- Download the Part X guide
- Terms used in this guide
- Does Part X of the CYFSA apply to you?
- Collection, use, and disclosure of personal information
Consent and capacity
- Elements of consent
- Consent may be implied in some cases
- Consent may be written or verbal
- Presumption of consent’s validity
- Conditional consent and withdrawal of consent
- Capacity to consent
- Substitute decision-makers
- Safeguarding and managing personal information
Access to records of personal information
- Individual’s right of access
- Access exceptions
- Is the record dedicated primarily to the provision of service to the individual?
- How are access requests made?
- Service provider’s response to access requests
- Substitute decision-makers can request access
- Correction of records
- Offences and immunity
- The role of the Information and Privacy Commissioner
Overview of the CYFSA
The CYFSA is an Ontario law that governs certain programs and services for children, youth, and families, including:
- child welfare
- residential care
- youth justice
- children’s mental health
- First Nations child and family services
- Inuit child and family services
- Métis child and family services
The paramount purpose of the CYFSA is to promote the best interests, protection and well-being of children.1 One of several additional purposes is to recognize that appropriate sharing of information to plan and provide services is essential for creating successful outcomes for children and families.
Children and youth receiving services under the CYFSA have certain rights, including the right to:
- express their views freely and safely about matters that affect them
- be consulted on the nature of the services provided and participate in decisions about services provided to them
- raise concerns or recommend changes to their services, and to receive a response, without interference or fear of coercion, discrimination or reprisal2
Part X of the CYFSA sets out rules for service providers regarding privacy and access to personal information. With limited exceptions, service providers must have consent to collect, use or disclose personal information. They must also take steps to safeguard this information and must notify people if there is a breach of their privacy. Service providers must give individuals access to their records of personal information on request, subject to limited exceptions, and must respond to requests for correction of inaccurate or incomplete records.