The privacy legislation currently governing the public sector in Ontario, the Freedom of Information and Protection of Privacy Act (FIPPA), can charitably be described as a “light touch”. However, it appears change is coming. On May 13, 2024, the Ontario government introduced Bill 194, An Act to enact the Enhancing Digital Security and Trust Act, 2024 and to make amendments to the Freedom of Information and Protection of Privacy Act respecting privacy protection measures. If passed, this Bill will give FIPPA a modern makeover. It will also enact a new law, the Enhancing Digital Security and Trust Act, 2024, relating to cybersecurity and artificial intelligence.
Key features of the proposed FIPPA amendments include:
- Privacy Impact Assessments (PIAs). Bill 194 proposes to amend section 38 of FIPPA to include a requirement for institutions to conduct PIAs. Specifically, there will be a requirement to prepare a “written assessment” before collecting personal information that addresses standard PIA topics such as:
  - purpose for collection, use and disclosure;
  - legal authority;
  - types of personal information being collected and the source;
  - a description of the types of individuals who will have access to the personal information;
  - retention period;
  - description of safeguards that will be used to protect the personal information; and
  - any risk mitigation plan (and a requirement that mitigation activities be completed before the collection occurs, or if that is not possible, within a reasonable period of time).
Any such assessment will have to be updated in the event of a “significant” change to the purpose for the collection, use or disclosure, and the regulator, the Information and Privacy Commissioner of Ontario (IPC), can request a copy of these assessments.
- An obligation to implement “reasonable” safeguards to protect personal information. FIPPA, by way of Regulation 460, currently requires institutions to “…ensure that reasonable measures to prevent unauthorized access to the records are defined, documented and put in place…”.[1] The proposed amendment moves this requirement into the Act itself, creates a more comprehensive scheme, and broadens the requirement so that it covers a larger range of internal and external threats (e.g., theft, unauthorized disposal), not only unauthorized access.
- Mandatory breach reporting, to both the IPC and the affected individual, in the event of a breach causing a “real risk of significant harm” to the individual. This amendment would codify the obligation to notify, which is currently considered a best practice, and would provide additional clarity on how to determine the circumstances in which notification is appropriate.
- Enhanced powers for the IPC to review the information practices of public sector entities and make orders to address any identified deficiencies.
These proposed amendments generally reflect standard privacy practices and, as such, are unlikely to be controversial. Many public sector organizations have already adopted most of these practices to align with best practices, though not necessarily to the level outlined in the bill. However, if passed, there will be no ambiguity about expectations and, importantly, the IPC will be empowered to enforce these expectations in a way that it currently cannot.
There is also a proposed whistleblowing provision that would apply to “data integration units” which are entities (or divisions of entities) that can collect, use and disclose personal information for the purpose of analysing the allocation of government resources and/or to facilitate planning and evaluation of government programs. This proposed protection will supplement an already robust legal framework for these entities, which is appropriate given the volume of personal information they can handle, and the fact that they break down the types of information silos that FIPPA was, in many ways, designed to create.
In an interesting and welcome move, a proposed amendment to section 59 specifically authorizes the IPC to collaborate with other privacy commissioners across Canada (and law enforcement) in respect of complaints, research or guidelines, model contracts, or procedures. Given the challenges related to the interoperability of Canada’s patchwork of privacy laws, this could be a very impactful development and, if passed, it will be interesting to see how it gets used.
Finally, Bill 194 proposes to amend aspects of the regime, set out in section 65.1 of FIPPA, related to “service provider organizations”, which are described in section 17.1 of the Ministry of Government Services Act (e.g., ServiceOntario). In the announcement on Bill 194, the government framed the objective of these changes as follows: “Updating Ontario’s legislative framework to modernize digital service delivery will offer those who provide consent to benefit from ‘tell-us-once’ features, like pre-populated fields and communications preferences, so they don’t need to restate their information every time they interact with the government.”
We will monitor Bill 194 as it makes its way through the legislative process.
Stay tuned for Bill 194, Part II: the Enhancing Digital Security and Trust Act, 2024.
[1] General, RRO 1990, Reg 460, s. 4(1)