The Child Youth Family Services Act (CYFSA) is an Ontario law that governs certain programs and services for children, youth, and families. The CYFSA is divided into parts and Part X sets the rules that service providers must follow to protect your privacy and controls who is able to access your personal information. This law came into effect on Jan 1, 2020.
Why is Part X important?
Prior to the enactment of Part X, the law regarding your personal information and privacy rights when you received services from organizations under the CYFSA was unclear.
Part X creates new rules that service providers must follow to protect your privacy.
What information does Part X apply to?
Part X applies to “personal information” collected to provide a service to a child or youth.
Personal information means “recorded information about an identifiable individual.” It does not apply to records that contain no personal information.
Information is about an “identifiable individual” if:
- it is about the individual in a personal capacity, and
- the individual can be identified from the information (either alone or by combining it with other information)
This includes information you may give a service provider verbally. It also doesn’t matter when the record was created; even if your information was recorded many years ago, you have a right to access your record and they must protect it against privacy breaches.
What does “collected for” or “relating to” the provision of a service mean?
For Part X to apply, the personal information must be “collected for or related to the provision of a service” that is provided or funded under the CYFSA and includes services related to:
- child protection / Children’s Aid Societies
- residential care
- community support and prevention
- physical or mental disabilities
- mental health
- services or programs under the Youth Criminal Justice Act or Provincial Offences Act
What are my Rights under Part X?
- The right to request access and correction to your records of personal information,
- More control over how your personal information is shared among service providers, with the ability for you to provide consent based on capacity, not age,
- The right to a complaints process and an independent review mechanism related to the collection, use and sharing of personal information, and
- More transparency in how your personal information is handled by service providers.
What are the consent requirements?
If your personal information is collected to provide a service, it can only be used for that purpose or for one of the additional purposes set out in Part X or with your consent. Any other use of the information is not allowed.
When your personal information is being shared (“disclosed”), your consent is needed unless Part X permits the disclosure without your consent. Your consent must be written or verbal, but verbal consent is only valid if a written record is made.
When can information be shared without my consent?
There are some situations where your information can be shared without your consent. For example: there is a reasonable suspicion that you or another child may be in need of protection; risk of serious harm to a person or group; or under an investigation by the police.
Can I access my records?
Yes, you have a right to access your information at any age. There are some exceptions.
You have a right to all information in the service provider’s custody or control, regardless of where the information came from. The right of includes records that were not created by that service provider but was provided to them.
Service providers must respond to your access request within 30 calendar days and they are not allowed to charge fees.
What are the exceptions to my right of access?
Some exceptions include a legal privilege restricting your access; another law or a court order that prohibits it being shared with you; or the information was collected or created primarily in anticipation of or for use in a legal proceeding which has not ended.
You also do not have a right to access if giving you access could reasonably be expected to:
- result in a risk of serious harm to any individual,
- lead to the identification of an individual who was required by law to provide information in the record to the service provider, or
- lead to the identification of an individual who provided the information either explicitly or implicitly in confidence – if the service provider considers it appropriate to keep their identity confidential.
If there is some information in the record that can be shared, then they must do so. Either in part or with some parts covered up.
What if there are mistakes in my records?
You have the right to ask for corrections. Service providers must respond to your request for changes within 30 calendar days and are not permitted to charge fees.
What can I do if my records have been shared without my consent?
You can file a complaint, in writing, to the independent Office of the Information and Privacy Commissioner (IPC). The IPC provides oversight of Ontario’s access and privacy laws.
Any person may file a complaint with the IPC about another person who has or is about to contravene Part X. This could include complaints about:
- refusal of an access or correction request, or failure to respond,
- privacy breaches, or
- failure to comply with any Part X requirement.
In response to complaints, or on its own initiative, the IPC may choose to conduct a review of any matter involving a possible rights violation under Part X. Where possible, the IPC promotes informal and early resolution of complaints, and often does this through mediation.
Is there a deadline to file complaints?
Yes, complaints about access and correction decisions must be filed within six months after the service provider refused the request (or failed to respond).
All other complaints must be filed within one year after the subject of the complaint first came or should have come to the complainant’s attention.