- Download the Part X guide
- Terms used in this guide
- Does Part X of the CYFSA apply to you?
- Collection, use, and disclosure of personal information
Consent and capacity
- Elements of consent
- Consent may be implied in some cases
- Consent may be written or verbal
- Presumption of consent’s validity
- Conditional consent and withdrawal of consent
- Capacity to consent
- Substitute decision-makers
- Safeguarding and managing personal information
Access to records of personal information
- Individual’s right of access
- Access exceptions
- Is the record dedicated primarily to the provision of service to the individual?
- How are access requests made?
- Service provider’s response to access requests
- Substitute decision-makers can request access
- Correction of records
- Offences and immunity
- The role of the Information and Privacy Commissioner
There are a few exceptions to the right of access. Individuals do not have a right to access their record of personal information if:
- it is subject to a legal privilege restricting its disclosure to the individual
- another act or a court order prohibits its disclosure to the individual or
- the information was collected or created primarily in anticipation of or for use in a legal proceeding which has not concluded
Additionally, individuals do not have a right to access their record of personal information if granting access could reasonably be expected to:
- result in a risk of serious harm to any individual94
- lead to the identification of an individual who was required by law to provide information in the record to the service provider or
- lead to the identification of an individual who provided the information either explicitly or implicitly in confidence — if the service provider considers it appropriate to keep their identity confidential
If one of these exceptions applies, the individual does not have a right of access to that information in the record. However, you would still be required to grant access to the remainder of the record of personal information if you can sever or redact the information to which the exception applies.95
A children’s aid society receives an access request from a youth looking for records related to a society investigation.
The society reviews the records and finds information about a neighbour who made the initial call to the society to report that the family’s children may be in need of protection, as required by the “duty to report.”
Before releasing records to the youth, the children’s aid society removes or redacts any information which could lead to the identification of the neighbour, who was required by law to provide this information to the society.
In addition to these exceptions, Part X also allows service providers to refuse access if a request is frivolous or vexatious or made in bad faith.96 The IPC has found, under other privacy legislation, that a request is frivolous or vexatious if it is:
- part of a pattern of conduct (for example, an excessive number of access requests by the same person) that amounts to an abuse of the right of access or interferes with the operations of the institution or
- made for a purpose other than to obtain access (such as to annoy or harass the institution or to purposefully burden the system)
There is a high threshold for deciding that a request is frivolous or vexatious. Refusing an access or correction request on these grounds is not a routine matter and should not be undertaken lightly.