Regulation - LGIC

Privacy Breach Notification Requirements to an Individual under Part X (Personal Information) of the Child, Youth & Family Services Act, 2017 (CYFSA)

Regulation Number(s):
Instrument Type:
Regulation - LGIC
Bill or Act:
Child, Youth and Family Services Act, 2017
Summary of Decision:
Regulation in force on January 1, 2020.

Analysis of Regulatory Impact:
As part of its obligations under the Reducing Regulatory Cost for Business Act, 2017 (RRCBA), the ministry has conducted the Regulatory Impact Analysis (RIA) to identify incremental direct compliance costs, including administrative costs, to for-profit child and youth service providers (businesses). Under the RRCBA, the ministry is required to report on total incremental administrative costs to businesses. The majority of child and youth service providers subject to the CYFSA are not-for-profit service providers and are not included in this analysis.

The proposed regulatory provisions identified in this posting fall under the Part X (Personal Information) LGIC regulation (O. Reg. 191/18). Total annual incremental administrative costs to businesses associated with the Part X (Personal Information) LGIC regulation as a whole are estimated to be $180,000.
Further Information:
Proposal Number:
Posting Date:
December 4, 2017
Summary of Proposal:
Overview of Part X:
The CYFSA received Royal Assent on June 1, 2017. Part X of the Act establishes a new personal information privacy framework for the sector which includes new:
•Rules for the collection, use, and disclosure of clients' personal information by service providers under the Act.
•Rights for children, youth and family members to access and correct their personal information held by those service providers.
•Ministry authority to collect data and information, including personal information from clients and service providers, for purposes such as monitoring and oversight, research, evaluation and system planning.
Part X also creates a right to appeal to the Ontario Information and Privacy Commissioner (IPC) if an individual feels that their privacy has been breached or if they have been unable to gain access to or correct their personal information.
MCYS funds and/or licenses a variety of service providers to provide services across the child and youth sector. Some of these service providers are governed by the Freedom of Information and Protection of Privacy Act (FIPPA), the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), or the Personal Health Information Protection Act (PHIPA). However, many MCYS-funded service providers are currently not governed by any legislation that sets rules for the handling or sharing of personal information (e.g. Children's Aid Societies). Part X fills the 'legislative gap' in the child and youth service sector by providing consistent protections and rights for children, youth, and families related to their personal information.

Policy Intent in Legislation:
The Act establishes requirements for service providers to notify the individual to whom the information relates at the first reasonable opportunity if PI collected for the purpose of providing a service is lost or stolen or used or disclosed without authority. This provision is based on similar expectations for custodians of personal health information under PHIPA.
Section 308(2) aims to foster client trust that their PI is protected. Should their information become compromised, clients must be informed so that they can take steps to protect themselves.

Policy Intent of Regulation:
The regulation prescribes additional requirements and exceptions for notifying individuals of privacy breaches. It requires that:
•Service providers give notice to the individual in all circumstances of a privacy breach (i.e. no exceptions). This is consistent with the approach in the health sector.
•Notifications must be in plain language and include:
oGeneral description of the breach;
oSteps taken to address the breach and mitigate possible adverse effects;
oContact information of a person who can respond to questions from the individual.
These requirements support the CYFSA's goal to be child centered and are responsive to emerging best practices related to providing notice to individuals of privacy breaches.
Contact Address:
Ministry of Children and Youth Services
56 Wellesley St West, 15th Floor
Toronto, ON M5S 2S3
Effective Date:
January 1, 2020