Use of personal information

Once you have collected personal information for the purpose of providing a service, Part X governs the ways you may use this information.

There is no definition of “use” in Part X. Generally, using personal information means viewing or dealing with the information in a manner that does not include disclosing it. For example, when a social worker prepares for a meeting with a family by reviewing their team’s case notes from a previous meeting with the family, they are “using” the information in the case notes.

When you use personal information, you must take reasonable steps to ensure it is as accurate, complete and up-to-date as necessary for the purposes for which it is used.35 You must exercise judgment about how accurate the information needs to be. For example, personal information used to deliver certain services may in some cases require a higher degree of accuracy than information used solely for administrative purposes.

Service providers can use information with the consent of the individual (provided that, to the best of the service provider’s knowledge, the use is necessary for a lawful purpose).36 Service providers can also use personal information without consent if certain conditions are met.

As a service provider, you can use personal information without consent for the purpose it was collected or created. You can also use it for all the functions reasonably necessary for carrying out that purpose, including providing the information to an officer, employee, consultant or agent of your organization.

 

A group home requests that all staff arriving to their shift review the log written by their coworkers from the previous shift. The purpose of the log is to improve continuity between shifts and ensure staff are aware of any important issues.

When staff members arrive at work and review the log, they are “using” the information. This use is necessary for ensuring continuity of services, which is the purpose of maintaining the log.

 

In some cases, an individual may instruct you not to use their information.37 For example, a parent may consent to their information being used for a single point-in-time service, but not for any other purpose. The service provider is responsible for complying with the individual’s instruction. However, there are exceptions:38

  • Even if an individual has explicitly instructed otherwise, you can still use the information if reasonably necessary to assess, reduce or eliminate a risk of serious harm to any person or group.
  • If you are a children’s aid society, you can also use the information if reasonably necessary to assess, reduce or eliminate a risk of harm to a child.39

You may also use personal information, without consent, for the following purposes:40

  • where permitted or required by law
  • for planning, managing and delivering services that you provide or fund (including resource allocation, evaluation, monitoring and preventing fraud)
  • for risk and error management, or quality assurance
  • to seek consent (in this case you must use only their name and contact information)
  • to dispose of or de-identify the information
  • for research conducted by a service provider, subject to certain requirements41
  • for a proceeding (or contemplated proceeding) where the service provider is or is expected to be a party or witness and the information relates to a matter at issue
  • if you believe on reasonable grounds that the use is reasonably necessary to assess, reduce or eliminate a risk of serious harm to a person or group

In summary, if you collect personal information to provide a service, you can only use it for that purpose or for one of the additional purposes set out in Part X or with the individual’s consent. Any other use of the information is not authorized and contravenes the CYFSA.

An example of an unauthorized use of information is snooping. Employees reading records for reasons not related to the performance of their duties, such as curiosity or financial gain, is an unauthorized use of information not permitted under Part X.42

An employee is searching through the service provider’s case management system and notices an intake record under a familiar name. Although the record is not relevant to their job, the employee is curious and reads the record to confirm that it involves one of their neighbours.

This represents an unauthorized use of the neighbour’s personal information and is not allowed under Part X.

 

35. CYFSA, s. 306(1)
36. CYFSA, s. 286
37. An express instruction can be made where the information was collected with the consent of the individual; or the information was collected under clause 288(2)(a) of the CYFSA.
38. CYFSA, s. 291(2)
39. CYFSA, s. 291(2)(a)(i). Societies can also use the information for a “prescribed purpose” related to their functions. However, no purposes are currently prescribed.
40. See CYFSA, s. 291.
41. Part X regulation contains many requirements related to using information for research, including the need to have a research plan approved by a research ethics board. This guide does not provide detail on research-related requirements. See section 5 of Regulation 191/18 under the CYFSA for further information.
42. Guidance about how to detect and deter snooping is available on the IPC’s website.
