Main menu

Your privacy is paramount

By: Ashley McKiver, Manager, Compliance and Operational Services

At CaRMS, the stewardship of your personal information is a responsibility we take seriously. CaRMS’ core service is matching applicants to postgraduate residency training positions across the country. This involves the collection of a great deal of applicants’ personal information for the purposes of building an application. It is our responsibility to keep this sensitive information safe and ensure it is disclosed appropriately based on express applicant consent.

The inherent privacy of the information CaRMS collects is not something we take lightly. By entering into a CaRMS match, applicants are placing their trust in us. They are counting on us to run an application and matching service that is fair, objective and transparent—and to run it in a way that safeguards their personal information. For that reason, we do our best to be open and transparent to ensure our users are well-informed about our policies surrounding the collection, use, disclosure and retention of their sensitive personal information.

We are proud of the protocols we have in place to ensure we meet our clients’ expectations and mitigate risks. But what exactly do our privacy protocols entail?

CaRMS has a comprehensive privacy policy, user-based contracts, user-specific consent acknowledgments, tiered user access and staff training programs. We also employ a certified information privacy professional to oversee all aspects of our privacy policies and protocols.


CaRMS’ privacy policies and operational practices were developed based on the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information (CAN/CSA-Q830-96) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Although we are not a commercial enterprise, CaRMS follows PIPEDA legislation because we consider it best practice and a due diligence we owe to our clients.

Contracts and consent

Each of our clients who provides, receives or utilizes the personal information collected through CaRMS Online enters into a contract with us. These CaRMS contracts stipulate parameters for the use of personal information and outline relevant security and privacy standards.

We never assume consent to use your data. Our application platform routinely collects express user consent at several stages of the match process as a way to reinforce the importance of privacy to our entire user community.

Limited access

Employees of CaRMS often require access to our clients’ personal information in order to resolve issues and carry out day-to-day operational activities. For this reason we have implemented a number of procedures to ensure the ongoing protection of personal information by tracking and limiting access. For example, staff cannot view social insurance numbers within our system, nor can they see or reset user passwords. We also employ a tiered access model, providing system access on an as-needed basis.

All CaRMS staff also undergo privacy training. Our customer service agents are trained to verify users when they receive calls for specific user help, and users are required to input security questions when accessing our online system. These are just a few ways in which we are prioritizing user privacy and security.

Privacy Impact Assessment

Privacy Impact Assessments (PIAs) are one of the tools CaRMS has introduced to prioritize privacy considerations across the entire organization.

PIAs are done at the outset of any project that will involve the handling of personal information. These systematic assessments tell the full story of a project from a privacy perspective. An integral part of our project planning process, these assessments go beyond compliance to consider the broader privacy implications and risks, including whether the planned uses of personal information in a project will be acceptable and ethical. They also set out recommendations for managing, minimizing or eliminating any potential risks identified. Quite simply, PIAs act as an early warning system by enabling us to spot a privacy problem before it occurs.

Proactive updates

CaRMS routinely revisits our policies in order to ensure they reflect ongoing updates to privacy legislation and the residency application process.

One of the ways we keep on top of emerging privacy-related issues is through our privacy committee, which comprises external stakeholders and sister organizations within the medical education community. The committee meets once a year to benchmark our policies and processes in comparison to other organizations.

We are committed to upholding the highest standards for accountability, accuracy, fairness and transparency in all of our services. Our comprehensive privacy policies are one of the ways we are contributing to the excellence of a world-class medical education system.

You can learn more about privacy and CaRMS here.