1. Introduction

At the Canadian Post-M.D. Education Registry (CAPER), we take physician privacy very seriously. It is a long-established policy of CAPER and the Association of Faculties of Medicine of Canada (AFMC), of which Association CAPER is a component division, to deal with all physician information in a sensitive manner, in order to ensure that our collections, uses, disclosures, retention and disposals of physician information are carried out in accordance with best privacy practices.

This Privacy Policy has been designed to reflect the 10 Principles contained in the Canadian Standards Association's Model Code for the Protection of Personal Information. It deals with:

1. our accountability for our privacy practices;
2. the purposes for which we collect physician information and the sorts of physician information that we collect;
3. the manner in which consent is obtained for our dealings with physician information;
4. the manner in which we use physician information;
5. our security, retention and disposal processes relating to physician information;
6. accuracy: ensuring data are sufficiently accurate to achieve our purposes;
7. a physician's right to access his or her own information and to request corrections of same;
8. how physicians can get answers to questions or raise concerns about our dealings with physician information and/or our compliance with this Privacy Policy; and
9. amendments to this Privacy Policy
10. our privacy policy is available on our website and upon request.

2. Scope

This Privacy Policy applies to all physician information that is held by, or is under the control of, CAPER.

3. Definitions

The following definitions have been created to explain terms that are used extensively in this Privacy Policy:

• "Collect" or "Collection" means the act of gathering, acquiring or obtaining physician information from physicians or from third parties (the data providers as defined below), by any lawful means.
  
  
• "Consent" means voluntary agreement with what is being done or proposed. Consent can be either express or implied. Consent must always be informed. Express consent is given explicitly, in writing. In appropriate circumstances, consent may be implied from an individual's conduct such as the return of a completed questionnaire.
  
  
• "Data Provider" means a Canadian organization which collects information from physicians in the course of processing applications for membership, assessment, training or licensure. Data Providers include the provincial/territorial medical regulatory authorities, the Medical Council of Canada (MCC), the International Medical Graduates assessment centres, the Canadian Medical Association and the 17 Canadian faculties of medicine.
  
  
• "Disclose" or "Disclosure" means providing identifiable physician information to anyone other than to the physician who is the subject of that information, and to the data provider.
  
  
• "Physician Information" means information about an identifiable physician, other than his or her name, title, business address or business telephone number.
  
  
• "Use" means the treatment and handling of physician information.

4. Privacy Principles

• 4.1 Principle 1 - Accountability

  • 4.1.1 Our Director is responsible for our compliance with this Privacy Policy. The Director may be contacted at:

    Canadian Post-M.D. Education Registry
    c/o Association of Faculties of Medicine of Canada
    365 Carling Ave, Suite 800
    Ottawa ON K1S 2E1
    Attention: Director
    Telephone: (613) 730-1204
    Fax: (613) 730-1196
    E-mail: caper@afmc.ca

    While the Director is primarily responsible for our Privacy Policy, other CAPER personnel are responsible for day-to-day collection and processing of physician information or for acting on behalf of the Director from time to time.

  • 4.1.2 We are responsible for the physician information under our control.

  • 4.1.3 We have implemented policies and practices to give effect to our privacy commitment to physicians, including:

    1. physician information security processes (see Principle 4.7 below);
    2. enquiry and complaint procedures (see Principles 4.9 and 4.10 below);
    3. staff training regarding physician privacy; and
    4. development of documentary information to explain our privacy policy and procedures.

• 4.2 Principle 2 - Identifying Purposes

  • 4.2.1 We may collect some or all of the following information about physicians:

    1. identifier information (name, date of birth): this is used for matching records from multiple sources and will not remain on the file as described in section 4.5.3
    2. demographic information : gender, legal status, country of citizenship
    3. M.D. degree: university, country and date awarded
    4. post-M.D. training outside Canada: training field
    5. medical practice outside Canada : country - whether passed the MCC evaluating examination for graduates of foreign medical schools; whether passed the MCC qualifying examinations (LMCC I and II)
    6. post-M.D. training in Canada: faculty, field, rank level, source of funding
    7. licensure in Canada: data, category, province
    8. practice location in Canada: postal code of physicians' practice location
    9. practice activity in Canada: practice specialty, academic affiliation, activity level (hrs. worked/wk) and practice type (group, clinic, solo, etc)

  • 4.2.2 We collect the physician information referenced in Section 4.2.1 of this Privacy Policy in order to produce aggregated data for inclusion in publications such as the "CAPER Annual Census of Post-M.D. Trainees", the "CAPER Provincial Reports" and the "CAPER Individual Field of Training Tables". Data tables are also made available on the CAPER website: www.caper.ca. The aggregated data provide a basis for physician resource planning and analysis and are used by Health Canada, provincial and territorial ministries of health and national medical organizations as a component of the data required for physician resource planning and for educational planning related to future physician resources in Canada. The data published by CAPER pertain to all potential new physicians for Canada: those who earned the M.D. degree in Canada and those who earned the M.D. degree outside Canada. Data are also used in a de-identified form for research projects which are in compliance with the mandate of CAPER.

  • 4.2.3 We make every reasonable effort to ensure that any Data Provider that collects physician information on our behalf is able to adequately explain to physicians the purposes for which their information is collected.

• 4.3 Principle 3 - Consent

  • 4.3.1 Subject to all applicable legal rights and obligations, Data Providers will obtain physicians' consent (express or implied as appropriate) for the collections and uses of physician information identified in Principle 4.2 above prior to disclosing physician information to us.

• 4.4 Principle 4 - Limiting Collection

  • 4.4.1 We will collect only that physician information that we require in order to achieve the purposes identified in Section 4.2.2 of this Privacy Policy. We collect physician information only by fair and lawful means.

• 4.5 Principle 5 - Limiting Use, Disclosure and Retention

  • 4.5.1 Physician information is used by a limited number of our personnel, on a "need to know" basis, while they are performing their functions. The sole use made by CAPER of the identifiable physician data received by CAPER from the Data Providers involves the aggregation of that data for utilization in the CAPER reports and research activities described in Section 4.2.2 of this Privacy Policy.

  • 4.5.2 CAPER does not disclose identifiable physician information to third parties.

  • 4.5.3 We retain and dispose of physician information in accordance with our physician information retention and disposal policy. Physician information that is no longer required in order to meet our identified purposes will be destroyed, erased or otherwise rendered anonymous.

• 4.6 Principle 6 - Accuracy

  • 4.6.1 We will seek to ensure that physician information under our control is sufficiently accurate, complete and up-to-date to permit us to achieve our purposes as identified in Section 4.2.2 of this Privacy Policy.

• 4.7 Principle 7 - Safeguards

  • 4.7.1 We protect physician information under our control with safeguards that are appropriate to the sensitivity of that information. These safeguards are designed to protect physician information in all formats against loss or theft, as well as against unauthorized access, disclosure, copying, use or modification.

• 4.8 Principle 8 - Openness

  • 4.8.1 Additional information about our privacy-related policies and procedures is available upon request and on our website.

• 4.9 Principle 9 - Individual Access

  • 4.9.1 Subject to our legal rights and obligations, we will, upon receipt by our Director of a written request for access, inform a requesting physician about our possession and use of his or her information, if any, and permit the physician to access his or her information if it is held or controlled by us. If a physician requests such information or access, the physician must provide sufficient information with his or her request to permit us to provide an account of the existence and use of his or her information. Any physician information provided by us to a physician as a result of a request for access shall be in a generally understandable form.

  • 4.9.2 We will respond to a request within a reasonable time and in any event within thirty (30) days of receipt of the request. We may extend this response deadline for up to an additional thirty (30) days if replying within thirty (30) days would unreasonably interfere with our operations, or if the time required to undertake any consultations necessary to respond to the request would make it impractical to meet that time limit. We will provide written notice to a requesting physician of any response period extension within thirty (30) days of his or her request.

  • 4.9.3 If a physician demonstrates to our satisfaction that any of his or her information that is held or controlled by us is inaccurate or incomplete, we will make appropriate amendments. These amendments may involve the correction, deletion, or addition of physician information.

• Principle 10 - Challenging Compliance

  • 4.10.1 In the event that a physician wishes to enquire or complain about our physician information practices or our compliance with this Privacy Policy, a written enquiry or complaint should be sent to the attention of the Director at the co-ordinates provided in Section 4.1.1 of this Privacy Policy. The Director will inform the Chairman and will investigate all complaints and respond to all written enquiries. If deemed necessary by the Chairman, an independent third party may be asked to respond to the complaint. If a complaint is found to be justified, we will take all reasonable steps to amend our relevant privacy-related policies or procedures and to remedy and rectify the process.

5. Changes to CAPER's Privacy Policy

We reserve the right to modify or supplement this Privacy Policy upon reasonable published notice concerning the change and the reasons therefore.