Program Recap: New Privacy Obligations under the Child, Youth and Family Services Act

  • 07 juillet 2020
  • Bridget McInnis, JD (Certificate in Aboriginal Legal Studies), MSW

On January 1, 2020, Part X of the Child, Youth, and Family Services Act (“CYFSA”) came into effect. Its provisions govern the collection, use, and disclosure of personal information by service providers and the Ministry of Community and Social Services (“the Ministry”). On June 25, the OBA convened a webinar panel of legal practitioners in the field of child and youth law to discuss the impact that Part X will have on service providers, and the challenges that are likely to arise throughout its implementation across the province. Chaired by Kimberley Ishmael (Keel Cottrelle LLP) and Jane Stewart (Justice for Children and Youth), the panel also included Samira Ahmed (Justice for Children and Youth), Michelle Manning (Information & Privacy Commission of Ontario), Kristina Reitmeier (Children’s Aid Society of Toronto), and Ian Ross (Office of the Children’s Lawyer).

Michelle Manning of the IPC began the discussion with an overview of the salient features of Part X and the role that the IPC plays in ensuring that service providers are in compliance with its provisions. She began by noting that Part X represents a marked departure from the current practices of many service providers. For instance, individuals have a right under Part X to access the entirety of their records containing personal information, as long as the records relate to the provision of a service. Previous common practice of service providers involved redacting information in records that did not directly relate to the individual requesting access. Further, individuals have a right to request that information contained in their records be corrected. These two provisions point to the ideological shift from paternalism to individualism that underlines Part X – records of personal information belong to the individual, not to the service providers who create them.

Michelle also outlined how the collection, use, and disclosure of information can be done either with or without consent, depending on the circumstances. Whether personal information is collected, used, or disclosed with or without consent, there are identical “data minimization” requirements. Some examples of these requirements include the following: service providers must be fulfilling a legitimate purpose when dealing with personal information; service providers should only collect as much personal information as is necessary in the circumstances; and service providers should not disclose personal information in circumstances where non-personal information would serve the same purpose.