CYFSA Frequently Asked Questions

It is free to see or ask for a copy of your personal information. It is also free to request a correction of your personal information.

Once you have made a request, service providers must get back to you with an answer in 30 days. In some cases, they can extend this time by up to an additional 90 days, but they must let you know in writing about this within 30 days of receiving your access or correction request.

If your service provider cannot or will not correct your record, they must tell you why in writing. They also must let you add a written statement to your file that describes why you believe the information is wrong.

If your service provider does not make the changes you’ve asked for, contact them to see if they can work with you to find a solution. If you are still having problems, you or your substitute decision-maker can make a complaint to the IPC. Your complaint must be filed with our office within six months after your service provider denies your request or does not respond to it.

Learn more about your correction rights in the IPC’s It’s About You brochure.

If you receive, or have received, a service under the Child, Youth and Family Services Act (CYFSA), then, yes, you have the right to request a correction of your personal information in a record you have been given access to. If someone else can make decisions about your personal information, such as a substitute decision-maker, they can ask to make a correction to your personal information on your behalf.

In your request, tell your service provider what is wrong or missing and give them the information needed to fix the error.

Your service provider does not have to correct your record if they did not create it and don’t have the knowledge or authority to make the change. They may also refuse to correct your record if it includes a professional opinion or observation made in good faith.

Learn more about your correction rights in the IPC’s It’s About You brochure.

When asking for your personal information under the CYFSA, you cannot see or get copies of your adoption records. For more information about getting adoption records, contact your service provider, visit Ontario.ca or call 1-800-461-2156.

Sometimes your service provider may not be able to give you all the information you ask for. This could be because they are not allowed to under the law.

Learn more about your access rights in the IPC’s It's About You brochure.

If you receive, or have received, a service under the Child, Youth and Family Services Act (CYFSA), then, yes, you have the right to ask to see or receive a copy of your personal information in your file. This includes information about your history, your health, or notes from talks you’ve had with a social worker or other professional. You can also ask your service provider to explain to you any term or code used in your record.

If someone else can make decisions about your personal information, such as a substitute decision-maker, they can ask to see or receive a copy of your personal information on your behalf. See who can make decisions about your personal information.

If your service provider does not let you see your personal information in your file, they must tell you why in writing.

If you do not get access to the personal information you have requested, you or your substitute decision-maker can make a complaint to the Information and Privacy Commissioner of Ontario (or, the IPC).

Learn more about your access rights in the IPC’s It's About You brochure.

No, you can ask to see or receive a copy of your personal information or make corrections to your personal information at any age. You can make these requests yourself, unless your service provider decides you are not capable of doing so, or your substitute decision-maker can make a request on your behalf.

Wherever possible, we resolve complaints through mediation. Mediation is when the IPC helps you and your service provider settle your differences. If a complaint cannot be solved this way, the IPC may decide to review the matter in a fair and neutral way.

Based on the results of our review, we may order a service provider to give you access to your record, to correct your personal information, to stop or change how they collect, use or disclose your personal information, or to take stronger measures to protect it from unauthorized access. In some cases, however, we might side with the decision or the actions of the service provider if we find that they are meeting their obligations under the law.

Learn more about the IPC’s complaint processes under Part X of the Child, Youth and Family Services Act.

Part X of the CYFSA sets out the access and privacy rules for personal information held by service providers in the child, youth, and family services sector. Children’s aid societies, Indigenous child and family well-being agencies, group homes, and organizations that provide services for youth are some examples of service providers covered under the law.

Our office makes sure that children’s aid societies, Indigenous child and family well-being agencies, group homes, and other service providers follow the rules they’re supposed to, to protect and provide access to your personal information.

You can file a complaint with the IPC if:

• A service provider denies your access or correction request.
• A service provider does not respond to you within the timeline they’re supposed to.
• Your information has been lost, stolen, shared, or viewed by others when it shouldn’t be.
• You think your service provider is not meeting their responsibilities regarding the collection, use or disclosure of your personal information under Part X of the Child, Youth and Family Services Act (CYFSA).
• You believe someone has or is about to break the law regarding the collection, use or disclosure of your personal information under Part X of the CYFSA.

You can also contact us by phone, email, or mail if you have any questions.

Yes. Your service provider must tell you what they do with your personal information. For example, they must make a written statement of their information practices available to you. This public statement must include a clear description of:

• How your service provider collects, uses, discloses, retains, disposes of, and protects your personal information.
• How you can access or request correction of your personal information.
• How to contact your service provider.
• How to make a complaint to your service provider and to the IPC.

Contact your service provider if you have questions about how you can get this information.

Yes. You or your substitute decision-maker have the right to refuse or limit the collection, use, or disclosure of your personal information. You may consent to share some of your personal information with others, but not all of it. For example, you may be okay to share information about your allergies, but not information related to your mental health. You may also consent to have your personal information shared with one third party, but not with another. For example, with your doctor, but not with your teacher.

Service providers generally need your consent to collect, use, or disclose your personal information, unless the law allows them to do this without your consent. For example, your service provider can collect, use, or disclose your personal information without your consent if it is necessary to review, reduce, or remove a risk of harm to you or another person or group.

If you previously told your service provider that they could collect, use, or share your personal information, you can change your mind at any time and let your service provider know about your change of decision. Once you let them know, they must stop collecting, using, or sharing your personal information, except in situations where the law allows or requires them to do so.

If your service provider decides that you are not capable of making decisions about your personal information, and you disagree with them, you can challenge the decision through Ontario’s Consent and Capacity Board. This board reviews cases where there is a disagreement about whether you are capable of making decisions about your own personal information.

You can find the forms you need to challenge a decision on the Consent and Capacity Board’s website.

The law generally presumes that you are capable of making decisions about your personal information, unless your service provider has reasonable grounds to believe that you are not.

Your service provider is responsible for deciding whether you are capable of making these kinds of decisions in specific cases. In doing so, they must assess whether you understand the information needed to make decisions about your personal information, as well as the consequences of these decisions. For example, it would be reasonable for a service provider to decide that a three-year-old child is not capable of giving consent for decisions about their personal information. Learn more about how your service provider decides if you are capable of making decisions about your personal information.

Note that you might be considered capable of making decisions about your personal information at one time, but incapable at another time. For example, a traumatic event or a new medication might temporarily affect your capacity to give, withhold, or withdraw your consent. You might also be considered capable of providing consent for some parts of your personal information, but not for others, depending on the situation.

Sometimes you might not agree with a decision made by your substitute decision-maker. If you are capable of making decisions about the collection, use or disclosure of your personal information, even under the age of 16, your decision to give, withhold, or withdraw consent about your personal information will overrule your substitute decision-maker’s decision.

Where the CYFSA requires consent to collect, use, or disclose your personal information, you can generally make those decisions about your own personal information. The law presumes that you are capable of making such decisions at any age, unless your service provider has reasonable grounds to believe that you are not capable of doing so. Learn more about how your service provider decides if you are capable of making decisions about your personal information.

If you are under the age of 16 and/or if your service provider determines you are incapable of consenting on your own behalf, the CYFSA identifies who can act as your substitute decision-maker. The CYFSA also sets out the things that your substitute decision-maker must consider when making decisions for you.

With some specific exceptions relating to your health care treatment and some counselling decisions, your substitute decision-maker can consent to the collection, use, or disclosure of your personal information for you. They can also make requests, including access and correction requests, on your behalf. Learn more about who can act as your substitute decision-maker.

If you are 16 years of age or older, you can tell your service provider in writing that you want a different person over 16 to make decisions about the collection, use, or disclosure of your personal information on your behalf.

The CYFSA prohibits people from publishing or making public information that identifies a child participant or witness in a child protection hearing, including information that would identify the child’s parents, foster parents, and family members (s. 87(8)). Publishing this information is an offence under the law (s. 142(3)).

The prohibition prevails over Part X of the CYFSA. This means a service provider cannot use or disclose personal information that publicly identifies a participant in a child protection hearing, even if the use or disclosure would otherwise be allowed under Part X.

In most circumstances, the publication ban would not affect an individual’s right of access to personal information. If the individual has a right of access to the information under s. 312 of the act, the service provider must provide access.

Service providers are not responsible for ensuring that individuals receiving access to their file will not publish the information. However, if the service provider suspects the individual may make the information public in contravention of the law, they may choose to bring the prohibition (s. 87(8)) to the individual’s attention.

 Example: A parent requests access to their child’s personal information from a CAS. The CAS suspects the parent may plan to make the information public on social media. The CAS reviews the parent’s right of access under s. 312, including the access exceptions, and determines that the parent does have a right to access the information. The CAS releases the information along with a fact sheet it has prepared about the CYFSA’s publication ban.

The Office of the Information and Privacy Commissioner provides oversight of Ontario’s access and privacy laws, including Part X of the CYFSA.

Any person can file a written complaint with the IPC if they believe another person has or is about to contravene Part X. The IPC promotes informal and early resolution of complaints wherever possible, and often does this through mediation.

If a complaint is not resolved at an early stage, the IPC may decide to conduct a formal review.

The IPC has the power to make orders — for example, it may order a service provider to grant an individual access to their record. The IPC’s orders and decisions are publicly available on our website.

Learn more about the the role of the IPC under Ontario’s child and family services law.

All service providers must have a publicly-available written statement about their information practices. This could be included on your website or on posters or brochures in your workplace.

Your public statement must include an easy-to-understand description of:

• your information policies and practices, and privacy safeguards
• how to access or request correction of a record of personal information
• how to contact your organization
• your organization’s complaint processes and how to file a complaint with the IPC

Learn more about the statement of information practices.

Part X applies to personal information held by child and family service providers. If a record contains no information about an identifiable individual, Part X does not apply.

The personal information must relate to a service provided or funded under the CYFSA or a CYFSA licence. If you offer services unrelated to the CYFSA, Part X would not apply to those records. These access and privacy rules also do not apply to records related to finalized adoptions.

Learn more about the kinds of records covered by Ontario’s child and family services law.

Part X of the Child, Youth and Family Services Act applies to people and organizations providing a service funded under the act or under a CYFSA licence. Examples include children’s aid societies, and licensed operators of group homes and foster homes (but not foster parents).

If you work for a provincial or municipal institution serving children and youth, such as a government ministry, municipality or school board, Ontario’s public sector access and privacy laws apply instead of the core rules of Part X. If you are a health care provider, Ontario’s health privacy law applies when you are handling personal health information.

Learn more about who the CYFSA access and privacy rules apply to.

When someone requests access to personal information, the service provider must determine if that individual has a right to access the information under Part X of Ontario’s child and family services law, the CYFSA. If they have the right to the information, the provider must release it without conditions.

Once access is granted, service providers cannot place limits on what an individual does with the information. Under the law, individuals are not required to sign agreements, such as non-disclosure agreements, that specify what they will do with the information.

However, service providers may decide to alert the individual to certain restrictions, such as the ban on publishing any information that identifies participants in a protection hearing (s. 87(8)).

To help determine if someone has a right of access to personal information, see the IPC’s Part X Access Guide.

As long as the record is in your custody or under your control, then you are responsible for determining whether to provide access to the record, even if it was created by someone else.

It is possible to have custody or control of a record that was not originally created by your organization.

Learn more about how to determine if a record is in your custody or control in our guide to Providing Access to Personal Information under the CYFSA

Individuals can request correction of records they’ve received from service providers. Service providers must respond to correction requests within 30 calendar days and cannot charge fees. In limited cases, you may extend the deadline for a full response by up to 90 days.

You must correct the record if the individual demonstrates that it is inaccurate or incomplete and gives you the information to correct the record. However, you can refuse a request to correct a record if:

• the information is a professional opinion or observation made in good faith
• your organization did not create it, and you lack the knowledge, expertise or authority to correct it

If you refuse to make a correction, you must provide a written response explaining why, within 30 calendar days. You must inform them of their right to file a complaint about the decision to the IPC and their right to prepare a statement of disagreement to attach to the file.

Learn more about responding to correction requests

Child and family service providers must respond to access requests within 30 calendar days  and cannot charge fees. In limited cases, you may extend the deadline for a full response by up to 90 days.

If you plan to extend the deadline, you must provide written notice of the time extension and the reason for it, within 30 days of the request.

Granting access means giving the individual a chance to examine the record and giving them a copy on request. A summary of the record is not sufficient.

If you refuse all or part of an individual’s request, you must notify them in writing within 30 days, and inform them of their right to file a complaint about the access decision with the IPC.

Learn more in the IPC’s guide to Providing Access to Personal Information under the CYFSA

All individuals, regardless of age, have a right to access records of their personal information from child and family service providers that relate to services they received under the CYFSA.

There are a few exceptions to the right of access. For example, individuals do not have a right to access their information if a court order prevents release of the records or they contain legal advice.

If a record is dedicated primarily to providing services to the individual requesting access, they have a right to the entire record — subject to the exceptions in the act — even if it contains information about other individuals and other matters. If it’s not dedicated primarily to providing services to the requester, they only have a right to access their own personal information in the record.

Learn more about access rights

A parent with custody of a child under age 16 can be the child’s substitute decision-make under Part X. This means they can consent to a collection, use or disclosure of the child’s information. They can also make access or correction requests regarding the child’s information.

There are a few exceptions, including for certain counselling records. And if the child is capable, their decision overrules that of the parent.

A non-custodial parent does not have the same rights as a custodial parent to make access requests for the child’s information, or to consent on their behalf. However, service providers may have discretion to disclose information about the child to the non-custodial parent in some cases.

Learn more about substitute decision-makers

Substitute decision-makers can consent on behalf of an individual to the collection, use or disclosure of the individual’s personal information. They can also give instructions and make requests, including access requests, on the individual’s behalf.

Part X explains who can be a substitute decision-maker for individuals who are incapable of consenting.

For a child under the age of 16, the custodial parent — or children’s aid society with care of the child — can act as the child’s substitute decision-maker with some exceptions. In the event of a conflict, a capable child’s decisions about their personal information overrule those of a parent or society.

Learn more about substitute decision-makers

Individuals must be capable of consenting to a collection, use or disclosure of their information. Capable means they are able to understand:

• the information that is relevant to deciding whether to consent and
• the likely consequences of giving, withholding or withdrawing their consent

Child and family service providers can assume that an individual of any age is capable, unless they have reasonable grounds to believe otherwise.

Service providers are responsible for determining who is capable under Part X. However, people can challenge decisions of incapacity through Ontario’s Consent and Capacity Board.

Learn more about capacity

Child and family service providers must get consent before collecting, using or disclosing personal information — except in certain cases permitted by the act.

Consent to collect, use or disclose personal information must:

• be given by the individual — or their substitute decision-maker

• be given freely and voluntarily
• relate to the information that you are collecting, using or disclosing
• be knowledgeable

Consent may be received in writing, for example through a signed consent form. You can also get consent orally – such as over the phone ­­– but only if you make a written record of it.

Learn more about consent

When an employee purposefully views personal information for reasons unrelated to their job duties — such as out of curiosity about a client they know personally — this is sometimes referred to as snooping.

Service providers are required to take reasonable steps to protect personal information against privacy breaches, including snooping.  These steps may include:

• Privacy policies that address snooping
• Staff training and awareness
• Privacy notices and warning flags
• Confidentiality agreements signed by staff
• Role-based access to electronic records
• Logging and auditing of staff access to records

You can learn more in the IPC’s guide to Detecting and Deterring snooping in the health sector

A privacy breach happens when personal information is stolen or lost — or is collected, used or disclosed without authority.

If a privacy breach occurs, immediately notify the relevant staff in your organization, identify the scope of the breach and take the steps necessary to contain it.

You must notify individuals as soon as possible of any breach in which their personal information was lost, stolen or used or disclosed without authority. You must also notify the IPC and the Minister of Children, Community and Social Services of certain privacy breaches.

Breach reports can be submitted to the IPC here. The IPC will review the information you provide and may decide to conduct an investigation in some cases.

Learn more about responding to privacy breaches.

Child and family service providers need an individual’s consent to collect, use or disclose their information — except in certain cases permitted by the act.

Ontario’s child and family services law explains when service providers can collect information — directly and indirectly — without consent. For example, a children’s aid society can collect personal information from another society without consent if necessary to assess, reduce or eliminate a risk of harm to a child.

Once you have collected personal information to provide services, the act explains how you may use this information. For example, you can use information without consent for the purpose it was collected, including providing it to other employees where needed.

The law also explains when you may disclose personal information without consent, including where necessary to assess, reduce or eliminate a risk of serious harm to a person or group.

Learn more about collecting, using or disclosing personal information without consent

Service providers are required to give written notice when refusing all or part of an access request. How you do so will depend on your reasons for refusing access.

For example, when you are denying access because a legal privilege applies, or because a court order or other law prevents the record’s release, you must specifically reference these exceptions as your reason for denying access. Your written notice must tell the requester about their right to file a complaint with the IPC within six months.

You are not required to explain or justify to the requester why a certain access exception applies. However, if they make a complaint to the IPC, you may then be required to provide evidence and reasoning for why you relied on that exception.

For template letters giving notice of a refusal of access, see our guide to providing access to personal information under the CYFSA.

The 30 day timeline begins after you receive an access request. For example, if the request is mailed, the timeline would begin the day you receive the letter, not the day it was sent.

The day you receive the request is considered “day zero.” When calculating the due date for a response, service providers should count 30 calendar days starting from the next day after the request is received.

However, if the request lacks sufficient detail to allow you to identify and locate the record, the 30-day period does not start until the request has been clarified with the requester. In such cases, you must offer to assist the requester in clarifying the request – for example, by replying to their request the next day to advise what additional information you need.

Learn more in our guide to providing access to personal information under the CYFSA

Part X does not require you to inform third parties before releasing their information to someone who has a right of access to the record.

For non-sensitive information, there would generally not be a need to contact the third party – for example, if you were providing a client with access to a record containing basic information about their foster parent they already know.

In some cases, it may be appropriate to talk to the third party whose information is in the record. If you do that, consider whether or not you will need to disclose to the third party the personal information of the person requesting the information. If so, you will need authority for the disclosure, such as getting the requester’s consent.

Learn more about processing access requests in our guide to providing access to information under the CYFSA

It depends on whether the record is dedicated primarily to providing services to the person requesting access:

• If so, they have a right to access the entire record — even if it happens to contain information about another person
• If not, they have a right to access only their own personal information from the record

In either case, their right of access is subject to several exceptions. Part X does not include an overarching access exception that requires you to always remove third party information before providing access. But it does contain other exceptions (such as where access will lead to a risk of serious harm) that may apply to third party information in some cases.

Learn more about access exceptions, and about how to determine if a record is dedicated primarily to providing services to the requester, in our guide to providing access to information under the CYFSA.

You must take reasonable steps to verify a requester’s identity before releasing personal information to them.

In some cases, you may already be satisfied that the requester is who they claim to be – for example, because you currently provide services to them.  If so, no additional steps may be required.

If you do need to take additional steps to verify a requester’s identity, you can do so in different ways. For example, you may ask them to sign a form confirming their identity, or produce a piece of identification, such as a driver’s license. It is a best practice to document the steps you take to verify identity.

Learn more in our guide to providing access to personal information under the CYFSA

Nothing in Part X — or in Ontario’s other privacy laws — stands in the way of the duty to report suspected child abuse or neglect to a children’s aid society. Individuals and service providers can continue to make such reports, which are required by law, without consent. Children’s aid societies can continue to indirectly collect information, without consent, to support the duty to report.

Learn more about duty to report and privacy

Yes. Even if an individual’s personal information was recorded many years before Part X came into force in January 2020, they have a right to access their record and you must protect it against privacy breaches.

However, Part X does not apply retroactively. For example, an individual would not have a right to complain to the IPC about a privacy breach that happened — or an access request they submitted— years before Part X came into force.

Learn more in the guide to Part X

If a service provider is covered by Ontario’s health privacy law, the core requirements of Part X do not apply to their handling of personal health information — PHIPA applies instead.

However, Part X may apply if the service provider is handling personal information that isn’t health information. For example, a multi-service organization runs a children’s mental health clinic, as well as a children’s aid society. The organization is already operating as a custodian under PHIPA for the purpose of running their mental health clinic. Even so, Part X of the CYFSA will apply to the work of their children’s aid society.

Learn more about service providers covered by PHIPA

As a service provider, you are required to develop a policy setting out what kinds of personal information records you maintain and how long you will keep (retain) them.

Part X does not dictate how long you must keep records, but it does require you to consider certain factors in deciding your retention periods. For example, you must consider whether another service provider needs the record to provide services.

Regardless of your retention periods, if someone requests access to a record, you must then retain it for as long as it takes to fulfil their access request and any follow up they may have (including filing a complaint with the IPC).

Learn more about retaining and disposing of records in the guide to Part X

Your service provider needs to let you know if information they have about you has been lost, shared, stolen or viewed when it shouldn’t be. They need to write down what happened, what they are doing to fix the problem, and who to contact if you have questions. They also need to tell you how you can file a privacy complaint with our office.

If a service provider doesn’t let you see your personal information in your file or won’t make corrections to it, they must tell you why in writing. They must also let you know if what you’re asking for will take longer than 30 days.

If you don’t agree with their reasons for not giving you the information or making the changes you’ve asked for, contact the service provider. They can work with you to find a solution. If you are still having problems, you can contact our office to make a complaint about the service provider.

Ask for the correction by writing to the service provider. Some service providers may have a form you can use. Tell them what is wrong or missing and be sure to give them the information needed to fix the problem. Asking for a correction to the personal information in your file is free.

Sometimes the service provider may not be able to give you all the information you ask for. This could be because they aren’t allowed to under the law. When a service provider does not give you all of the information you’ve asked for, they have to tell you why.

Even if the service provider cannot show you everything in your file, it is not enough for them to give you a short summary of what’s in it. They must give you access to your file and a copy of it if you ask for one.

These rules do not apply to adoption records. For more information about getting your adoption records, visit www.ontario.ca/page/search-adoption-records, or call 1-800-461-2156.

People of any age can ask to see or make corrections to the personal information in their file.

You can ask to see and get a copy of any or all of your personal information in your file. This could include information about your history, your health or notes from talks you’ve had with a social worker or other professional. Your service provider must help you get this information if you ask.

As a service provider, you must have an individual’s consent to collect, use or disclose personal information — except in certain cases permitted by the act.

Even when you have consent, there are limits on when and how much personal information you can collect, use or disclose. For example, you must only collect, use or disclose as much personal information as is reasonably necessary to provide a service.

Learn more about collection, use and disclosure