The Government of Ontario recently introduced the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194) seeking to strengthen cybersecurity programs in the public sector and provide the groundwork for the responsible use of artificial intelligence (AI) among various public sector entities. If passed, Bill 194 will enact the Enhancing Digital Security and Trust Act, 2024 (the Act) and significantly amend the Freedom of Information and Protection of Privacy Act (FIPPA).
The Act and changes to FIPPA will have an important impact on provincial and municipal public services, as well as create new digital protections for children. We summarize the key features of the proposed Act and amendments to FIPPA below.
Enhancing Digital Security and Trust Act, 2024
The Act aims to mitigate risks associated with cybersecurity and AI systems within Ontario’s public sector. This includes organizations operating in Ontario’s critical public services such as those in the education, healthcare, and children’s services sectors.
Defining AI Systems
The Act formally defines “artificial intelligence systems” as “a machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments” (AI system).
Regulating Cybersecurity, AI, and Technology Affecting Minors in the Public Sector
While more detailed guidance has been reserved for subsequent regulations, the Act will create uniform cybersecurity and AI system requirements for organizations operating in Ontario’s public sector as follows:
Cybersecurity
- Obligations to develop, implement and govern cybersecurity programs with a corresponding incident reporting scheme; and
- Specific requirements for such cybersecurity programs including: defining roles and responsibilities, progress reporting, education and awareness initiatives, and response and recovery measures in relation to incidents.
AI
- Requirements for AI system usage, namely:
  - public disclosure of the AI system's development and use;
  - implementation of an accountability framework;
  - risk mitigation requirements; and
  - human oversight and governance of AI systems, including reporting mechanisms for their use.
Technology Affecting Minors
- Standards, restrictions and reporting obligations for digital technology that children’s aid societies and school boards make available to minors, including how that technology collects, uses, retains and discloses digital information.
Freedom of Information and Protection of Privacy Act
Bill 194 introduces significant changes to FIPPA, which governs how the Ontario government and prescribed public sector entities (“institutions”) collect, use and disclose personal information. Institutions will be required to adhere to the following new and expanded responsibilities. Notably, Bill 194 does not extend the same requirements to organizations governed by the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).
Obligation to Protect Personal Information
FIPPA regulations currently require institutions to take reasonable measures to protect records against unauthorized access or inadvertent destruction or damage. Bill 194 would expand institutions’ responsibilities for protecting personal information and safeguarding privacy by mandating that institutions protect personal information in their custody or control against theft, loss, unauthorized use or disclosure, and unauthorized modification, copying or disposal.
Privacy Impact Assessment (PIA)
Bill 194 will require institutions to conduct PIAs prior to collecting personal information. A PIA is a written assessment of prescribed considerations, including the purpose, legal authority, type, source, limitations, restrictions, period of retention and safeguards in place for collecting, processing, and disclosing personal information. Upon request, institutions will be required to provide the Information and Privacy Commissioner of Ontario (IPC) with copies of their PIAs.
Breach of Privacy Safeguards – Reporting and Notification Requirements
If passed, Bill 194 will impose mandatory privacy breach notification and reporting obligations on institutions that are consistent with those already imposed on private-sector organizations operating in the province.
Bill 194 adopts the “real risk of significant harm” threshold for notification and reporting of privacy breaches from the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the personal information practices of private-sector organizations operating in Ontario. Bill 194 also mirrors PIPEDA’s definition of “significant harm” and factors for assessing the real risk of significant harm, including the sensitivity of the personal information at issue and the probability of its misuse, as well as any direction or guidance issued by the IPC.
Where an institution determines that an incident presents a real risk of significant harm, it must report the matter to the IPC in the prescribed form and notify affected individuals “as soon as feasible.” The notification to individuals must include a statement informing them of their right to complain to the IPC within one year after the subject matter of the complaint came, or should reasonably have come, to their attention. Institutions will also be required to keep a record of every theft, loss or unauthorized use or disclosure of personal information, whether or not it met the reporting threshold, and the IPC will be empowered to compel production of that record upon request.
Expanded Powers of the IPC
Bill 194 gives the IPC a formalized power to review an institution’s information practices, either on the basis of a complaint or where the IPC believes an institution has not complied with the mandated privacy safeguards.
Before conducting a review, the IPC may attempt to resolve the matter through mediation, conciliation or any other informal means of dispute resolution it considers appropriate. If, after giving the institution an opportunity to be heard, the IPC determines that an information practice contravenes the protection of individual privacy, the IPC may order the institution to do any of the following, provided the order goes no further than is necessary to achieve compliance:
- Discontinue or change the information practice;
- Return, transfer or destroy personal information collected or retained under the information practice;
- Implement a different information practice; and
- Make a recommendation on how the information practice could be improved.
Consent for Retaining and Using “Customer Service Information”
Bill 194 requires consent for the retention and use of collected “customer service information,” the definition of which is expanded to include:
- Individual information such as sex, gender identity, preferred language, date of birth, email address or other contact information;
- Information provided by the service provider, including order status, shipping status, product identification number and expiry date; and
- Communication between the service provider organization and the individual.
Next steps
The Ontario government is currently seeking feedback on Bill 194. The comment period will remain open until June 11, 2024.