Michael Walsh
Associate
Article
On May 13, 2024, the Government of Ontario tabled Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024. The Bill proposes the Enhancing Digital Security and Trust Act, 2024 ("EDSTA"), and seeks to amend the Freedom of Information and Protection of Privacy Act ("FIPPA").
The Bill proposes no changes to the Municipal Freedom of Information and Protection of Privacy Act ("MFIPPA") or Personal Health Information Protection Act ("PHIPA"), but the EDSTA would apply to municipal public sector institutions.
Schedule 1 of Bill 194 would enact the EDSTA. As proposed, the EDSTA would introduce new requirements across the public sector regarding cyber security, artificial intelligence (AI) and technology affecting minors (defined as individuals under the age of 18). The EDSTA would apply to all institutions covered by FIPPA and MFIPPA, as well as children's aid societies and school boards.
While the EDSTA establishes a framework for regulating AI and cyber security in the public sector, many of its key provisions are left to be substantiated by future regulations.
Cyber security
The EDSTA would allow the government to create regulations requiring public sector entities to develop and implement cyber security programs. Regulations may prescribe specific elements that must be included in such programs, including:
The Minister of Public and Business Service Delivery ("the Minister") may also make regulations setting technical standards or establishing directives with respect to cyber security programs.
Regulations may require public sector entities to submit reports to the Minister or any other prescribed person when incidents relating to cyber security occur. Note that "incidents relating to cyber security" are undefined, but are distinct from privacy breaches. Accordingly, this reporting requirement would likely be triggered by a lower threshold than privacy breach notification obligations under FIPPA (described below).
Artificial intelligence
Artificial intelligence requirements under the EDSTA would apply to public sector entities that use or intend to use AI systems prescribed by regulation. Entities that are subject to such regulations would be required to:
In addition to these general requirements prescribed by future regulations, entities that use or intend to use AI systems will be required to appoint an individual to be responsible for oversight of AI systems within the entity.
Additionally, the Minister may make regulations setting technical standards for the use of AI systems.
Technology affecting minors
Under the EDSTA, the government may make regulations regarding the processing of "prescribed digital information" of individuals under the age of 18 (minors) by children's aid societies and school boards. Future regulations would establish what constitutes "prescribed digital information."
Regulations may be enacted to:
The Minister may make regulations setting technical standards that school boards and children's aid societies must comply with when processing digital information of minors, and prescribe the digital technology that may be made available for use by minors.
Schedule 2 of Bill 194 proposes a series of amendments to FIPPA. Updates to FIPPA relate to mandatory privacy impact assessments (PIAs), breach reporting obligations, and new powers for the Information and Privacy Commissioner of Ontario (IPC).
PIAs
Bill 194 proposes a new requirement for institutions to complete written PIAs prior to collecting personal information. A compliant PIA must contain:
Under Bill 194, institutions must keep PIAs up to date, and must provide a copy of the PIA to the IPC upon request.
Breach notification and reporting
Bill 194 introduces a mandatory obligation for institutions to notify the IPC and affected individuals of privacy breaches, being "any theft, loss or unauthorized use or disclosure of personal information in the custody or under the control of the institution." Future regulations would prescribe the form and content of breach notifications, but Bill 194 states that notifications must contain a statement that affected individuals are entitled to make a complaint to the IPC.
Bill 194 establishes a "reasonable risk of significant harm" (RROSH) threshold for notification and reporting obligations. Institutions must notify the IPC and affected individuals only when there is a reasonable risk that significant harm to an individual would occur in the circumstances.
The Bill requires institutions to maintain records of every theft, loss or unauthorized use or disclosure of personal information that they report to the IPC.
Powers of the IPC
Bill 194 proposes enhanced oversight and enforcement powers for the IPC. This includes powers to review the information practices of institutions following a complaint, or if the IPC has reason to believe that non-compliance with FIPPA has occurred. The IPC may exercise investigatory powers to order production of records, and issue compliance orders at the conclusion of its review. Institutions would have a duty to assist IPC reviews pursuant to amendments under Bill 194.
The Bill introduces protections for whistleblowers, requiring the IPC to keep confidential the identity of individuals who notify the IPC of their reasonable belief that an institution has contravened FIPPA.
The IPC would have authority under amendments proposed in Bill 194 to consult with a law enforcement officer or any person who has powers, duties and functions similar to those of the IPC with respect to the protection of personal information.
Bill 194 is currently at Second Reading in the Legislative Assembly of Ontario. The Legislative Assembly has risen for the summer and is not scheduled to return until October 21, 2024.
The initial public consultation period for Bill 194, during which the public was invited to submit comments to the Government of Ontario on the Bill, closed on June 11, 2024.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.