This privacy and information access policy informs users of the types of personal information the CMRAO collects in order to fulfill its statutory responsibilities.

The CMRAO has developed this policy to reflect its core values of transparency and working in the best interest of the public, giving equal regard to compliance with privacy legislation and to the protection of personal information.


Personal information: Any information about an identifiable individual that is recorded in any form. This does not include the name, title, contact information or designation of an individual that identifies the individual in a business, professional or official capacity.

Record: Any information created, received, and maintained as evidence and information, whether in printed form, film, by electronic means or otherwise in the custody and control of the CMRAO for administration of the Condominium Management Services Act, 2015.



The Condominium Management Regulatory Authority of Ontario (CMRAO) has designated an Access and Privacy Officer to be responsible for key components of this policy, including oversight of, and responsibility for, the following on behalf of the CMRAO:

  • protecting personal information
  • responding to privacy inquiries or complaints
  • responding to information access requests

Identifying Purpose and Use

The CMRAO collects certain personal information to respond to queries from the public, and to better understand how its services are serving the condominium community.

For example, the CMRAO uses Google Analytics on its web server to collect basic demographic information (e.g. age, gender, geographic location), as well as technical information from user devices or machines (e.g. user IP address, browser types, operating systems).

This information is needed to improve online system functionality and may be used to better understand which condominium communities in Ontario have the greatest needs. For information on how to opt out, please visit: How Google uses data when you use our partners' sites or apps.

The CMRAO collects information regarding the parties to an application filed through its online licensing system.

See Disclosure and Retention Principle below.


The CMRAO will collect personal information only with direct consent from the person to whom it relates, and not from a third party.

In certain circumstances, the CMRAO may disclose information to a third party without the consent of the individual, for example to respond to an emergency or if there is a legal requirement to do so.

Disclosure and Retention

At the time of collection, the CMRAO will notify users about the collection of their personal information and why it is needed.

CMRAO staff can view and download any documents provided to the organization. There is no obligation that any party return documents they have received through the CMRAO's licensing system.

The CMRAO can retain indefinitely, and take appropriate action around, any communication or documents that the CMRAO finds to be: abusive, threatening or in relation to a criminal act, or alluding to a future criminal act.

From time to time, the CMRAO may transfer personal information to third parties acting for or on its behalf. Examples include supporting application processing activities such as CMRAO service delivery, or evaluating the usefulness of CMRAO’s website. The CMRAO will only provide such access if the third party can demonstrate that it has information protection controls comparable to those of the CMRAO. See Safeguards Principle below.

The CMRAO will eventually develop a records retention policy, and accompanying retention schedule, to address the requirements for disposing of information that has served its business purpose.

Information Access

The CMRAO is open about its information management practices, and will strive to respond to any request for information in a manner that is permitted by law and in the public’s best interest.


The CMRAO has implemented policies and procedures to maintain the accuracy and integrity of the data contained within its online systems.

An individual who disagrees with the accuracy of their personal information on file with the CMRAO has the right to challenge its accuracy and request that the CMRAO update the file.

The CMRAO will strive to respond to all information access requests within 30 days.


The CMRAO has implemented privacy and information security controls to protect personal information from unauthorized access, disclosure, copying, and modification. Examples include:

  • encrypting all systems containing personal information
  • shredding paper documents
  • granting access to those whose duties reasonably require such information

Challenging compliance

Individuals not satisfied with the CMRAO’s response may ask the CMRAO to review the decision. That request must be in writing, addressed to the Access and Privacy Officer and describe what should be reviewed. Within 30 days, the CMRAO will respond with a final decision or a date when a final decision will be rendered.

Review of this policy

Senior officers or the CMRAO Board of Directors will review this policy annually to ensure that it continues to serve its intended purpose.