On May 13, 2024, the Government of Ontario introduced Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194), which, if passed, will significantly reform the Freedom of Information and Protection of Privacy Act (FIPPA). FIPPA governs how the Ontario government and prescribed public sector entities (institutions) collect, use and disclose personal information, and sets out a general right of access to government records.

If passed, Bill 194 will amend FIPPA to require these institutions to report certain privacy breaches to the Information and Privacy Commissioner of Ontario (IPC), require privacy assessments to be conducted before collecting personal information, and increase the IPC’s investigative powers. These amendments would align FIPPA more closely with public sector privacy legislation in B.C. and Quebec. 

Bill 194 also introduces legislation to regulate the use of artificial intelligence systems in the Ontario public sector. This proposed legislation will be the subject of a future Blakes bulletin. 

New General Obligation

Currently, Ontario’s FIPPA does not expressly require institutions to protect personal information. Instead, under the General regulation to FIPPA, institutions must ensure that reasonable measures to prevent unauthorized access to the institution’s records are defined, documented and put in place, taking into account the nature of the records to be protected.

Bill 194 would, if passed, introduce a new general requirement to protect personal information directly in FIPPA. Institutions would be expressly obligated to take steps that are reasonable in the circumstances to ensure that personal information in their custody or control is protected against theft, loss and unauthorized use or disclosure, as well as unauthorized modification or disposal. 

Formalizing the Privacy Impact Assessment Process

Bill 194 would also amend FIPPA to require institutions to ensure that prior to collecting personal information, a written assessment is prepared that addresses prescribed considerations, including the purpose, legal authority, limitations, restrictions and safeguards in place for processing personal information. Institutions would also be responsible for ensuring that risk mitigation strategies identified in the assessment are implemented before collecting the personal information or, if not possible, within a reasonable time after collecting the information. The IPC would be able to compel the institution to provide a copy of the assessment upon request.

Mandatory Breach Reporting

Similar to the mandatory breach reporting requirements under public sector privacy laws in B.C. and Quebec, Bill 194 would amend FIPPA to require institutions to report to the IPC in a prescribed form any theft, loss or unauthorized use or disclosure of personal information in the custody or under the control of the institution if it is reasonable in the circumstances to believe that there is a real risk that a significant harm to an individual would result or if any prescribed circumstances exist. “Significant harm” would be defined to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Unless otherwise prohibited by law, the institution would also be required to notify affected individuals and inform them that they are entitled to make a complaint to the IPC. However, unlike in any other Canadian jurisdictions, the right to complain to the IPC about an institution’s breach would be limited to one year after the subject matter of the complaint first came to the attention of the complainant or should have reasonably come to the attention of the complainant, whichever is shorter, subject to limited exceptions to be made by the IPC. 

The factors to be considered when determining if there is a “real risk of significant harm” would include 

• The sensitivity of the personal information
• The probability that the personal information has been, is being or will be misused
• The availability of steps that the individual could take to
  • Reduce the risk of the harm occurring, or
  • Mitigate the harm should it occur
• Any direction, recommendation or guidance provided by the Commissioner pertaining to what constitutes a real risk of significant harm
• Any other prescribed factor

Institutions would also be required to keep a record of every theft, loss, or unauthorized use or disclosure of personal information reported to the IPC.  

New IPC Investigation Powers

Bill 194 would also provide the IPC with new power to conduct a review of the information practices of an institution if it has received a complaint following a report of a breach from an institution or where it has other reason to believe the institution is not meeting its obligations. Before conducting a review, the IPC may try to resolve the matter through mediation, conciliation or any other informal means of dispute resolution that the IPC considers appropriate.

If, after giving an opportunity to be heard to the institution, the IPC determines that an information practice contravenes its FIPPA obligations, the IPC may order the head to do any of the following:

• Discontinue the information practice
• Change the information practice as specified by the IPC
• Return, transfer or destroy personal information collected or retained under the information practice
• Implement a different information practice as specified by the IPC
• Make a recommendation in respect of how the information practice could be improved

However, the IPC would be unable to order more recommendations than reasonably necessary to achieve compliance. 

As noted above, these amendments would bring Ontario’s FIPPA closer into alignment with the recently amended public sector privacy statutes in Quebec and B.C. and would require institutions across Ontario to review and strengthen their privacy management frameworks.