Touchstone Institute Privacy Policy
Please note: Touchstone Institute exam policies do not necessarily apply to assessments conducted on behalf of other organizations.
Objective
Touchstone Institute is committed to protecting the privacy and security of personal information and personal health information of individuals with whom we interact, such as employees, clients, suppliers and contractors. This is achieved by embedding rigorous and consistent privacy and information protection strategies across all corporate services and work units.
Touchstone Institute’s Privacy Policy includes the strategies, tools, processes and reporting procedures necessary to support this. This Policy outlines how Touchstone Institute manages, monitors and reports on Privacy and Information Protection performance. This Policy also provides the accountabilities of Management relating to the management of personal and personal health information.
Touchstone Institute collects, holds and uses personal information and personal health information about identifiable individuals in the course of providing its core services.

Policy Scope
This Policy applies to all aspects of Touchstone Institute’s business operations. References to Touchstone Institute’s staff include the CEO, directors, employees, contract workers, consultants and agents of Touchstone Institute who collect, hold or use personal or personal health information. Touchstone Institute staff will comply with the requirements of this Policy. Failure to comply with privacy practices could expose Touchstone Institute to legal risk and may result in disciplinary action for Touchstone Institute staff.
Personal or personal health information refers to any information concerning an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organization. Some examples of personal information collected by Touchstone Institute include:
- National origin, age, marital status
- Education and employment history
- Correspondence with Touchstone Institute that is explicitly or implicitly of a private nature
- Views or opinions concerning an employee’s or individual’s performance evaluation
- Salary information
- Banking information
- A person’s image (e.g. photograph, videos)
Personal information is not restricted to the examples listed above. Personal information may be stored on paper, electronically or digitally, and includes videos, photographs, and/or tape recordings.
Some examples of personal health information collected by Touchstone Institute include:
- Details regarding a candidate’s special needs accommodation
- Health history of a Touchstone Institute staff member
Personal health information is not restricted to the examples listed above. Personal health information includes any information concerning an identifiable individual’s physical or mental health status; the provision of their health care; the eligibility of payment for their health care; the identity of the provider of their health care; and where required for an authorized purpose their personal health care plan numbers. Personal health information also includes information about an identifiable individual that is not personal health information but is contained in the same record or file as personal health information about the individual.

Legal Requirements
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the legal requirements for the protection of personal information. Touchstone Institute business processes within the organization will be designed to meet the principles of this legislation. In Ontario, the Personal Health Information Policy Act (PHIPA) governs the legal requirements for the protection of personal health information. In keeping with its legal requirements and best practices in the management of personal or personal health information:
- Touchstone Institute staff must obtain informed consent from individuals before they collect personal and personal health information. This means open communication and transparency of Touchstone Institute’s information management practices.
- Touchstone Institute employees must be sensitive and rigorous in the handling of files, correspondence and other records containing personal health information about individuals.
- Touchstone Institute must understand and comply with information retention standards including the secure sharing and storage of all personal and personal health information.
Policy Principles
Touchstone Institute is responsible for personal and personal health information under its control and has designated the Director of Human Resources and Operations as the Chief Privacy Officer who, along with the management team, is accountable for ensuring Touchstone Institute has processes, procedures and practices in place for the organization’s compliance with the following principles:
Identifying Purpose: the purposes for which personal and personal health information are collected will be identified by the organization at or before the time the information is collected.
Consent: the knowledge and consent of the individual are required for the collection, use or disclosure of personal and personal health information, unless exceptions apply.
Limiting Collection: The collection of personal and personal health information will be limited to that which is necessary for the purposes identified by Touchstone Institute. Information will be collected by fair and lawful means.
Limiting Use, Disclosure, and Retention: Personal and Personal Health Information will not be used or disclosed for purposes other than those for which it was collected except with the consent of the individual or as required by law. Personal and personal health information will be retained only as long as necessary for fulfillment of these purposes.
Accuracy: Personal and personal health information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
Safeguards: Security safeguards appropriate to the sensitivity of the information will protect personal and personal health information.
Openness: Touchstone Institute will make available to individuals specific information about its policies and practices relating to the management of personal and personal health information. The Privacy Policy and related information about other practices will be posted on Touchstone Institute’s website.
Individual Access: Upon request, an individual will be informed of the existence, use and disclosure of his or her personal and personal health information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Challenging Compliance: An individual will be able to address a challenge concerning compliance with the above principles to the Chief Privacy Officer/Director of Human Resources and Operations of Touchstone Institute. Appeals will be forwarded to Touchstone Institute’s Board of Directors. When necessary the Board of Directors will seek consultation with the Privacy Commissioner(s) to inform investigation processes and/or validate decisions.
Privacy Roles
Chief Privacy Officer
Touchstone Institute’s Director of Human Resources and Operations serves as the Chief Privacy Officer. The Chief Privacy Officer is responsible for monitoring the Touchstone Institute-wide application of the Privacy Policy and for monitoring changes in relevant legislation. The Chief Privacy Officer also serves as a resource for management and may coordinate and support the efforts of management in Touchstone Institute’s employee training and awareness. The Chief Privacy Officer will assist in the development of business processes and procedures across programs. The Chief Privacy Officer also manages all complaints and is responsible for responding on behalf of Touchstone Institute to internal and external requests for personal and personal health information and inquiries about Touchstone Institute’s Privacy Policy for personal and personal health information management.
Touchstone Institute Staff
The Chief Executive Officer, Directors, Managers and designated Touchstone Institute staff are the custodians of the personal and personal health information collected, retained and used within their respective organizational units and organizational roles. Touchstone Institute staff are responsible for ensuring that:
- Consent has been obtained prior to collection of information, and processes to manage exceptions are in place;
- Only personal and personal health information necessary for the business purpose is collected, retained and used;
- Appropriate controls are in place to physically secure both hard copy (including external computer readable media) and electronically stored personal and personal health information;
- Electronic files that contain personal and/or personal health information will not be stored in the generally accessible electronic file system, directories or databases;
- Appropriate system access controls including “business related need to know” restrictions are in place and kept up to date.
- Personal and personal health information is appropriately updated and accurate, having regard for the purpose of such information;
- Personal and personal health information is destroyed or made anonymous when it is reasonable to conclude that it is no longer required for any of the purposes for which it was collected.
- Management and staff will consistently adhere to Touchstone Institute’s record retention standards;
- Contracts with third parties for processing, using or storing personal and personal health information will contain appropriate clauses guaranteeing that the third party will comply with Touchstone Institute’s Privacy Policy and related privacy legislation, safeguard the information, and will only use the information provided for the contractual purposes. Similar privacy clauses will also be included in any agreement that the third party has with subcontractors that they may engage to conduct work on behalf of Touchstone Institute.
- Contracts with third parties who provide Touchstone Institute with personal and personal health information will include appropriate clauses asserting that they have obtained the required consent from their staff; and,
- Appropriate resources will be assigned to retrieve information requested by an individual.
Touchstone Institute Management is responsible for ensuring that all staff have received appropriate training and support to understand and comply with Touchstone Institute’s Privacy Policy and applicable privacy laws.
Touchstone Institute Management is also responsible for ensuring that appropriate safeguards are in place for the physical security of personal and personal health information stored in offsite archiving facilities, and for ensuring that such personal and personal health information is appropriately destroyed within a reasonable time following the destruction date established by the document owner.
The Chief Privacy Officer/Director, Human Resources and Operations is responsible for ensuring that appropriate safeguards are in place to protect the personal and personal health information stored electronically by Touchstone Institute, and for ensuring that all Touchstone Institute employees are sufficiently familiar with the availability and application of such safeguards to make appropriate use of them in complying with the Privacy Policy.
If required, Touchstone Institute will engage legal counsel to provide legal advice and support in relation to matters arising out of Touchstone Institute’s Privacy Policy.
All Touchstone Institute staff are individually responsible for the personal and personal health information about others that they collect, use, retain or disclose. In the course of performing their duties for Touchstone Institute, staff will ensure that their activities with respect to that information are carried out only in accordance with Touchstone Institute’s Privacy Policy.
Consent
Before collecting information about individuals, Touchstone Institute staff will explain the purpose for collection. Consent forms or verbal explanations will contain sufficient information about the use of such information. “Sufficient” means that an ordinary person should be able to make the link between the data requested and its relationship with the process. Where an individual’s consent is required, it must constitute informed consent. This means that the individual must understand why the information is being collected and how Touchstone Institute intends to use the information. Therefore, Touchstone Institute staff collecting consent must be sufficiently knowledgeable to explain the processes.
Consent may be either implicit (for example, if information is requested for a specific purpose and the information is provided, that would generally constitute implied consent) or explicit, depending on the circumstances and the nature of the information being collected. Explicit consent may be obtained either in writing or verbally. Where verbal consent is obtained, however, the verbal consent must be documented by those who collected it and retained in a relevant file for future reference, along with a summary of the information provided to the individual to ensure the individual’s verbal consent was given on an informed basis. Where the collection, use, and/or disclosure of sensitive personal or personal health information are concerned (e.g., medical information or personal financial information such as salary), the consent must be explicit. Guidance on the classification of data by level of security can be obtained from the Chief Privacy Officer.
Explicit Consent
Touchstone Institute staff who are responsible for obtaining consent need to be familiar with the type of information collected and how it is used, to be able to explain and answer questions from the individual. The following are some examples of common situations requiring explicit consent:
- Human Resources gather a broad range of consent from employees when they start at the company.
- Touchstone Institute obtains consent from examination applicants requesting specific accommodations before disseminating accommodation plans to test sites for implementation.
- Touchstone Institute gathers explicit consent from credentialing and examinations candidates to release personal information to its member regulatory bodies if, in the course of conducting its business, Touchstone Institute becomes aware of circumstances or actions related to regulatory issues. All releases of this sort will be done with the knowledge of the affected applicant.
Implied Consent
The following are some examples of common situations involving implied consent:
- Individuals providing their resumes are deemed to consent for Touchstone Institute to use their personal information for employment and contracting purposes. Touchstone Institute’s practice is to retain and use resumes for three months after receipt. In order to circulate or use the resume information of an unsuccessful candidate, his or her consent is required. Touchstone Institute implements practices to ensure this obligation is met.
- Touchstone Institute provides information on its external web site about the information collected when a user accesses a Touchstone Institute web page. Users of Touchstone Institute web site are deemed to consent to the collection and use of such information for the purpose of monitoring website activity.
- Touchstone Institute publishes aggregate data in written performance reports and individual data reports as required in the course of its business activities. Applicants and candidates are deemed to consent to the use of such information for organizational and client required reporting.
Consent Process Exceptions
Some external parties, such as law enforcement agencies, have a lawful or investigative need to collect, use and disclose personal information without having to obtain the consent of the concerned individuals.
Withdrawing Consent
Individuals have the right to withdraw consent to the collection, use or disclosure of personal or personal health information in whole or in part, at any time, upon providing reasonable written notice. The individual must be informed about any potential consequences that may result from the withdrawal of their consent, prior to making such a decision (e.g., closure of applications, associated administrative fees). If an individual withdraws their consent, it is not retroactive and does not apply to personal and personal health information already collected, used or disclosed by Touchstone Institute.

Collecting Data
Collecting and Using Personal and Personal Health Information
Personal and personal health information may only be collected if it relates to Touchstone Institute business activities, if the information is reasonably necessary for the carrying out of such programs or activities, and if appropriate consent has been obtained. Personal and personal health information may only be used for the purpose for which it was collected and access to such information must be restricted to those Touchstone Institute staff who have a need for access to administer Touchstone Institute business activities. All Touchstone Institute staff authorized to access personal and personal health information are required to maintain confidentiality of the information in accordance with the Privacy Policy.
Touchstone Institute may use personal and personal health information without the knowledge and consent of an individual only:
- For contracted specific business purposes;
- For research purposes. Any data reported will be in aggregate format, with all identifiers removed.
- If there are reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
- For an emergency that threatens an individual’s life, health or security; or
- If the information is publicly available.
Disclosure
Disclosure of Personal and Personal Health Information
Personal and personal health information concerning an individual may only be disclosed to others when the purpose for the disclosure is consistent with the purpose for which the information was collected. This includes internal disclosure when there is a business-related need to know. It also includes external disclosure if the information is given to Touchstone Institute’s third party service providers to assist Touchstone Institute and/or its clients in carrying out their business activities.
Disclosure Process Exceptions
There are specific situations in which exceptions to disclosure procedures are permitted:
- For the purposes of a business transaction between two or more organizations (e.g., joint venture or partnership), the parties to the transaction may collect, use or disclose employee information without the consent of the individual, under certain circumstances.
- Touchstone Institute may disclose personal information without the individual’s knowledge and consent only:
  - To a lawyer representing Touchstone Institute.
  - To collect a debt the individual owes to Touchstone Institute.
  - To comply with a subpoena, warrant or an order made by a court or other body with appropriate jurisdiction.
  - To a regulatory body or government institution that has requested the information, identified its lawful authority and indicates that disclosure is for the purpose of carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law, or suspects that the information relates to national security or the conduct of international affairs, or is for the purpose of administering a federal or provincial law.
  - In an emergency threatening an individual’s life, health or security. (Touchstone Institute must then inform the individual of the disclosure).
  - If it is publicly available.
  - If required by law.
All other disclosure process exceptions require the approval of Touchstone Institute’s Chief Privacy Officer.
Transmission
Transmission / Sharing of Personal and Personal Health Information
Touchstone Institute staff will demonstrate extreme care when transmitting personal and personal health information internally or externally to ensure that:
- The persons who have requested the information and those to whom Touchstone Institute staff are sending it have been authenticated; and
- The method of transmission (whether by telephone, mail, fax, electronically or otherwise) is appropriate to protect the confidentiality of the information in light of its sensitivity.
Retention
Retention and Disposal of Personal and Personal Health Information
The retention and disposal of personal and personal health information will comply with Touchstone Institute’s Records Management Policy. Personal and personal health information no longer required to fulfill the purposes for which it was collected will be destroyed, erased or made anonymous. Touchstone Institute will maintain a secure centralized filing system with appropriate access and retrieval controls for both employee and client information data. Care will be used in the disposal or destruction of personal and personal health information to prevent unauthorized parties from gaining access to the information. When disposal of hard copy information is authorized, shredding will be used to maintain confidentiality.
If mailed, the information will be enclosed in a securely sealed envelope and stamped “Private and Confidential”. In all instances, the name of the intended recipient must be clearly identified. Email flags will be used to denote personal or confidential information in email communications. Because of the ease with which email is transmitted, and issues relating to control over storage of multiple copies of email, the use of email to transmit personal and personal health information is discouraged where a reasonable alternative is available, except with the express consent of the individual.
Accuracy
Updating Personal and Personal Health Information
Personal and personal health information will be updated to fulfill the purpose for which it was collected. Touchstone Institute information management processes will minimize the possibility of using incorrect information when making decisions about the individual, or when disclosing information to third parties.
Protection
Protection of Personal and Personal Health Information
Touchstone Institute’s corporate and business practice standards specify operating procedures that protect electronically stored personal and personal health information. The physical security of such information will be managed through office security practices, records management practices and individual discretion, based on the sensitivity of the information. When developing safeguards for personal and personal health information, Touchstone Institute will consider loss, theft, alteration, unauthorized access, copying and use. If an incident occurs where personal or personal health information is inadvertently disclosed, lost, corrupted, or transmitted contrary to Touchstone Institute standards, Touchstone Institute staff will contact the Chief Privacy Officer immediately to report the incident and develop an appropriate remediation plan.
Service Providers
Third Party Service Providers
From time to time, Touchstone Institute may retain third party service providers to assist Touchstone Institute in administering its programs or conducting its business (e.g., service providers that keep records relating to our employee insurance and benefit plans). In some cases, to perform the services, Touchstone Institute must disclose personal and personal health information about its employees. Touchstone Institute staff entering into these contracts with third party service providers will ensure that:
- Use of the personal and personal health information by the third party service provider is limited to the purposes specified to exercise the contract;
- All use of the personal and personal health information will be in accordance with the Privacy Policy;
- The third party service provider refers any individuals looking for access to their personal and personal health information to Touchstone Institute;
- The third party service provider uses appropriate safeguards to protect the personal and personal health information;
- The personal and personal health information is destroyed or returned to Touchstone Institute upon termination or completion of the contract; and,
- Touchstone Institute has the right to audit the third party service provider’s compliance with the contract.
Transparency
Open and Transparent Practices
Touchstone Institute will inform clients, employees and other individuals about the Privacy Policy and its information management practices on Touchstone Institute’s website and intranet sites. Touchstone Institute will also publish the contact information for the Chief Privacy Officer.
Access
An Individual’s Access to Their Personal and Personal Health Information
Any individual has the right to request access to their information. Access to specified information is given by allowing an individual to view Touchstone Institute documentation, or by providing them with a reproduced copy of the information. Under no circumstances will documents that are the property of Touchstone Institute be given to the individual requesting access.
Requests for access may be made verbally or may be written. Documents or files provided to an individual will be reviewed to ensure that no personal or personal health information about another individual is disclosed. If so, that information must be masked, or made anonymous before the person making the request views the document. Personal or personal health information to which an individual has requested access cannot be removed or destroyed under any circumstances.
Touchstone Institute has the right to charge an individual a reasonable amount to recover the cost of producing and delivering documents requested by the individual. The Chief Privacy Officer in consultation with management will be responsible for assessing related costs based on compliance with Touchstone Institute’s policy and determining the reasonability of charging the individual. If Touchstone Institute plans to charge, the individual must be informed, and the individual must accept the charge before the documents are produced.
Access Process Exceptions
Access shall be subject to any prohibitions, exceptions or exemptions in applicable privacy laws. If access is denied, then the requesting individual shall be informed in writing of the reason for the denial. Touchstone Institute must refuse access to personal and personal health information that it has disclosed to a government institution for law enforcement or national security reasons. In some cases, the fact that such information was disclosed must also be withheld. The Chief Privacy Officer should be contacted if Touchstone Institute staff require direction on the refusal of access. It is also Touchstone Institute policy to refuse access, as permitted under applicable law, if:
- The information falls under solicitor/client privilege
- The information contains confidential commercial information
- Disclosure could harm an individual’s life, health or security
- It was collected to investigate a breach of an agreement or contravention of a law
- It was generated in the course of a formal dispute resolution process;
unless the Chief Privacy Officer specifically authorizes access to any of the foregoing.
Complaint Process
Individuals whose personal and personal health information has been collected, used, disclosed and/or disposed of by Touchstone Institute may make complaints about Touchstone Institute’s policies and practices relating to the handling of their personal and personal health information. A complaint may be made in writing to the Chief Operating Officer specifying the nature of the complaint. In the case of a complaint, the Chief Operating Officer will undertake an investigation. The Chief Operating Officer will provide a written response to the complainant outlining the results of the investigation and the actions, if any, taken or to be taken by Touchstone Institute in respect of the complaint. Appeals regarding a complaint decision will be escalated to the Chief Executive Officer. The Chief Executive Officer may seek consultation from legal experts or governmental authorities to inform the investigation process, seek advice and/or validate decisions. Touchstone Institute will not penalize, sanction or discriminate against any individual who has made a complaint or inquiry.
For more information please contact:
Chief Operating Officer
Touchstone Institute
145 Wellington Street West, Suite 600
Toronto, ON M5J 1H6