Ontario Introduces Bill 194 to address cyber security in the public sector

18 June 2024

On May 13, 2024, the Government of Ontario tabled Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024. The Bill proposes the Enhancing Digital Security and Trust Act, 2024 ("EDSTA"), and seeks to amend the Freedom of Information and Protection of Privacy Act ("FIPPA").

The Bill proposes no changes to the Municipal Freedom of Information and Protection of Privacy Act ("MFIPPA") or Personal Health Information Protection Act ("PHIPA"), but the EDSTA would apply to municipal public sector institutions.

The Enhancing Digital Security and Trust Act, 2024 (EDSTA)

Schedule 1 of Bill 194 would enact the EDSTA. As proposed, the EDSTA would introduce new requirements across the public sector regarding cyber security, artificial intelligence (AI) and technology affecting minors (defined as individuals under the age of 18). The EDSTA would apply to all institutions covered by FIPPA and MFIPPA, as well as children's aid societies and school boards.

While the EDSTA establishes a framework for regulating AI and cyber security in the public sector, many of its key provisions are left to be substantiated by future regulations.

Cyber security

The EDSTA would allow the government to create regulations requiring public sector entities to develop and implement cyber security programs. Regulations may prescribe specific elements that must be included in such programs, including:

  • Internal roles and responsibilities within the entity to ensure cyber security.
  • Procedures for reporting progress with respect to ensuring cyber security.
  • Public education and awareness.
  • Response and recovery measures following a cyber security incident.
  • Program oversight.

The Minister of Public and Business Service Delivery ("the Minister") may also make regulations setting technical standards or establishing directives with respect to cyber security programs.

Regulations may require public sector entities to submit reports to the Minister or any other prescribed person when incidents relating to cyber security occur. Note that "incidents relating to cyber security" are undefined, but are distinct from privacy breaches. Accordingly, this reporting requirement would likely be triggered by a lower threshold than privacy breach notification obligations under FIPPA (described below).

Artificial intelligence

Artificial intelligence requirements under the EDSTA would apply to public sector entities that use or intend to use AI systems prescribed by regulation. Entities that are subject to such regulations would be required to:

  • Provide information to the public about their use of AI systems.
  • Develop and implement an accountability framework applicable to their use of AI systems.
  • Take steps to manage risks associated with the use of AI systems.
  • Not use artificial intelligence systems in a manner prohibited by regulations.

In addition to these general requirements prescribed by future regulations, entities that use or intend to use AI systems will be required to appoint an individual to be responsible for oversight of AI systems within the entity.

Additionally, the Minister may make regulations setting technical standards for the use of AI systems.

Technology affecting minors

Under the EDSTA, the government may make regulations regarding the processing of "prescribed digital information" of individuals under the age of 18 (minors) by children's aid societies and school boards. Future regulations would establish what constitutes "prescribed digital information."

Regulations may be enacted to:

  • Determine the manner in which prescribed digital information may be collected, used, retained, or disclosed.
  • Require that entities provide reports to the Minister or other prescribed person on their collection, use, retention and disclosure of prescribed digital information.
  • Prohibit the processing of digital information of minors in prescribed circumstances or for prescribed purposes.

The Minister may make regulations setting technical standards that school boards and children's aid societies must comply with when processing digital information of minors, and prescribe the digital technology that may be made available for use by minors.

Updates to the Freedom of Information and Protection of Privacy Act (FIPPA)

Schedule 2 of Bill 194 proposes a series of amendments to FIPPA. Updates to FIPPA relate to mandatory privacy impact assessments (PIAs), breach reporting obligations, and new powers for the Information and Privacy Commissioner of Ontario (IPC).

PIAs

Bill 194 proposes a new requirement for institutions to complete written PIAs prior to collecting personal information. A compliant PIA must contain:

  1. The purpose for which the personal information is intended to be collected, used and disclosed, as applicable, and an explanation of why the personal information is necessary to achieve the purpose.
  2. The legal authority for the intended collection, use and disclosure of the personal information.
  3. The types of personal information that is intended to be collected and, for each type of personal information collected, an indication of how the type of personal information is intended to be used or disclosed.
  4. The sources of the personal information that is intended to be collected.
  5. The position titles of the officers, employees, consultants or agents of the institution who will have access to the personal information.
  6. Any limitations or restrictions imposed on the collection, use or disclosure of the personal information.
  7. The period of time that the personal information would be retained by the institution.
  8. An explanation of the administrative, technical and physical safeguards and practices that would be used to protect the personal information and a summary of any risks to individuals in the event of a theft, loss or unauthorized use or disclosure of the personal information.
  9. The steps to be taken by the institution:
     i. To prevent or reduce the likelihood of a theft, loss or unauthorized use or disclosure of personal information from occurring.
     ii. To mitigate the risks to individuals in the event of such an occurrence.
  10. Such other information as may be prescribed.

Under Bill 194, institutions must keep PIAs up to date, and must provide a copy of the PIA to the IPC upon request.

Breach notification and reporting

Bill 194 introduces a mandatory obligation for institutions to notify the IPC and affected individuals of privacy breaches, being "any theft, loss or unauthorized use or disclosure of personal information in the custody or under the control of the institution." Future regulations would prescribe the form and content of breach notifications, but Bill 194 states that notifications must contain a statement that affected individuals are entitled to make a complaint to the IPC.

Bill 194 establishes a "reasonable risk of significant harm" (RROSH) threshold for notification and reporting obligations. Institutions must notify the IPC and affected individuals only when there is a reasonable risk that significant harm to an individual would occur in the circumstances.

The Bill requires institutions to maintain records of every theft, loss or unauthorized use or disclosure of personal information that they report to the IPC.

Powers of the IPC

Bill 194 proposes enhanced oversight and enforcement powers for the IPC. This includes powers to review the information practices of institutions following a complaint, or if the IPC has reason to believe that non-compliance with FIPPA has occurred. The IPC may exercise investigatory powers to order production of records, and issue compliance orders at the conclusion of its review. Institutions would have a duty to assist IPC reviews pursuant to amendments under Bill 194.

The Bill introduces protections for whistleblowers, requiring the IPC to keep confidential the identity of individuals who notify the IPC of their reasonable belief that an institution has contravened FIPPA.

The IPC would have authority under amendments proposed in Bill 194 to consult with a law enforcement officer or any person who has powers, duties and functions similar to those of the IPC with respect to the protection of personal information.

Next steps

Bill 194 is currently at Second Reading in the Legislative Assembly of Ontario. The Legislative Assembly has risen for the summer and is not scheduled to return until October 21, 2024.

The initial public consultation period for Bill 194, during which the public was invited to submit comments to the Government of Ontario on the Bill, closed on June 11, 2024.


NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.