- Download the Part X guide
- Terms used in this guide
- Does Part X of the CYFSA apply to you?
- Collection, use, and disclosure of personal information
- Consent and capacity
- Elements of consent
- Consent may be implied in some cases
- Consent may be written or verbal
- Presumption of consent’s validity
- Conditional consent and withdrawal of consent
- Capacity to consent
- Substitute decision-makers
- Safeguarding and managing personal information
- Access to records of personal information
- Individual’s right of access
- Access exceptions
- Is the record dedicated primarily to the provision of service to the individual?
- How are access requests made?
- Service provider’s response to access requests
- Substitute decision-makers can request access
- Correction of records
- Offences and immunity
- The role of the Information and Privacy Commissioner
Collection, use, and disclosure of personal information
You must have an individual’s consent to collect, use or disclose personal
Part X protects privacy by setting rules for how service providers collect, use and disclose personal information. In this section, we look at a few overarching rules for collection, use and disclosure, before focusing on each of these three activities in turn.
These rules apply when you are collecting personal information from any individual for the purpose of providing a service, or using or disclosing that information. If you are providing services to a child, for example, these rules apply to how you collect, use and disclose the personal information not only of the child, but also of other individuals who may be involved in the services, such as her parents.
Even when you have consent, there are three limits on when and how much personal information you can collect, use or disclose:24
- You must ensure, to the best of your knowledge, that the collection, use or disclosure is necessary for a lawful purpose. For example, even if a client gave consent for you to use their personal information “in any way you please,” you may only use it where necessary for a lawful purpose.
- You must only collect, use or disclose as much personal information as is reasonably necessary to provide a service. For example, even with consent it would not be appropriate to collect information about clients’ political affiliations, unless you somehow need this information to provide service.
- You must not collect, use or disclose personal information where non-personal information will serve the same purpose. For example, if you are applying for a grant and are asked to give evidence of successful client outcomes, you could provide de-identified or statistical information. In this case, there would be no need to disclose clients’ personal information in the application.
Note that these limitations do not apply to personal information that you are required by law to collect, use or disclose.
This post is also available in: French