In May 2024, the Ontario Government tabled Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024. If passed, this Bill will impose a number of sweeping changes to the privacy and cyber security landscape in Ontario.
There are two schedules to the Bill: Schedule I proposes the enactment of the Enhancing Digital Security and Trust Act, 2024 (the "EDSTA"), and Schedule II proposes amendments to the Ontario Freedom of Information and Privacy Act ("FIPPA").
Schedule I - Enhancing Digital Security and Trust Act, 2024
The EDSTA is divided into three major sections: Cyber Security, Use of Artificial Intelligence Systems, and Digital Technology Affecting Individuals Under Age 18. The EDSTA would apply to public sector entities under FIPPA, the Municipal Freedom of Information and Protection of Privacy Act, children's aid societies, and school boards (as defined in the Education Act). The EDSTA establishes a framework for the enactment of future regulations.
Cyber Security: the government may make regulations governing cyber security at public sector entities, including:
- the development and implementation of programs to ensure cyber security; and
- requiring reports to be submitted to the Minister regarding incidents related to cyber security and the prescribed forms and frequency of such reports.
The Minister may also make regulations regarding the technical standards that public sector entities must conform to with respect to cyber security.
Use of Artificial Intelligence Systems: public sector entities under this section will be required to:
- provide information to the public about their use of AI systems;
- develop and implement an accountability framework regarding the use of AI systems;
- take steps to manage risks associated with the use of AI systems; and
- use AI systems only in accordance with any prescribed requirements and not for any uses prohibited by regulations.
Additional requirements will be prescribed in future regulations.
Digital Technology Affecting Individuals Under Age 18: the government may make regulations impacting children's aid societies and school boards that will:
- prescribe the approach to collection, use retention and disclosure of digital information relating to individuals under age 18, including imposing prohibitions in circumstances that will also be prescribed); and
- require reports to be submitted to the Minister regarding the foregoing.
Additional technical requirements may be set out in future regulations.
Schedule II – Amendments to the Freedom of Information and Privacy Act
Currently, FIPPA applies to Ontario's provincial ministries and most provincial agencies, boards, and commissions, as well as community colleges, universities, and hospitals ("Institutions").
Bill 194 proposes new mandatory requirements for privacy impact assessments ("PIAs"), breach reporting obligations, and new powers for the Information and Privacy Commissioner of Ontario (the "IPCO").
Mandatory PIAs: Institutions will be required to prepare a written PIA before collecting personal information. Any such PIA is to include, among other things:
- the purpose for collecting, using, disclosing the personal information and an explanation of why the personal information is necessary to achieve that purpose;
- the legal authority for the intended collection, use and disclosure of the personal information;
- the types of personal information collected, and for each type, an indication of how the type of personal information is intended to be used or disclosed;
- any limitations or restrictions imposed on the collection, use, or disclosure of the personal information;
- the period of time that the personal information will be retained by the Institution;
- a description of the administrative, technical, and physical safeguards and practices to protect the personal information and a summary of any risks to the individuals in the event of theft, loss or unauthorized use or disclosure of the personal information;
- the steps to be taken by the Institution to prevent or reduce the risk of theft, loss or unauthorized use or disclosure of personal information and to mitigate the risk of such an occurrence; and
- any other information that may be prescribed.
In addition to the PIA requirements, the Bill proposes new mandatory breach reporting obligations. In circumstances where it is reasonable to believe there is a real risk that significant harm to an individual would result, Institutions will be required to notify the Information and Privacy Commissioner and any affected individuals, with additional requirements to be prescribed by regulation.
The Bill proposes to grant additional review powers for the IPCO in the case of a complaint by an affected individual, including a review of the information practices of an Institution. The Institution will have a corresponding duty to co-operate with and assist the conduct of the review. Following the review, the IPCO can only order no more than what is reasonably necessary to achieve compliance.
Next steps
The Bill is currently at the Second Reading stage with the debate deemed adjourned on May 28, 2024. After the debate, the Bill may proceed to either the Third Reading or be examined by a Standing or Select Committee. Thereafter, it may be directed to final debate and the Third Reading. If passed, the EDSTA will come into force on the day it receives Royal Assent.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.