destroyed;
- Electronic data containing personal information shall be deleted from hardware that hosted the data; and
- Before hardware that hosted electronic data is discarded or destroyed, all electronic data containing personal information shall be deleted.
4.0 Access to Information
4.1 Accessing Own Personal Information
The Authority will confirm the existence of, and provide an individual access to, their own personal information held by the Authority, except where such access and disclosure would:
- constitute an unjustified invasion of another individual’s personal privacy, unless that individual consents to the release and disclosure of the information;
- violate a legally recognized privilege;
- violate intellectual property law; or
- compromise ongoing inspection and enforcement activities of the Authority.
To request such access, the individual must submit a request in writing to the Access and Privacy Officer of the Authority. The Authority will, in the normal course, respond to such a request within 5 business days and at no cost, unless such response involves the review of a large number of records or meeting the request would unreasonably interfere with the operations of the Authority.
4.2 Corrections, Updates or Completeness of Personal Information
Where an individual disagrees with the accuracy of their personal information on file with the Authority, the individual has the right to challenge its accuracy and demand its amendment.
Following the confirmation of proof of identity and upon request of any corrections or updates by an individual, the Authority shall amend the individual’s personal information on file with the Authority to reflect either:
- the requested change; or
- if requested by the individual, a statement of disagreement if an amendment was requested but not made to be attached to the information and the individual’s file, which must also be transmitted to any third parties with access to the information.
Amendments to the personal information or records shall be made as soon as practicable, but no later than 30 days from the time that the Authority makes the determination to amend the personal information or record.
4.3 Public Access to Records
The Authority will provide public access to records in its possession unless the release of information would:
- constitute an unjustified invasion of personal privacy;
- violate a legally recognized privilege;
- compromise ongoing inspection and enforcement activities of the Authority;
- reasonably be expected to threaten the life, health or security of an individual;
- involve information that is the substance of deliberations by the Authority’s Board of Directors and its committees, including but not limited to agenda, minutes, policy options and analysis, internal advice, proprietary information and advice to government;
- involve commercial, proprietary, technical or financial information related to an individual or commercial enterprise who has supplied the records to the Authority in confidence, if disclosure would result in undue loss or gain, prejudice a competitive position, or interfere with contractual or other negotiations of such individual or commercial enterprise; or
- violate provisions of the Act.
To request such access, a member of the public must submit a request in writing to the Access and Privacy Officer of the Authority. The Authority will, in the normal course, respond to such a request within 5 business days and at no cost, unless such response involves the review of a large number of records or meeting the request would unreasonably interfere with the operations of the Authority.
4.4 Remedies for Access Requests
If an individual who requested access to information is not satisfied with the Authority’s response, the requester may ask the Authority to review the decision. This request for review must be in writing, addressed to the Registrar, and must describe what aspect of the response the requester wishes to have reviewed. A final decision on the request will be provided within 30 days of receipt of the review request.
If the Authority is unable to respond within 30 days, the Authority shall advise the requester of the date a response can be expected.
5.1 Access and Privacy Officer and Complaints
This Policy will be reviewed at regular intervals by the senior officers or Board of Directors of the Authority to ensure that it continues to serve its intended purpose. This may include reviewing:
- procedures in place to protect personal information;
- the effectiveness of procedures for handling complaints relating to this Policy;
- the effectiveness of procedures for addressing information requests; and
- any other amendments that should be made to improve the operation of this Policy and the protection of personal information.