Are You Ready for the New Privacy Scheme under the Child, Youth and Family Services Act, 2017?
Date: September 24, 2019
The new Child, Youth and Family Services Act, 2017 (Act) which largely came into force on April 30, 2018 constituted a significant overhaul of the legislative and regulatory framework for children’s services.
One of the key changes is the introduction of a detailed legislative privacy scheme to regulate the handling of personal information of individuals receiving or participating in the provision of services governed by the Act. These provisions are due to come into force on January 1, 2020.
Learn more in this edition of Reaching Out.
Overview of Changes Relating to Privacy
The provisions set out new rules as to when personal information can be collected, used and disclosed, with or without consent of an individual or their substitute decision-maker, including disclosures without consent between Children’s Aid Societies. There are also express provisions for the disclosure of personal information to the Ministry of Children and Youth Services to permit it to exercise its oversight functions. The legislation is modelled on provisions in the Personal Health Information and Protection Act, 2004.
Collection, Use and Disclosure of Personal Information
The Act creates specific rules as to when clients’ personal information can be collected, used and shared. Specifically, with the exception of personal information that is required to be collected, used or disclosed by law, the collection, use and disclosure of an individual’s personal information from the person to whom the information pertains will only be permitted if:
- consent is provided
- the collection, use or disclosure is necessary for a lawful purpose
- other information is not available that will serve the purpose of that collection, use or disclosure; and
- the collection, use or disclosure is limited to what is reasonably necessary
There are some exceptions to the rules surrounding collection. Service providers may collect personal information without consent if it is reasonably necessary for the provision of a service and obtaining consent is not reasonably possible or, if collection is reasonably necessary to assess, reduce or eliminate the risk of serious harm to a person or a group of persons.
Exceptions to the Requirement for Consent
The Act also sets out certain exceptions to the requirement of consent when personal information is shared or disclosed. Personal information may be disclosed without consent in the following circumstances:
- to law enforcement to aid an investigation
- to a proposed litigation guardian
- for the purposes of contacting a relative or potential substitute decision-maker if the individual is injured, incapacitated, otherwise not capable or deceased
- if it is necessary to assess, reduce or eliminate risk of serious harm to a person or group of persons; or
- to another Children’s Aid Society or child welfare authority.
Collection of Personal Information from a Third Party
The Act outlines rules regarding the collection of an individual’s personal information from a source that is not the person to whom the information pertains. Indirect collection of personal information is permitted if the individual to whom the information relates consents. In the absence of consent, indirect collection is permitted where:
- the collection is necessary to assess, reduce or eliminate a risk of serious harm to a person or a group of persons and it is not reasonably possible to collect the information directly from the individual to whom it relates
- the collection is by a Children’s Aid Society from another Children’s Aid Society or a child welfare agency outside Ontario and the information is reasonably necessary to assess, reduce or eliminate a risk of harm to a child
- it is authorized by the Information and Privacy Commissioner, or
- it is required by law.
Right to Access Personal Information
The new provisions of the Act will provide clients with the right to request access to their records of personal information in addition to the right to request that their information be corrected.
There are additional requirements in the Act regarding the protection of clients’ personal information and the need to ensure that information is accurate and up-to-date. This includes an obligation to ensure that personal information is protected against theft, loss and unauthorized access. Further, in the event that personal information is stolen, lost, used or disclosed without authority, service providers are obligated to notify the affected individual at the first reasonable opportunity. In certain circumstances, the Information and Privacy Commissioner and the Minister of Children and Youth Services will also need to be notified.
The Act creates a complaint procedure whereby any individual who has reasonable grounds to believe that the Act has been contravened may make a complaint to the Information and Privacy Commissioner. Additionally, the Commissioner has the authority to conduct a review of any matter, even in the absence of a formal complaint.
The complaint procedure provides the Commissioner with broad inspection powers, including the right to access premises to inspect books, records or other documents relating to complaint. After assessing any complaint, the Commissioner may make orders regarding the collection, use, disclosure or disposal of personal information. Service providers have a right to appeal orders made by the Commissioner. However, once an order has become final as a result of there being no further right of a appeal, individuals may commence proceedings in the Superior Court of Justice for damages for actual harm suffered as a result of any contravention of the Act.
The new legislative privacy scheme regulating the handling of personal information reflects a move towards greater oversight by the Ministry of Children and Youth Services and a greater emphasis on accountability within the sector. As such, service providers should be in the process of auditing their current compliance protocols and accountability safeguards to ensure that they are prepared to comply with the provisions of the Act that will come into force on January 1, 2020.
Hicks Morley is uniquely situated to assist you in the development of policies and protocols in relation to these new privacy initiatives. Please contact any member of our Information, Data Security & Privacy group for more information.
The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©