Indirect collection

Service providers may also collect information indirectly. Sometimes they do so with consent.29 For example, a parent may consent to the service provider obtaining information from a specialist who has assessed their child. In this case, the provider would need the parent’s explicit consent for the indirect collection, and cannot rely on implied consent.

As a service provider, there may be times when you need to indirectly collect information, without consent. Part X permits you to do so only in the following situations:

First, you can indirectly collect information without consent if it is permitted or required by law.30 For example, when a children’s aid society receives a call from a teacher about a child who may be in need of protection, the society can collect this information from the teacher without consent. Receiving reports about children in need of protection is part of the society’s mandate under the CYFSA and is permitted by law.

Second, service providers may indirectly collect personal information without consent if:

  • the information is reasonably necessary to provide a service or to assess, reduce or eliminate a risk of serious harm to a person or group and
  • it is not possible to collect personal information directly that can reasonably be relied on as accurate and complete, or in a timely manner.31

A community service provider is working with a youth who is struggling in school. The service provider wants to speak directly with the teenager’s teacher to help understand his classroom challenges.

Speaking with the teacher to gather information would be an indirect collection of the teenager’s personal information. In this case, the information would be helpful – but not reasonably necessary – to provide services or reduce a risk of serious harm. The provider must therefore get the youth’s consent before speaking with his teacher.


Finally, children’s aid societies can collect personal information from one another (or from child welfare authorities outside Ontario) if the information is reasonably necessary to assess, reduce or eliminate a risk of harm to a child.32 A children’s aid society would not require consent in this situation.

In summary, service providers may only collect personal information with consent, or in situations where collection without consent is specifically permitted by Part X.33 Any other collection is unauthorized and contravenes the CYFSA. Providers must take reasonable steps to prevent unauthorized collection of personal information.34 These steps might include developing clear policies and procedures for collecting information, and regularly training staff.


29. CYFSA, s. 288(1)
30. CYFSA, s. 288(2)(e)
31. CYFSA, s. 288(2)(a)
32. CYFSA, s. 288(2)(b). Societies are also permitted to collect information from one another if necessary for prescribed purposes related to their functions (s. 288(2)(c)). However, no purposes are currently prescribed.
33. Service providers may also indirectly collect personal information if the indirect collection has been specifically authorized by the IPC. CYFSA, s. 288(2)(d).
34. CYFSA, s. 307
Help us improve our website. Was this page helpful?
When information is not found


  • You will not receive a direct reply. For further enquiries, please contact us at @email
  • Do not include any personal information, such as your name, social insurance number (SIN), home or business address, any case or files numbers or any personal health information.
  • For more information about this tool, please see our Privacy Policy.