The purpose of this Policy is to set out how the Condominium Management Regulatory Authority of Ontario (CMRAO) will effectively protect and provide access to personal information and records held by it. In carrying out its mandate, the CMRAO will comply with all applicable privacy legislation.
(a) The Authority will collect personal information only where it is required for its legitimate purposes in the administration of the Delegated Provisions. Personal information shall be collected only by lawful means. Regulatory functions which may require the collection of personal information include, but are not limited to:
(b) Subject to subsection 3.1(c), personal information will be collected with written consent directly from the person to whom it relates, not from a third party, and the purpose of the collection and how personal information will be used will be explained at or before the time the information is collected.
(c) Subsection 3.1(b) may not apply to information that is being collected as part of an inspection, investigation or response to a complaint.
(a) The Authority must have the written consent of the individual to whom the personal information relates before it can be used, or disclosed to a third party for a purpose other than that for which it was collected, except as set out in section (c) below.
(b) In addition, third party access to personal information should only be provided where it can be demonstrated that the third party has put in place means to protect personal information which are comparable to those of the Authority. If personal information is made available to a third party on an ongoing basis, any revised information will be regularly provided.
(c) Personal information that has been collected by the Authority in accordance with this Policy may be used or disclosed without the consent of the individual only in the following circumstances:
The Authority recognizes the importance of protecting the personal information and records in its care. To prevent the unauthorized disclosure, use, copying or modification of personal information in the custody and under the control of the CMRAO, access to such information shall be restricted using appropriate security mechanisms. The Authority will:
The Authority will retain information for as long as is necessary to fulfill the purpose for which it was collected or for its use in accordance with this Policy, and for 12 months thereafter in order to provide an opportunity for the individual to access their own personal information. A record of personal information may be retained beyond this time period in the following circumstances:
Any records that are retained for historical research or permanent preservation must be made anonymous.
For all records that have fulfilled the purposes for which they were collected or further use and are not to be further retained, the record will be destroyed in a manner that is appropriate given its medium:
The Authority will confirm the existence of, and provide an individual access to, their own personal information held by the Authority, except where such access and disclosure would:
To request such access, the individual must submit a request in writing to the Access and Privacy Officer of the Authority. The Authority will, in the normal course, respond to such a request within 5 business days and at no cost, unless such response involves the review of a large number of records or meeting the request would unreasonably interfere with the operations of the Authority.
Where an individual disagrees with the accuracy of their personal information on file with the Authority, the individual has the right to challenge its accuracy and demand its amendment.
Following the confirmation of proof of identity and upon request of any corrections or updates by an individual, the Authority shall amend the individual’s personal information on file with the Authority to reflect either:
Amendments to the personal information or records shall be made as soon as practicable, but no later than 30 days from the time that the Authority makes the determination to amend the personal information or record.
The Authority will provide public access to records in its possession unless the release of information would:
To request such access, a member of the public must submit a request in writing to the Access and Privacy Officer of the Authority. The Authority will, in the normal course, respond to such a request within 5 business days and at no cost, unless such response involves the review of a large number of records or meeting the request would unreasonably interfere with the operations of the Authority.
If an individual who requested access to information is not satisfied with the Authority’s response, the requester may ask the Authority to review the decision. This request for review must be in writing, addressed to the Registrar, and must describe what aspect of the response the requester wishes to have reviewed. A final decision on the request will be provided within 30 days of receipt of the review request.
If the Authority is unable to respond within 30 days, the Authority shall advise the requester of the date a response can be expected.
This Policy will be reviewed at regular intervals by the senior officers or Board of Directors of the Authority to ensure that it continues to serve its intended purpose. This may include reviewing: