- Download the Part X guide
- Terms used in this guide
- Does Part X of the CYFSA apply to you?
- Collection, use, and disclosure of personal information
- Consent and capacity
- Elements of consent
- Consent may be implied in some cases
- Consent may be written or verbal
- Presumption of consent’s validity
- Conditional consent and withdrawal of consent
- Capacity to consent
- Substitute decision-makers
- Safeguarding and managing personal information
- Access to records of personal information
- Individual’s right of access
- Access exceptions
- Is the record dedicated primarily to the provision of service to the individual?
- How are access requests made?
- Service provider’s response to access requests
- Substitute decision-makers can request access
- Correction of records
- Offences and immunity
- The role of the Information and Privacy Commissioner
Public statement about information practices
You must make a written statement about your information practices available to the public.
You must make a written statement about your information practices available to the public. This could be included on your website or on posters or brochures in your workplace.91
Your public statement must include an easy-to-understand description of:
- your information practices (This means your policies for collection, use, modification, disclosure, retention and disposal of personal information, as well as the safeguards you have in place to protect the information92)
- how an individual may obtain access to or request correction of a record of personal information held by your organization
- how to contact your organization
- how to make a complaint to your organization and to the IPC
It is good practice to write clear, concise statements describing the information practices of your organization, taking care to avoid technical and legal language. You can consider providing additional details through a separate document. For example, a poster in your waiting room could provide a high-level statement about your information practices, which directs readers seeking more detail to a brochure or website.
If you use or disclose personal information outside the scope of your publicly stated information practices, and without consent, you are required to inform the individual at the first reasonable opportunity. You are also required to make a note about the use or disclosure and attach it to the individual’s record.93 This might apply, for example, if you use personal information for research after stating in your description of information practice that you will only use personal information for direct service delivery.
This post is also available in: French