Child, Youth and Family Services Act, 2017 Draft Privacy Regulations Posted

Published on

January 31, 2018

Jan 2018 Charity & NFP Law Update

As reported in the August 2017 Charity & NFP Law Update, Bill 89, Supporting Children, Youth and Families Act, 2017, which contains the Child, Youth and Family Services Act, 2017 (“CYFSA”) in Schedule 1, received Royal Assent on June 1, 2017. Part X of CYFSA establishes a new consent-based regime for the collection, use and disclosure of clients’ personal information by child, youth and family service providers. Although CYFSA is not expected to come into force until the spring of 2018 at the earliest, on December 4, 2017 the Ministry of Children and Youth Services (the “Ministry”) released a set of draft regulations under CYFSA concerning personal information (the “Draft Regulations”), which were open for comment until January 26, 2018.

The Draft Regulations address a number of matters that CYFSA had left to be prescribed by regulation and create a number of new obligations that will have to be satisfied by entities that meet the definition of “service provider” under CYFSA, including charities and not-for-profits. The definition of “service provider” under CYFSA includes the Minister of Children and Youth Services (the “Minister”), holders of adoption or residential licenses under CYFSA and persons or entities that provide a service funded under the Act (“Service Providers”). Some of the requirements set out in the Draft Regulations will require Service Providers to change or improve their day-to-day practices and to gather statistical information concerning their privacy practices and procedures.

Section 8 of the Draft Regulations provides details of what information Service Providers will be required to provide to clients whose privacy has been breached pursuant to section 308(2) of CYFSA, including plain language descriptions of what occurred and the steps taken by the Service Provider to mitigate the breach and prevent future losses. Section 9 of the Draft Regulations sets out the circumstances in which Service Providers must notify the Minister and the Ontario Information and Privacy Commissioner (the “Commissioner”) of a breach pursuant to s. 308(3) of CYFSA. These circumstances include the use or disclosure of personal information without authority, theft of personal information and significant breaches such as those involving highly sensitive personal information or large volumes of personal information.

Section 10 of the Draft Regulations sets out the details of the requirements for the secure retention, transfer and disposal of records of clients’ personal information (pursuant to s. 309(1)(b) of CYFSA). Service Providers must take reasonable steps to protect records containing clients’ personal information from theft, loss, or unauthorized use or disclosure, to ensure that the personal information in a record cannot be reconstructed or retrieved (this requirement would require Service Providers to, for example, permanently wipe or physically destroy hard drives and flash drives and not just erase them or delete files) and to document that a record has been disposed of in a manner that does not actually document any of the personal information it contained. Section 10 also requires Service Providers to put in place and comply with a detailed records retention policy and prohibits Service Providers from transferring a record containing a client’s personal information to a new Service Provider unless the new Service Provider has a records retention policy in place for the type of record being transferred.

Section 11 of the Draft Regulations will now require Service Providers to gather and file annually with the Commissioner specific data such as the number of requests received for access to or correction of records in the previous year, the number of times it granted or refused such request and within which time frames, and details concerning the number and type of privacy breaches (losses, thefts, unauthorized uses and disclosures and so on) that occurred in that year.

Charities and not-for-profits that are Service Providers under CYFSA should continue to monitor the status of CYFSA as well as the Draft Regulations. In particular, when CYFSA is proclaimed, and if Draft Regulations are enacted, Service Providers will have significant requirements to comply with under the new legislation.


Read the January 2018 Charity & NFP Law Update