O. Reg. 191/18: PERSONAL INFORMATION, Child, Youth and Family Services Act, 2017, S.O. 2017, c. 14, Sched. 1
Child, Youth and Family Services Act, 2017
PERSONAL INFORMATION
Historical version for the period April 3, 2018 to December 31, 2019.
Note: THIS REGULATION IS NOT YET IN FORCE. It comes into force on January 1, 2020, the day section 281 of Schedule 1 to the Supporting Children, Youth and Families Act, 2017 comes into force.
No amendments.
This is the English version of a bilingual regulation.
Prescribed entities, s. 293 of the Act
1. The following entities are prescribed for the purposes of section 293 of the Act:
1. The Canadian Institute for Health Information.
2. The Institute for Clinical Evaluative Sciences.
Prescribed restrictions, s. 293 (2) of the Act
2. The following requirements and restrictions apply to the disclosure of personal information by a service provider to a person or entity under subsection 293 (2) of the Act:
1. A service provider may only disclose the personal information if,
i. the person or entity to which the information will be disclosed identifies as a First Nations, Inuit or Métis person or entity,
ii. the information relates to First Nations, Inuit or Métis individuals,
iii. the service provider and the person or entity to which the information will be disclosed have entered into an agreement with respect to the use, security, disclosure, return or disposal of the information,
iv. the agreement referred to in subparagraph iii,
A. requires the person or entity to whom the information is disclosed to notify the service provider who disclosed it of any loss or theft of the personal information or of any unauthorized use or disclosure of the information, and
B. sets out how the person or entity will notify the service provider,
v. the service provider has received written acknowledgement from each of the bands or First Nations, Inuit or Métis communities whose member’s personal information will be disclosed, indicating that the band or community approves of the fact that the person or entity will receive the personal information, and
vi. the service provider has received written acknowledgement from each of the bands or First Nations, Inuit or Métis communities with which an individual whose personal information will be disclosed identifies, indicating that the band or community approves of the fact that the person or entity will receive the personal information.
Prescribed excluded information, s. 293 (1), (2) and (3) of the Act
3. The following information and corresponding circumstances are prescribed for the purposes of subsection 293 (4) of the Act:
1. Recorded information that documents the content of conversations that took place during a counselling session.
Restrictions on use, s. 293 (9) of the Act
4. (1) Despite subsection 293 (9) of the Act, a prescribed entity, or a person or entity that is not a prescribed entity, may use personal information received under subsection 293 (1), (2) or (3) of the Act for a purpose other than for which it was received if the following requirements are met:
1. The person or entity shall submit a research plan that meets the requirements of subsection (2) respecting the use of that personal information to a research ethics board that meets the following criteria:
i. It has at least five members.
ii. At least one member has no affiliation with the person or persons that established the research ethics board.
iii. At least one member is knowledgeable in research ethics, either as a result of formal training in research ethics or practical or academic experience in research ethics.
iv. At least two members have expertise in the methods or in the areas of research being considered.
v. At least one member is knowledgeable in privacy issues but does not provide legal advice to a service provider.
2. The person or entity has received written confirmation from each member of the research ethics board that the member’s personal interest in the use of the personal information or the performance of the research does not conflict or appear to conflict with the member’s ability to objectively review the research plan.
3. The research ethics board has approved the plan.
(2) A research plan shall be in writing and set out the following information:
1. The affiliation of each person involved in the research.
2. The nature and objectives of the research and the public or scientific benefit of the research that the researcher anticipates.
3. A description of the research proposed to be conducted and the duration of the research.
4. A description of the personal information required and the potential sources.
5. A description of how the personal information will be used in the research and, if it will be linked to other information, a description of the other information as well as how the linkage will be done.
6. An explanation as to why the research cannot reasonably be accomplished without the personal information and, if it is to be linked to other information, an explanation as to why this linkage is required.
7. An explanation as to why consent to the disclosure of the personal information is not being sought from the individuals to whom the information relates.
8. A description of the reasonably foreseeable harms and benefits that may arise from the use of the personal information and how the researchers intend to address those harms.
9. If the research relates primarily to First Nations, Inuit or Métis individuals,
i. the written approval of each of the bands or First Nations, Inuit or Métis communities whose member’s personal information will be used in the research, and
ii. the written approval of each of the bands or First Nations, Inuit or Métis communities with which an individual whose personal information will be used in the research identifies.
10. A description of all persons who will have access to the personal information, why their access is necessary, their roles in relation to the research and their related qualifications.
11. The safeguards that the person or entity will impose to protect the confidentiality and security of the personal information, including an estimate of how long information will be retained in an identifiable form and why.
12. Information as to how and when the personal information will be disposed of or returned to the service provider.
13. A description of how the entity or person will, at the earliest reasonable opportunity, notify the service provider from which the personal information was received of any theft, loss or unauthorized use or disclosure of the personal information.
14. The funding source of the research.
15. Whether the person or entity has applied for the approval of another research ethics board and, if so, the response to or status of the application.
16. Whether the person or entity’s interest in the disclosure of the personal information or the performance of the research would likely result in an actual or perceived conflict of interest with other duties of the person or entity.
Restrictions on use of personal information by Minister and service provider
5. The Minister shall not use personal information for the purposes described in paragraph 6 of subsection 283 (1) of the Act and a service provider shall not use personal information collected for the purposes of providing a service for the purpose set out in clause 291 (1) (j) of the Act unless the following requirements are met:
1. The Minister or service provider, as the case may be, prepares a research plan that meets the requirements of subsection 4 (2) with the exception of those requirements set out in,
i. paragraphs 12 and 14 of that subsection, in the case of the Minister, or
ii. paragraph 12 of that subsection, in the case of a service provider.
2. The Minister or service provider, as the case may be, submits the research plan to a research ethics board that meets the criteria set out in paragraph 1 of subsection 4 (1).
3. The Minister or service provider, as the case may be, has received written confirmation from each member of the research ethics board that the member’s personal interest in the use of the personal information or the performance of the research does not conflict or appear to conflict with the member’s ability to objectively review the research plan.
4. The research ethics board has approved the plan.
Exception to restriction on disclosure by prescribed entity
6. (1) Despite subsection 293 (9) of the Act, a prescribed entity, or a person or entity that is not a prescribed entity, may disclose personal information disclosed to it under subsection 293 (1), (2) or (3) of the Act to,
(a) another prescribed entity, if the disclosure is for the purposes described in subsection 293 (1) of the Act; or
(b) a researcher, in the circumstances set out in subsection (2).
(2) A prescribed entity, or a person or entity that is not a prescribed entity, may disclose personal information disclosed to it under subsection 293 (1), (2) or (3) of the Act to a researcher if,
(a) the researcher demonstrates that,
(i) the researcher has prepared a research plan relating to the personal information to be disclosed that meets the requirements of subsection 4 (2) and has had the plan approved by a research ethics board that meets the criteria set out in paragraph 1 of subsection 4 (1),
(ii) in considering the research plan, the research ethics board considered,
(A) whether the objectives of the research could reasonably be accomplished without using the personal information,
(B) whether, at the time the research is to be performed, adequate safeguards will be in place to protect the privacy of individuals whose personal information will be used in the research and to preserve the confidentiality of the information,
(C) the public interest in conducting the research and the public interest in protecting the privacy of individuals to whom the personal information relates, and
(D) whether obtaining the consent of the individuals to whom the personal information relates would be impractical;
(b) the researcher has entered into an agreement with the prescribed entity, or person or entity that is not a prescribed entity, that requires the researcher to comply with any recommendations of the research ethics board respecting the performance of the research as set out in the board’s approval of the researcher’s research plan; and
(c) the prescribed entity, or person or entity that is not a prescribed entity, is satisfied that the researcher will,
(i) comply with the agreement described in clause (b),
(ii) use the information only for the purposes set out in the research plan approved by the research ethics board,
(iii) not publish the information in a form that could reasonably enable a person to ascertain the identity of the individual,
(iv) not disclose any personal information disclosed to the researcher except as required by law,
(v) not make contact, or attempt to make contact, directly or indirectly, with any individual whose personal information has been disclosed to the researcher, and
(vi) notify the prescribed entity, or the person or entity that is not a prescribed entity, immediately in writing if the researcher fails to do anything described in this clause.
(3) A prescribed entity, or person or entity that is not a prescribed entity, who is notified by a researcher to whom the person or entity has disclosed personal information under clause (1) (b) that the researcher has failed to do something described in clause (2) (c) shall immediately notify the Commissioner if the notification relates to the theft, loss or unauthorized use or disclosure of personal information.
Applications under ss. 302, 304 and 305 of the Act
7. (1) The Consent and Capacity Board continued under the Health Care Consent Act, 1996 is prescribed as the body for the purposes of sections 302, 304 and 305 of the Act.
(2) For the purposes of subsections 302 (10), 304 (4), and 305 (10) of the Act, in conducting an application under section 302, 304 or 305 of the Act, respectively, the Consent and Capacity Board shall comply with sections 73 to 79 of the Health Care Consent Act, 1996.
Additional requirements, s. 308 (2) of the Act
8. The following additional requirements are prescribed for the purposes of subsection 308 (2) of the Act:
1. The service provider shall notify the individual in plain, easy-to-understand language, and the notification shall include a general description of how the personal information was lost, stolen or used or disclosed without authority.
2. The service provider shall inform the individual of any steps the service provider has taken to,
i. prevent a similar theft or loss or unauthorized use or disclosure of personal information from recurring, and
ii. mitigate possible adverse effects on the individual that may be caused by the theft or loss or unauthorized use or disclosure.
3. The service provider shall provide the individual with the contact information of an employee of the service provider who can provide the individual with additional information about the theft or loss or unauthorized use or disclosure.
Prescribed circumstances, s. 308 (3) of the Act
9. Each of the following circumstances is prescribed for the purposes of subsection 308 (3) of the Act:
1. The service provider has reasonable grounds to believe that the personal information was used or disclosed without authority by a person who knew or ought to have known that the person was using or disclosing the information without authority.
2. The service provider has reasonable grounds to believe that the personal information was stolen.
3. The service provider has reasonable grounds to believe that the personal information that was stolen or lost or used or disclosed without authority was or will be further used or disclosed without authority.
4. The loss or unauthorized use or disclosure of the personal information is part of a pattern of similar losses or unauthorized uses or disclosures of personal information in the custody or control of the service provider.
5. The service provider has reasonable grounds to believe that personal information that the service provider disclosed, to a prescribed entity or a person or entity that is not a prescribed entity under subsection 293 (1), (2) or (3) of the Act, has been stolen or lost or used or disclosed without authority by the prescribed entity or the person or entity that is not a prescribed entity.
6. An employee of the service provider is terminated, suspended or disciplined as the result of the theft, loss or unauthorized use or disclosure of personal information by the employee.
7. An employee of the service provider resigns and the service provider has reasonable grounds to believe that the resignation is related to an investigation or other action by the service provider with respect to the theft, loss or unauthorized use or disclosure of personal information by the employee.
8. The service provider determines that the loss or unauthorized use or disclosure of the personal information is significant after considering all relevant circumstances, including,
i. the sensitivity of the personal information that was lost or used or disclosed without authority,
ii. the volume of the personal information that was lost or used or disclosed without authority,
iii. the number of persons whose personal information was lost or used or disclosed without authority, and
iv. whether one or more service providers were involved in the loss or unauthorized use or disclosure of the personal information.
Prescribed requirements, s. 309 (1) (b) of the Act
10. (1) For the purposes of clause 309 (1) (b) of the Act, this section prescribes requirements in respect of the retention, transfer and disposal of records.
(2) In this section, a reference to a record is a reference to a record that is in the service provider’s custody or control and that contains personal information that was collected by the service provider for the purpose of providing a service.
(3) In disposing of a record a service provider shall,
(a) take reasonable steps to protect the record against theft or loss or unauthorized use or disclosure;
(b) take reasonable steps to ensure that the personal information in the record cannot be reconstructed or retrieved; and
(c) document the record that has been disposed of in a way that does not document any of the personal information contained in the record.
(4) A service provider that ceases to provide the service to which a record relates shall not transfer the record to another service provider for the purpose of allowing that service provider to continue to provide that service unless the service provider that will receive the record has in place a records retention policy under this section that addresses the retention of the type of record being transferred.
(5) A service provider shall develop and maintain a records retention policy in accordance with this section and shall comply with that policy.
(6) The policy shall set out,
(a) each type of record maintained by the service provider and a description of the personal information contained in the record, including the format in which the record is maintained;
(b) the classification of each type of record according to the sensitivity of the personal information contained in the record and the manner in which that personal information is normally used or disclosed by the service provider;
(c) a time period for which each type of record shall be retained by the service provider; and
(d) the method by which the service provider will,
(i) dispose of each type of record in a manner consistent with subsection (3), or
(ii) if the service provider ceases providing the service to which a record relates, store or transfer the record in a manner consistent with subsection (4).
(7) In determining the time periods described in clause (6) (c), a service provider shall consider the following:
1. Whether another service provider also has custody or control of the record or requires the record for the purpose of providing a service.
2. Whether, in the view of the service provider, the record is one to which an individual has a right of access under section 312 of the Act.
3. Whether the record is one which relates to circumstances that are or may be the subject of a possible legal proceeding, other than a legal proceeding described in clause 312 (1) (c) of the Act.
4. Whether the service provider has been informed by the Minister or another service provider that the Minister or service provider may require the information for the purpose set out in paragraph 3 of subsection 283 (1) of the Act or clause 291 (1) (d) of the Act.
5. Any other requirement under the Act or another Act that relates to the amount of time that the record must be retained by the service provider.
Reporting to Commissioner
11. (1) On or before March 31 in each year, a service provider shall report the following information to the Commissioner:
1. The number of requests for access to a record under subsection 313 (1) of the Act received by the service provider in the previous year.
2. The number of times a service provider, in response to a request made under subsection 313 (1) of the Act in the previous year, refused to provide access to a record or part of a record and the number of times the service provider relied on each of the clauses or, in the case of a refusal under clause 312 (1) (d) of the Act, each of the subclauses, under subsection 312 (1) of the Act to do so.
3. The number of times the service provider responded within 30 days of receiving a request for access to a record under subsection 313 (1) of the Act and the number of times the service provider extended the deadline to respond to such a request to not more than 90 days under subsection 314 (3) of the Act.
4. The number of requests to correct a record made to a service provider under subsection 315 (2) of the Act in the previous year and the number of times a service provider, in response to such a request,
i. refused the request because it did not find that the correction was warranted under subsection 315 (9) of the Act,
ii. relied on each of either subsection 315 (6) or (10) of the Act to refuse the request, or
iii. received a statement of disagreement under subsection 315 (12) of the Act.
5. The number of times the service provider responded within 30 days of receiving a request to correct a record under subsection 315 (2) of the Act and the number of times the service provider extended the deadline to respond to such a request to not more than 90 days under subsection 315 (4) of the Act.
6. The number of times personal information in the service provider’s custody or control that was collected for the purpose of providing a service was stolen.
7. The number of times personal information in the service provider’s custody or control that was collected for the purpose of providing a service was lost.
8. The number of times personal information in the service provider’s custody or control that was collected for the purpose of providing a service was used without authority.
9. The number of times personal information in the service provider’s custody or control that was collected for the purpose of providing a service was disclosed without authority.
10. The number of times personal information in the service provider’s custody or control that was collected for the purpose of providing a service was used in a manner that is outside the scope of the service provider’s description of its information practices under clause 311 (1) (a) of the Act.
11. The number of times personal information in the service provider’s custody or control that was collected for the purpose of providing a service was disclosed in a manner that is outside the scope of the service provider’s description of its information practices under clause 311 (1) (a) of the Act.
(2) The report required by subsection (1) shall be transmitted to the Commissioner by the electronic means and format determined by the Commissioner.
12. Omitted (provides for coming into force of provisions of this Regulation).