Ontario’s Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, received Royal Assent in November 2024 after swiftly advancing through the legislative process. Bill 194 amends the provincial Freedom of Information and Protection of Privacy Act (“FIPPA”) and introduces the new Enhancing Digital Security and Trust Act, 2024 (“Digital Security Act”). Together, these legislative changes create significant new obligations for Ontario’s public sector institutions concerning cybersecurity, privacy, and the use of artificial intelligence (“AI”) systems.
Bill 194: A Brief History
The version of Bill 194 that received Royal Assent closely mirrors the draft introduced in May 2024. The only notable modification is that the Legislative Assembly of Ontario (“LAO”) has been explicitly excluded from the definition of “public sector entities” under the Digital Security Act, so the LAO is not subject to the new cybersecurity and AI system requirements.
It is also important to note that while the Office of the Information and Privacy Commissioner of Ontario (“IPC”) submitted extensive feedback during the public consultation period, its concerns were not addressed in the final version of Bill 194.
Summary of Key Amendments
As highlighted in our previous article from May 2024, Bill 194 introduces several key changes to FIPPA, including:
- The requirement for privacy impact assessments (“PIAs”) before collecting personal information;
- The introduction of statistical breach reporting obligations;
- Mandatory breach notification requirements;
- Expansion of the IPC’s powers;
- Whistleblower protections;
- Improved ServiceOntario customer service experience through consent-based “tell us once” capabilities.
Some of the FIPPA amendments came into force on January 29, 2025, including the whistleblower protections. Other amendments, including the mandatory PIA and breach notification obligations, will come into force on July 1, 2025.
Additionally, the Digital Security Act introduces specific obligations for children’s aid societies, school boards, and institutions governed by FIPPA and its municipal counterpart, the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”), including:
- Enhanced cybersecurity and cyber resilience requirements, to be defined by regulation;
- Regulation of the use of AI systems by public institutions; and
- Stronger protections for children’s personal information processed by school boards and children’s aid societies.
The new Digital Security Act came into force on January 29, 2025.
Proactive compliance
Many of the obligations introduced by Bill 194 reflect established best practices or align with requirements in other jurisdictions. Others, such as the forthcoming regulations governing AI systems, are novel. Although some of the FIPPA amendments will not come into force until July 2025, and many details of institutions’ cybersecurity and AI obligations are yet to be set by regulation, public bodies can begin preparing for compliance now.
For example, provincial institutions can start by developing policies and procedures for conducting PIAs, enhancing their privacy management programs, and implementing procedures for identifying, assessing, reporting, and tracking privacy breaches.
Similarly, although municipal institutions are not subject to FIPPA amendments, they should consider how the new obligations would affect their operations, as similar amendments to MFIPPA may be forthcoming (notably, the Information and Privacy Commissioner of Ontario has been advocating for such changes).
In addition, institutions subject to M/FIPPA (excluding the LAO), along with children’s aid societies and school boards, must, if they have not already done so, assess their compliance with the new obligations under the Digital Security Act by identifying, evaluating, and implementing risk-mitigation strategies for their use of AI systems. This includes developing and implementing AI policies and preparing the related public notices. Pending the regulations that will set the specific cybersecurity requirements, institutions should also ensure they have robust safeguards in place, such as encryption of data at rest and in transit, identity and access management controls, patch management processes, and network segmentation. Finally, institutions should conduct regular assessments to confirm these safeguards remain effective over time, since the regulations may require them to demonstrate as much.
Implications for the Private Sector
While private sector organizations are not directly impacted by Bill 194, it is worthwhile to monitor developments regarding these amendments and any forthcoming regulations. Understanding the evolving requirements for public sector institutions will allow private organizations to anticipate how their dealings with public institutions may be affected.
In addition, private sector organizations doing business with public sector organizations should expect those organizations to begin flowing many of these new requirements down to their vendors through contract terms. Private sector organizations should consider whether they are in a position to comply with any terms that may be passed through to them.