On May 13, 2024 Ontario introduced Bill 194, the Strengthening Cyber Security and Building Digital Trust in the Public Sector Act, 2024 (“Act”). If passed, the Act will amend Ontario’s Freedom of Information and Protection of Privacy Act (“FIPPA”) and create a new Enhancing Digital Security and Trust Act, 2024 (“Digital Security Act”). In doing so, the Act would modernize provincial public sector privacy laws, impose new cybersecurity requirements on the public sector, set standards for responsible use of artificial intelligence (AI) by government, strengthen safeguards for the use by the public sector of children’s personal information, and improve customer service delivery within the public sector.
The Government is soliciting feedback on Bill 194, and the comment period ends on June 11, 2024.
While many details are vague at this time due to the Act’s heavy reliance on regulation-making authority, the following is an overview of the key changes proposed and the potential impact for public sector organizations and their partners in the private sector.
Amending FIPPA
The proposed FIPPA amendments are similar to those seen in British Columbia and Quebec’s public sector privacy legislation. Specifically, FIPPA would be updated in the following ways:
1) Increase institutions’ responsibilities by, for example, formalizing privacy impact assessment requirements, establishing mandatory breach statistical reporting to the Information and Privacy Commissioner of Ontario (“IPC”), and creating requirements for mandatory privacy breach notification to the IPC and affected parties using a “real risk of significant harm” threshold;
2) Expand the IPC’s authority to proactively investigate and respond to privacy breaches; and
3) Introduce protections for whistleblowers who report concerns to the IPC.
Additional amendments are aimed at improving ServiceOntario’s customer service experience by introducing a consent-based “tell us once” feature. This would allow government service forms to be pre-populated with certain “customer service information” (such as name, sex, gender identity, dates of birth, language preferences, and contact information), thereby expediting interactions with ServiceOntario and minimizing the risk of errors that can arise by repeatedly inputting information.
Notably, these amendments will only apply to public sector entities that are “institutions” covered by FIPPA, including provincial Ministries, hospitals, colleges and universities. The amendments do not extend to FIPPA’s municipal counterpart, the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”).
Introducing the Digital Security Act
In contrast to the FIPPA amendments discussed above, the jurisdiction of the proposed Digital Security Act is broader in scope. This legislation would apply to institutions under FIPPA and its municipal counterpart, MFIPPA (including municipalities, transit commissions, and police service boards), as well as children’s aid societies and school boards throughout the province.
The Digital Security Act is predominantly geared toward achieving the following three objectives throughout the public sector:
1) Enhancing cybersecurity and cyber resilience
The Digital Security Act provides the Lieutenant Governor in Council regulation-making authority pertaining to cybersecurity matters, such as governance program requirements, technical standards, and mandatory cyber incident reporting obligations. The government has indicated that these requirements would be aimed at regulating sector-specific cybersecurity matters for certain, more vulnerable, public sector entities, such as hospitals, schools, and children’s aid societies.
2) Improving privacy protections for children’s personal information
The Digital Security Act empowers the Lieutenant Governor in Council to pass regulations that protect data that is created when individuals under the age of 18 interact with schools and children’s aid societies. For example, such regulations could prevent the sale of children’s data for predatory marketing practices by third parties, impose age-appropriate standards relating to software on school-issued devices, such as school tablets and laptops, and impose technical standards that must be met when schools and children’s aid societies collect, use, and disclose children’s data.
3) Laying the foundation for ethical use of AI
The proposed legislation defines AI in a manner consistent with how the term is defined in other leading jurisdictions, such as the EU. Specifically, AI is defined as:
a machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments, and such other systems as may be prescribed.
The Digital Security Act contains broad regulation-making authority in respect of public sector entities’ use of AI. For example, the Lieutenant Governor in Council could establish regulations regarding the public sector’s transparency, accountability, and risk management obligations, the technical standards that the public sector will need to conform to when using AI, and prohibitions on the use of AI.
Takeaways
Bill 194 proposes significant amendments to the regulatory regime governing personal information in Ontario, and has the potential for additional requirements addressing AI, children’s privacy, and cybersecurity to be implemented through future regulations. Some of the proposed changes mirror those seen in Quebec and British Columbia, such as whistleblower protections and mandatory breach notification where an incident gives rise to a real risk of significant harm, while others are more novel in nature, such as those providing for sector-specific AI regulation.
If passed, public entities across Ontario will be required to review and update their existing privacy and cybersecurity practices, and re-evaluate their use of AI. The ripple effects will also be felt by private sector entities that provide services to, or otherwise partner with, the public sector.
The comment period for Bill 194 ends on June 11, 2024. Comments may be submitted here.
For more information on privacy policies and breaches, please reach out to Jaime Cardy or any member of Dentons’ Privacy and Cybersecurity group.