- Download the Part X guide
- Terms used in this guide
- Does Part X of the CYFSA apply to you?
- Collection, use, and disclosure of personal information
- Consent and capacity
- Elements of consent
- Consent may be implied in some cases
- Consent may be written or verbal
- Presumption of consent’s validity
- Conditional consent and withdrawal of consent
- Capacity to consent
- Substitute decision-makers
- Safeguarding and managing personal information
- Access to records of personal information
- Individual’s right of access
- Access exceptions
- Is the record dedicated primarily to the provision of service to the individual?
- How are access requests made?
- Service provider’s response to access requests
- Substitute decision-makers can request access
- Correction of records
- Offences and immunity
- The role of the Information and Privacy Commissioner
Service providers may also collect information indirectly. Sometimes they do so with consent.29 For example, a parent may consent to the service provider obtaining information from a specialist who has assessed their child. In this case, the provider would need the parent’s explicit consent for the indirect collection, and cannot rely on implied consent.
As a service provider, there may be times when you need to indirectly collect information, without consent. Part X permits you to do so only in the following situations:
First, you can indirectly collect information without consent if it is permitted or required by law.30 For example, when a children’s aid society receives a call from a teacher about a child who may be in need of protection, the society can collect this information from the teacher without consent. Receiving reports about children in need of protection is part of the society’s mandate under the CYFSA and is permitted by law.
Second, service providers may indirectly collect personal information without consent if:
- the information is reasonably necessary to provide a service or to assess, reduce or eliminate a risk of serious harm to a person or group and
- it is not possible to collect personal information directly that can reasonably be relied on as accurate and complete, or in a timely manner.31
A community service provider is working with a youth who is struggling in school. The service provider wants to speak directly with the teenager’s teacher to help understand his classroom challenges.
Speaking with the teacher to gather information would be an indirect collection of the teenager’s personal information. In this case, the information would be helpful – but not reasonably necessary – to provide services or reduce a risk of serious harm. The provider must therefore get the youth’s consent before speaking with his teacher.
Finally, children’s aid societies can collect personal information from one another (or from child welfare authorities outside Ontario) if the information is reasonably necessary to assess, reduce or eliminate a risk of harm to a child.32 A children’s aid society would not require consent in this situation.
In summary, service providers may only collect personal information with consent, or in situations where collection without consent is specifically permitted by Part X.33 Any other collection is unauthorized and contravenes the CYFSA. Providers must take reasonable steps to prevent unauthorized collection of personal information.34 These steps might include developing clear policies and procedures for collecting information, and regularly training staff.
This post is also available in: French