Safeguarding and managing personal information
Whether in paper, electronic or any other format, records of personal information must be safeguarded at all times.
As a service provider, you must take reasonable steps to protect personal information in your custody or control against theft, loss or unauthorized collection, use, disclosure, copying, modification or disposal.[83] There is no precise definition of a “reasonable step.” What is reasonable depends on the circumstances. It will change as you use new technologies, and as new threats or vulnerabilities emerge.
When determining how to protect personal information, you should assess the nature of the records, including:
- the sensitivity and amount of personal information in the record
- the number and nature of people with access to the information
- any threats and risks associated with the manner in which the information is kept
Based on this assessment, you should put in place measures to safeguard privacy. These measures should be regularly reviewed to ensure they continue to be reasonable. In many cases, reasonable measures will include the following safeguards:
|Administrative Safeguards|Technical Safeguards to Protect Electronic Data|
Under Ontario’s health privacy law, the IPC reviewed a privacy breach involving a hospital clerk who viewed hundreds of patients’ records without authorization. The hospital discovered the privacy breach during a proactive audit and reported it to the IPC.
In PHIPA Decision 64, the IPC reviewed and summarized the hospital’s privacy policies, confidentiality agreements, privacy warnings, staff training and auditing policies. The IPC concluded that although the employee’s use of information was unauthorized, in the circumstances of the breach and the hospital’s response to and investigation of it, the hospital had taken reasonable steps to protect the information.