The Child, Youth and Family Services Act, 2017 (CYFSA) came into force in 2018, aimed at putting children and youth at the centre of decision-making, supporting more accountable, responsive and accessible child, youth and family services, and strengthening oversight for children’s aid societies (CAS). The new legislation recognizes that in order to provide consistent and high-quality services essential to the well-being of children and families, an appropriate sharing of information is required. The regulation of this sharing of information, among other privacy obligations, is set out in Part X of the CYFSA, which came into force January 1, 2020.
Part X provides a legislative framework detailing the privacy obligations for Ontario’s child and youth sector. This legislative framework establishes new rules for the collection, use, and disclosure of, and access to, personal information controlled by service providers that are funded and licensed by Ontario’s Ministry of Children, Community and Social Services (the “Ministry”). Part X was intended to fill in the “legislative gap” in the child and youth sector regarding the personal information of children and youth, by establishing a consistent and integrated privacy regime. Broadly speaking, Part X details privacy rights for children, youth and families who are clients of CAS and other service providers, as well as obligations for service providers, while outlining the authority under which the Ministry can use personal information for research and service planning. It also establishes a system of oversight of service providers’ implementation and execution of these rights and obligations by the Information and Privacy Commissioner of Ontario (the “IPC”).
From the perspective of service providers in particular, Part X establishes clear rules for collecting, using and sharing clients’ personal information. With limited exceptions, service providers must have consent to collect, use or disclose personal information. These exceptions include circumstances where an investigation or potential investigation by a law enforcement agency requires disclosure, or if there is a formal request for information through a summons or similar legal request. Further, there are requirements to protect clients’ privacy and to improve transparency and accountability. For example, service providers must promptly respond to clients’ requests to access or correct their personal information, and must notify affected individuals if a breach of personal information has occurred.
In the health context, although Part X applies generally to all service providers in the child and youth sector, there are some organizations that are exempt from the provisions of Part X, namely those that are already addressed within the Personal Health Information Protection Act (PHIPA). In particular, health information custodians (“HICs”) under PHIPA are exempt from most of Part X when collecting, using or disclosing personal health information, as HICs’ collection, use and disclosure of personal health information (“PHI”) is governed by PHIPA. However, a HIC who collects, uses and discloses personal information that is not personal health information must comply with the provisions of Part X with respect to that information. The only sections of Part X which always apply, regardless of the relevant information, are those relating to: the Minister’s powers to collect, use and disclose personal information; disclosure for planning and managing services; and records of mental disorders.
Part X of the CYFSA provides children, youth, and families in Ontario with stronger legal protections regarding the collection, use, and disclosure of their personal information. While the CYFSA’s confidentiality provisions relating to hearings and orders prevail over its privacy provisions, these provisions establish a much more transparent privacy protection environment than which previously existed in the child and youth sector. In furtherance of this goal, the IPC is granted a broader mandate to oversee and facilitate the appropriate sharing of personal information. As health care providers had to do with the enactment of PHIPA in 2004, service providers will have to adopt to a new regulatory regime – one that requires not only confidentiality (a longstanding obligation) but a requirement to obtain consent to collect, use or disclose personal information, a commitment to transparency, and demands accountability in all aspects of information handling. Service providers now have a legal – in addition to professional – obligation to adhere to privacy principles and to help clients to exercise their rights under Part X. While there are sure to be challenges ahead (not to mention complaints and actions), the implementation of Part X will bring much needed strengthening of safeguards of personal information and a more robust system of information sharing in the child and youth sector.
For more information regarding how the new legislation may impact you or your organization, please do not hesitate to contact us.
Posted in: Blog