Record Retention, Transfer and Disposal Requirements under Part X (Personal Information) of the Child, Youth & Family Services Act, 2017 (CYFSA)
Bill or Act:
Child, Youth and Family Services Act, 2017
Summary of Decision:
Regulation in force on January 1, 2020.
Analysis of Regulatory Impact:
As part of its obligations under the Reducing Regulatory Cost for Business Act, 2017 (RRCBA), the ministry has conducted the Regulatory Impact Analysis (RIA) to identify incremental direct compliance costs, including administrative costs, to for-profit child and youth service providers (businesses). Under the RRCBA, the ministry is required to report on total incremental administrative costs to businesses. The majority of child and youth service providers subject to the CYFSA are not-for-profit service providers and are not included in this analysis.
The proposed regulatory provisions identified in this posting fall under the Part X (Personal Information) LGIC regulation (O. Reg. 191/18). Total annual incremental administrative costs to businesses associated with the Part X (Personal Information) LGIC regulation as a whole are estimated to be $180,000.
December 4, 2017
Summary of Proposal:
Overview of Part X:
The CYFSA received Royal Assent on June 1, 2017. Part X of the Act establishes a new personal information privacy framework for the sector which includes new:
•Rules for the collection, use, and disclosure of clients' personal information by service providers under the Act.
•Rights for children, youth and family members to access and correct their personal information held by those service providers.
•Ministry authority to collect data and information, including personal information from clients and service providers, for purposes such as monitoring and oversight, research, evaluation and system planning.
MCYS funds and/or licenses a variety of service providers to provide services across the child and youth sector. Some of these service providers are governed by the Freedom of Information and Protection of Privacy Act (FIPPA), the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), or the Personal Health Information Protection Act (PHIPA). However, many MCYS-funded service providers are currently not governed by any legislation that sets rules for the handling or sharing of personal information (e.g. Children's Aid Societies). Part X fills the 'legislative gap' in the child and youth service sector by providing consistent protections and rights for children, youth, and families related to their personal information.
Policy Intent in Legislation:
The Act establishes requirements for service providers to protect records of PI in their custody or control by retaining, transferring, and disposing of them in a secure manner. This provision is based on best practices in personal health information under PHIPA.
Section 309 aims to:
•Strengthen the integrity and safekeeping of PI records
•Support access requests to PI records
•Support service delivery and system service planning
The Act gives regulatory authority to prescribe additional requirements for the retention, transfer and disposal of PI records collected for the purpose of providing a service that are in a service provider's custody or control.
Policy Intent of Regulation:
The requirements will reflect the needs of a diverse child and youth sector and its records while providing general key minimum standards for secure recordkeeping.
The intent of the regulation is to:
•Require service providers to develop and maintain retention schedules
•Include a minimum set of factors for service providers to consider when
developing retention schedules (e.g. type of PI record, format of the record)
•Require appropriate disposal of PI records based on authority, protection of the PI during disposal, and recordkeeping of disposed records.
Ministry of Children and Youth Services
56 Wellesley St West, 15th Floor
Toronto, ON M5S 2S3
January 1, 2020