CYFSA DECISION 21

Complaint FC20-00022

Ogwadeni:deo

February 21, 2025

Summary: The complainant is the mother of a child who was placed in the care of Ogwadeni:deo (the service provider) by a court order. For a period while the child was in its care under the terms of the court order, the service provider received child benefits from the federal government for the child’s care and maintenance. After the Canada Revenue Agency (CRA) questioned the mother’s eligibility for a similar benefit over part of this time period, the mother alleged a number of privacy breaches by the service provider. Among other complaints, she alleges the service provider inappropriately shared personal information with its finance department, which applied for the federal benefit, and with the CRA. She also asserts that the service provider shared inaccurate information, by failing to report that the child lived with her for some of the period covered by the court order.

In this decision, the adjudicator finds that the service provider did not contravene the Child, Youth and Family Services Act, 2017  (CYFSA ) through its use and disclosure of personal information in connection with receiving federal child benefits. She dismisses the complaint.

Statutes Considered: Child, Youth and Family Services Act, 2017,  SO 2017, c 14, Sch 1, sections 2  (definitions), 286, 291(1)(a), 292(1)(h), and 306(1) and (2); Freedom of Information and Protection of Privacy Act , RSO 1990, c F.31, section 2  (definitions); Children's Special Allowances Act , SC 1992, c 48, Sch .; SOR/93-12 (Children’s Special Allowance Regulations).

Decisions Considered: CYFSA Decisions 4 and 19.

OVERVIEW:

[1] This decision addresses a privacy complaint made under the Child, Youth and Family Services Act, 2017 (CYFSA) about a service provider’s use and disclosure of personal information in connection with receiving federal benefits for a child in care.

[2] The complainant is the mother of a child who was placed in the care of Ogwadeni:deo (the service provider) by a court order. Through its finance department, the service provider applied to the Canada Revenue Agency (CRA) for payments under the federal  Children’s Special Allowances Act [1] for the care and maintenance of the child (“CSA payments”). CSA payments are tax-free monthly payments made by the federal government to an agency or other specified body in respect of each child under 18 who resides in Canada and who is dependent on the agency for the child’s care, maintenance, education, training, and advancement. To qualify for CSA payments, the child must reside in an institution or other home maintained by the agency. Agencies can include Indigenous governing bodies, and federal, provincial, or territorial government departments or agencies.[2]

[3] The child’s mother filed this complaint with the Office of the Information and Privacy Commissioner of Ontario (IPC) after the CRA questioned her eligibility for a similar benefit for a time period during which the service provider had received CSA payments for the child. The mother alleges that the service provider breached the privacy rules in the CYFSA by sharing her and her child’s personal information with its finance department and with the CRA. She also alleges that the service provider shared inaccurate information, by failing to report that despite the court order, the child lived with her for some of the time period covered by the court order.

[4] In this decision, I find the service provider did not contravene the CYFSA when it used and disclosed personal information collected for the purpose of providing a service in connection with receiving federal child benefits. I further find the service provider took reasonable steps in the circumstances to ensure the accuracy of the information it used and disclosed for this purpose. I dismiss the complaint.

ISSUES:

1. Was the service provider’s use and disclosure of personal information permitted or required by the CYFSA?
2. Did the service provider comply with the requirement to take reasonable steps to ensure the accuracy of the personal information it used and disclosed?

DISCUSSION:

[5] One of the purposes of Part X of the CYFSA is to protect the privacy of individuals with respect to personal information collected to provide a service under the CYFSA. Part X achieves this purpose by, among other things, setting out rules for any collection, use, or disclosure of personal information by service providers.

[6] In this case, there is no dispute that the service provider, an Indigenous child protection agency, is a “service provider” within the meaning of the CYFSA,[3] and that the information at issue was collected by the service provider for the purpose of providing a “service” within the meaning of the CYFSA.[4]

[7] “Personal information” is defined in section 2 of the CYFSA to have the same meaning as in the Freedom of Information and Protection of Privacy Act  (FIPPA ). Section 2(1)  of FIPPA defines “personal information” to mean recorded information about an identifiable individual, including, among other things, information relating to the race, national or ethnic origin, or age of an individual (at paragraph (a) of the definition), and the individual’s name where it appears with other personal information relating to the individual [paragraph (h)].

[8] The information at issue in this complaint is information about the child and the child’s mother that the service provider collected for the purpose of providing services to them both, and that the service provider later shared with its finance department and the CRA in connection with its application for CSA payments. This information includes the names of the child and the child’s mother, the child’s age, and the child’s involvement with the service provider, including the child’s living arrangements. I find all this information qualifies as the personal information of the child and of the child’s mother.

[9] As a preliminary matter, therefore, Part X of the CYFSA applies the service provider’s collection, use, and disclosure of the personal information at issue in this complaint. Under the next headings, I will consider the complainant’s allegations that the service provider contravened the CYFSA when it shared personal information in the way that it did.

A. Was the service provider’s use and disclosure of personal information permitted or required by the CYFSA?

[10] Section 286 of the CYFSA addresses the collection, use, and disclosure of personal information collected by a service provider for the purpose of providing a service to an individual. It states:

A service provider shall not collect personal information about an individual for the purpose of providing a service or use or disclose that information unless,

(a) the service provider has the individual’s consent under this Act and the collection, use or disclosure, to the best of the service provider’s knowledge, is necessary for a lawful purpose; or

(b) the collection, use or disclosure without the individual’s consent is permitted or required by this Act.

[11] Under this section, the CYFSA authorizes the “use” and “disclosure” of personal information in some circumstances—namely, where there is the appropriate consent (and other conditions are met); or where the CYFSA permits or requires the use or disclosure to be made without consent.

[12] “Use” and “disclosure” are not defined terms in the CYFSA. However, in CYFSA Decision 19, the IPC found that generally, “use” means viewing or dealing with personal information in a manner that does not include disclosing it. It also found that, generally, “disclosure” means releasing information or making the information available to another person or organization. I agree with the definitions of these terms set out in CYFSA Decision 19, and I adopt them here.

[13] The mother’s privacy complaint contains allegations about the service provider’s use and disclosure of personal information. I will consider each allegation in turn.

The service provider’s use of personal information complied with the CYFSA

[14] The first allegation is about the service provider’s sharing of the mother’s and the child’s personal information with its finance department.

[15] The service provider does not deny that it shared with staff of its finance department certain personal information of the mother and the child, such as their involvement with the service provider, the child’s date of birth, and the dates the child entered and left the service provider’s care. The service provider explains that its finance department required this personal information to account for payments (such as CSA payments) that it received or should receive for the child. The mother does not accept this is a legal basis for finance department staff to have personal information about her and her child.

[16] I find that the service provider’s sharing of personal information with staff of its finance department was a “use” of that information within the meaning of the CYFSA. The CYFSA makes clear that a service provider’s act of providing personal information to an officer, employee, consultant, or agent of the service provider is a use (and not a disclosure) of that information for the purposes of the CYFSA.[5]

[17] The complainant says the service provider never sought or obtained her consent to use her and her child’s personal information in this way. With her representations, she provided an audio recording of a telephone call she had with an employee of the service provider, in which, she says, the employee admits the service provider acted without her consent.

[18] I accept the complainant’s assertion that the service provider did not seek or obtain her consent to share the personal information at issue with its finance department. However, I find the use was authorized to be made without consent under section 291(1)(a) of the CYFSA. This section states:

A service provider may use personal information collected for the purpose of providing a service […] for the purpose for which the information was collected or created and for all the functions reasonably necessary for carrying out that purpose, including providing the information to an officer, employee, consultant or agent of the service provider, but not if the information was collected with the consent of the individual or under clause 288 (2) (a)[6] and the individual expressly instructs otherwise[.]

[19] I am satisfied that the service provider’s use of this personal information was reasonably necessary for carrying out its purpose of providing child protection and other services under the CYFSA. I accept the evidence that finance department staff required this information to apply for and to receive CSA payments that were applied by the service provider to the care and maintenance of the child. There is no evidence before me of a relevant express instruction against this permitted use of personal information.

[20] I thus find the service provider was permitted to use the personal information at issue without consent. There is no evidence to suggest the service provider improperly exercised its discretion in this regard.[7] I conclude that this use of personal information complied with the CYFSA.

The service provider’s disclosure of personal information complied with the CYFSA

[21] The second allegation is about the service provider’s sharing of the mother’s and the child’s personal information with the CRA.

[22] The service provider does not deny that it provided the CRA with certain personal information of the mother and child, including their involvement with the service provider, the child’s date of birth, and the dates the child entered and left the service provider’s care. The service provider explains that it was required to provide this information to the CRA to apply for and receive CSA payments for the care and maintenance of the child.

[23] I find that the service provider’s sharing of personal information with the CRA was a “disclosure” of that information within the meaning of the CYFSA.

[24] As above, the complainant says she did not consent to this sharing of her and her child’s personal information. I accept the complainant’s assertion that the service provider did not seek or obtain her consent to its disclosure of the personal information at issue to the CRA.

[25] However, I find this disclosure was authorized to be made without consent under section 292(1)(h) of the CYFSA. This section states:

A service provider may, without the consent of the individual, disclose personal information about an individual that has been collected for the purpose of providing a service […] if permitted or required by law or by a treaty, agreement or arrangement made under an Act or an Act of Canada, subject to the requirements and restrictions, if any, that are prescribed.

[26] The service provider supplied a copy of the correspondence it sent to the CRA in answer to a letter from the CRA seeking information about the service provider’s eligibility for CSA payments for the child. It also provided a copy of the completed form it sent to the CRA to apply for CSA payments.[8] Among other details solicited by the CRA on this form are the child’s name, date of birth, gender, and the date the child entered the care of the service provider.

[27] I find that the service provider’s disclosure of this personal information to the CRA was made to fulfil the CRA’s requirements of applicants for CSA payments for a child in care. The disclosure of personal information to the CRA for this purpose was made to comply with the federal  Children’s Special Allowances Act  and its regulation,[9] which among other things set out the information that an agency must provide to the CRA to apply for CSA payments, and provide for the confidentiality of that information.[10]

[28] I thus find the service provider disclosed this personal information without consent in accordance with section 292(1)(h) of the CYFSA.

[29] The service provider later disclosed additional information to the CRA, to try to help the mother address questions from the CRA about the mother’s eligibility for federal child benefits. As I explain in more detail below, after the mother asked the service provider to confirm to the CRA her eligibility for these payments, the service provider contacted the CRA on several occasions to clarify its understanding of the child’s living situation. I do not understand these additional contacts to be at issue in the present complaint. I observe that the CYFSA authorizes disclosures made with the appropriate consent where the disclosure, to the best of the service provider’s knowledge, “is necessary for a lawful purpose,”[11] and where a service provider properly exercises its discretion in doing so.[12]

B. Did the service provider comply with the requirement to take reasonable steps to ensure the accuracy of the personal information it used and disclosed?

[30] This part of the complaint arises from the mother’s allegation that the service provider failed to ensure its finance department and the CRA had accurate information about her child’s living arrangements. The mother alleges that this failure deprived her of child benefits to which she is entitled.

[31] Specifically, the mother says that despite the terms of the court order placing the child in the care of the service provider after a certain date, the child lived with her (and not with the service provider) for several months covered by the court order. Because the service provider had already received CSA payments for these months, the CRA challenged the mother’s claim for child benefits for the same period.

[32] To address the CRA’s inquiries, the mother asked the service provider to clarify for the CRA the child’s living arrangements for these months. At the mother’s request, the service provider contacted the CRA a number of times. The mother’s position is that the service provider was aware the child lived with her for these months, and that its failure to persuade the CRA to correct its understanding of the situation is a violation of the CYFSA.

[33] The mother’s complaint implicates sections of the CYFSA that require a service provider to take steps to ensure the accuracy, completeness, and up-to-date character of the personal information it uses and discloses in the course of providing services. Sections 306(1) and (2) of the CYFSA state:

(1) A service provider that uses personal information for the purpose of providing a service shall take reasonable steps to ensure that the information is as accurate, complete and up-to-date as is necessary for the purposes for which it uses the information.

(2) A service provider that discloses personal information that has been collected for the purpose of providing a service shall,

(a) take reasonable steps to ensure that the information is as accurate, complete and up-to-date as is necessary for the purposes of the disclosure that are known to the service provider at the time of the disclosure; or

(b) clearly set out for the recipient of the disclosure the limitations, if any, on the accuracy, completeness or up-to-date character of the information.

[34] I have considered the evidence provided by both parties on this issue. As I explain, I am satisfied the service provider complied with its obligations under sections 306(1) and (2).

[35] Both parties acknowledge there was a valid court order that placed the child in the care of service provider as of a certain date. It is not in dispute that the court order was never varied, and that it remained in effect until the child turned 18.

[36] The mother says that when she initially contacted the service provider for help addressing the CRA’s inquiries about her eligibility for child benefits, staff of the service provider accepted her account of events. That staff member provided the mother with a letter in which the staff member confirms her understanding that the child lived with the mother for the months in question. In this letter, the staff member reports that other service provider staff contacted the finance department and the CRA multiple times in an attempt to help the mother resolve her CRA issues. These contacts included three letters from the service provider directly to the CRA, in which the service provider supports the mother’s claim that the child lived with her for the months in question.

[37] Despite these attempts, the mother says, her issues with the CRA were not resolved. She characterizes this result as a failure by the service provider to meet its duties under the CYFSA. I disagree. The mother’s evidence instead demonstrates to me that the service provider made numerous efforts to convey to the CRA information that, at the time, its staff members believed to be accurate.

[38] I note that since that time, the service provider (through new legal counsel) has stated that this staff member failed to recognize that the living situation described by the mother was contrary to the then-governing court order. The service provider’s position is that if the mother wanted to vary the child’s living situation—and to support her request to the CRA for child benefits for those months—the appropriate way to do so would have been to seek a variation of or to appeal the court order, and to report to the CRA any resulting change to the legal custodial arrangement. There is no claim that the mother ever did so.

[39] In these circumstances, I am satisfied the service provider took reasonable steps to ensure the accuracy, completeness, and up-to-date character of the personal information it used and disclosed in connection with its application for and receipt of CSA payments. The service provider made reasonable efforts, in light of its understanding at the time of the mother’s eligibility for child benefits, to convey to its finance department and to the CRA the mother’s information about the child’s living situation for the months in question. I do not agree that the CRA’s reliance instead on the valid court order to determine the appropriate recipient of child benefits is evidence of the service provider’s failure to meet its obligations under the CYFSA.

[40] Finally, I note that in considering this aspect of the complaint, I have not relied on the mother’s evidence regarding prior proceedings between her and the service provider in another forum. The nature of those proceedings is not clear to me, and it appears the matter was concluded through a settlement agreement between the parties. The IPC is not the appropriate body to hear disputes about a party’s compliance with the terms of a private agreement.

[41] I dismiss this aspect of the complaint.

NO ORDER:

For the foregoing reasons, I dismiss the complaint and issue no order.

Original Signed by:		February 21, 2025
Jenny Ryu
Adjudicator