- Download the Part X guide
- Terms used in this guide
- Does Part X of the CYFSA apply to you?
- Collection, use, and disclosure of personal information
- Consent and capacity
- Elements of consent
- Consent may be implied in some cases
- Consent may be written or verbal
- Presumption of consent’s validity
- Conditional consent and withdrawal of consent
- Capacity to consent
- Substitute decision-makers
- Safeguarding and managing personal information
- Access to records of personal information
- Individual’s right of access
- Access exceptions
- Is the record dedicated primarily to the provision of service to the individual?
- How are access requests made?
- Service provider’s response to access requests
- Substitute decision-makers can request access
- Correction of records
- Offences and immunity
- The role of the Information and Privacy Commissioner
b) What is “custody or control”?
Part X applies to records held by a service provider. More specifically, it applies to records “in the custody or under the control” of a service provider.
“Custody” and “control” are not defined in the CYFSA and must be determined on a case-by-case basis. Part X applies to records that are either in the custody or under the control of the service provider. It doesn’t have to be both.
- Custody: You usually have custody of a record if it’s in your possession — in your electronic database or paper files, for example. However, simply possessing the record is not enough to determine the question of custody. To have custody of a record, you must also have some right to deal with the record and some responsibility for its care and protection.13 For example, your employee’s personal journal, unrelated to work, would not be in your custody even if it is stored at their work station.
- Control: Even if a record is not in your possession, it could potentially be under your control. For example, if you have authority to manage a record related to your mandate and function and you rely on it for business purposes, it may be under your control regardless of whether you physically possess it. A record held by your consultant, for example, could be in your control in some circumstances.
The IPC and the courts have reviewed complaints and appeals under other privacy legislation involving this matter14 and have tended to take a broad and liberal approach to determining whether a record is in an organization’s custody or control. The IPC has developed a list of factors to consider in determining whether a record is in the custody or control of an institution, including:
- Did an officer or employee of the institution create the record?
- Does the content of the record relate to the institution’s mandate and functions?
- Does the institution have a right to possession of the record?
- Does the institution have the authority to regulate the record’s content, use and disposal?
It is possible to have custody or control of a record that was not created by your organization. For example, if a child is referred to you by another service provider and you maintain and rely on the referral records to provide services to the child, the referral records would likely be in your custody or control even though they were authored by the other provider.
It is also possible for a record (or a copy of a record) to be in the custody or control of more than one service provider. For example, if two providers are authorized to share certain records relating to a child they are both serving, it is possible for both providers to have custody or control of the records.
If you are unsure whether you have custody or control of a record after considering these factors, you may want to seek legal advice.
This post is also available in: French