20 August 2024

Ontario Bill 194: Amendments To Reporting Requirements And Expanding Power For The Privacy Impact Assessment

McCarthy Tétrault LLP


McCarthy Tétrault LLP provides a broad range of legal services, advising on large and complex assignments for Canadian and international interests. The firm has substantial presence in Canada’s major commercial centres and in New York City, US and London, UK.

Amendments to FIPPA

The second schedule of Bill 194 has a narrower scope than the first one, as it only amends FIPPA and does not apply to entities covered by MFIPPA.

New obligation to protect personal information

FIPPA does not currently require government "institutions" to protect personal information as such. Rather, it requires that they ensure reasonable measures are taken to prevent unauthorized access to, and destruction of or damage to, the institution's records. Bill 194 greatly expands that obligation by requiring that institutions take reasonable measures to protect personal information in their custody against theft, loss, unauthorized use or access, and unauthorized modification, copying and disposal.

Reporting and notifying requirement

Bill 194 creates a reporting and notification scheme that is similar to the one that applies to private-sector organizations in Ontario that are subject to PIPEDA. Notably, it adopts the "real risk of significant harm" ("RROSH") threshold. Some factors used to assess the RROSH threshold are similar to those under PIPEDA, most notably the sensitivity of the personal information and the probability of its misuse. Additional factors under the Bill include the steps to be taken to reduce the risk of the harm, and any guidance or directions from the Commissioner pertaining to what constitutes a RROSH. This last factor effectively delegates power to the IPC to refine the meaning of a RROSH over time.

If such a breach occurs and there is a RROSH, the institution must report the matter to the IPC and notify the affected individuals as soon as feasible with specific information that will be determined by regulations.

We already know that the right to make a complaint to the IPC will be part of the content to be included in a breach notification. It is worth noting that the affected individuals' right to complain will be subject to a one-year time limit, which starts running once the subject matter of the complaint comes to their attention.

Privacy Impact Assessment (PIA)

Bill 194 will also require institutions to conduct PIAs prior to collecting personal information, unless regulations provide otherwise. The PIAs will include, in particular:

  • The purpose for which personal information is intended to be collected, used and disclosed, and why the collection is necessary for that purpose.
  • The legal authority for the collection, use and disclosure.
  • The types of personal information collected and an indication of how it will be used or disclosed.
  • The position titles of the individuals who will have access to it.
  • The time period for its retention.
  • An explanation of the safeguards used to protect it.

Expanded powers for the IPC

Finally, Bill 194's amendment to FIPPA bolsters the IPC's role as regulator by providing it with order-granting powers. It provides that the IPC can review an institution's compliance if it believes the institution might not be applying the mandated safeguards, or on the basis of a complaint. If non-compliance is confirmed after an investigation, the IPC may order the institution to:

  • Discontinue the information practice or implement a different one.
  • Return, transfer or destroy personal information collected or retained under the information practice.
  • Act on a recommendation as to how the information practice could be improved.

The IPC cannot order more than what is necessary to achieve compliance, demonstrating that Ontario's framework does not take a punitive approach.

Interestingly, the Bill formally encourages collaboration with other privacy commissioners in Canada by specifically enabling the IPC to consult and coordinate activities with them, and to jointly handle investigations in which they share an interest. Following the collaborative launch of the principles for the responsible development and use of generative AI by Canada's privacy commissioners, we can look forward to more joint initiatives in the coming years.

Conclusion

If passed, Bill 194 will force public sector institutions to strengthen their privacy management practices and may significantly impact the development of public sector AI and cybersecurity initiatives over the coming months and years. As the Bill is still only in second reading, next steps will involve monitoring


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
