Collection, use, and disclosure of personal information

You must have an individual’s consent to collect, use or disclose personal
information unless the CYFSA authorizes you to do so without consent.

Part X protects privacy by setting rules for how service providers collect, use and disclose personal information. In this section, we look at a few overarching rules for collection, use and disclosure, before focusing on each of these three activities in turn.

These rules apply when you are collecting personal information from any individual for the purpose of providing a service, or using or disclosing that information. If you are providing services to a child, for example, these rules apply to how you collect, use and disclose the personal information not only of the child, but also of other individuals who may be involved in the services, such as her parents.

As a service provider, you must have an individual’s consent to collect, use or disclose personal information unless the CYFSA authorizes you to do so without consent.23

Even when you have consent, there are three limits on when and how much personal information you can collect, use or disclose:24

  1. You must ensure, to the best of your knowledge, that the collection, use or disclosure is necessary for a lawful purpose. For example, even if a client gave consent for you to use their personal information “in any way you please,” you may only use it where necessary for a lawful purpose.
  2. You must only collect, use or disclose as much personal information as is reasonably necessary to provide a service. For example, even with consent it would not be appropriate to collect information about clients’ political affiliations, unless you somehow need this information to provide service.
  3. You must not collect, use or disclose personal information where non-personal information will serve the same purpose. For example, if you are applying for a grant and are asked to give evidence of successful client outcomes, you could provide de-identified or statistical information. In this case, there would be no need to disclose clients’ personal information in the application.

Note that these limitations do not apply to personal information that you are required by law to collect, use or disclose.

 

23. CYFSA, s. 286
24. CYFSA, ss. 286-287