Privacy Breach Notification Requirements to the Minister and the Information Privacy Commissioner (IPC) under Part X (Personal Information) of the Child, Youth & Family Services Act, 2017 (CYFSA)
Bill or Act:
Child, Youth and Family Services Act, 2017.
Summary of Decision:
Regulation in force on January 1, 2020.
Analysis of Regulatory Impact:
As part of its obligations under the Reducing Regulatory Cost for Business Act, 2017 (RRCBA), the ministry has conducted the Regulatory Impact Analysis (RIA) to identify incremental direct compliance costs, including administrative costs, to for-profit child and youth service providers (businesses). Under the RRCBA, the ministry is required to report on total incremental administrative costs to businesses. The majority of child and youth service providers subject to the CYFSA are not-for-profit service providers and are not included in this analysis.
The proposed regulatory provisions identified in this posting fall under the Part X (Personal Information) LGIC regulation (O. Reg. 191/18). Total annual incremental administrative costs to businesses associated with the Part X (Personal Information) LGIC regulation as a whole are estimated to be $180,000.
December 4, 2017
Summary of Proposal:
Overview of Part X:
The CYFSA received Royal Assent on June 1, 2017. Part X of the Act establishes a new personal information privacy framework for the sector which includes new:
• Rules for the collection, use, and disclosure of clients' personal information by service providers under the Act.
• Rights for children, youth and family members to access and correct their personal information held by those service providers.
• Ministry authority to collect data and information, including personal information from clients and service providers, for purposes such as monitoring and oversight, research, evaluation and system planning.
Part X also creates a right to appeal to the Ontario Information and Privacy Commissioner (IPC) if an individual feels that their privacy has been breached or if they have been unable to gain access to or correct their personal information.
MCYS funds and/or licenses a variety of service providers to provide services across the child and youth sector. Some of these service providers are governed by the Freedom of Information and Protection of Privacy Act (FIPPA), the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), or the Personal Health Information Protection Act (PHIPA). However, many MCYS-funded service providers (e.g. Children's Aid Societies) are currently not governed by any legislation that sets rules for the handling or sharing of personal information. Part X fills the 'legislative gap' in the child and youth service sector by providing consistent protections and rights for children, youth, and families related to their personal information.
Policy Intent in Legislation:
The Act establishes requirements for service providers to notify the individual to whom the information relates, at the first reasonable opportunity, if personal information (PI) collected for the purpose of providing a service is lost or stolen or used or disclosed without authority. This provision is based on similar expectations for custodians of personal health information under PHIPA.
Section 308(2) aims to foster clients' trust that their PI is protected and, should their information become compromised, to ensure they are informed so that they can take steps to protect themselves and mitigate harm.
In addition to the requirement that service providers inform the individual of a privacy breach, section 308(3) provides authority to prescribe criteria for notifying the IPC and the Minister of the privacy breach.
Policy Intent of Regulation:
The policy intent is to require service providers to provide notice to the Minister and the IPC if PI collected as part of providing a service meets the circumstances outlined in the regulation:
• Service provider has reasonable grounds to believe that the PI was used or disclosed without authority
• Service provider has reasonable grounds to believe the PI was stolen
• Service provider has reasonable grounds to believe that the PI was or will be further used or disclosed without authority
• Loss or unauthorized use or disclosure is part of a pattern
• Service provider has reasonable grounds to believe that PI disclosed to a prescribed entity (PE) or a person or entity that is not prescribed (non-PE) has been stolen or lost, or used or disclosed without authority by the PE or non-PE
• Service provider determines that the loss or unauthorized use or disclosure of PI is significant
Ministry of Children and Youth Services
56 Wellesley St West, 15th Floor
Toronto, ON M5S 2S3
January 1, 2020