Canada | Publication | June 12, 2024
The Government of Ontario recently introduced the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194) seeking to strengthen cybersecurity programs in the public sector and provide the groundwork for the responsible use of artificial intelligence (AI) among various public sector entities. If passed, Bill 194 will enact the Enhancing Digital Security and Trust Act, 2024 (the Act) and significantly amend the Freedom of Information and Protection of Privacy Act (FIPPA).
The Act and changes to FIPPA will have an important impact on provincial and municipal public services, as well as create new digital protections for children. We summarize the key features of the proposed Act and amendments to FIPPA below.
The Act aims to mitigate risks associated with cybersecurity and AI systems within Ontario’s public sector. This includes organizations operating in Ontario’s critical public services such as those in the education, healthcare, and children’s services sectors.
Defining AI Systems
The Act formally defines “artificial intelligence systems” as “a machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments” (AI system).
Regulating Cybersecurity, AI, and Technology Affecting Minors in the Public Sector
While more detailed guidance has been reserved for subsequent regulations, the Act will create uniform cybersecurity and AI system requirements for organizations operating in Ontario’s public sector as follows:
Cybersecurity
AI
Technology Affecting Minors
Bill 194 introduces significant changes to FIPPA, which governs how the Ontario government and prescribed public sector entities (“institutions”) collect, use and disclose personal information. Institutions will be required to adhere to the following new and expanded responsibilities. Notably, Bill 194 does not extend the same requirements to organizations governed by the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).
Obligation to Protect Personal Information
FIPPA regulations require that institutions take reasonable measures to protect records against unauthorized access or inadvertent destruction or damage.[2] Bill 194 would expand institutions’ responsibilities for personal information protection and safeguarding privacy by mandating that institutions protect personal information in their custody or control against theft, loss, unauthorized use or disclosure, as well as unauthorized modification, copying or disposal.
Privacy Impact Assessment (PIA)
Bill 194 will require institutions to conduct PIAs prior to collecting personal information. A PIA is a written assessment of prescribed considerations, including the purpose, legal authority, type, source, limitations, restrictions, period of retention and safeguards in place for collecting, processing, and disclosing personal information. Upon request, institutions will be required to provide the Information and Privacy Commissioner of Ontario (IPC) with copies of their PIAs.
Breach of Privacy Safeguards – Reporting and Notification Requirements
If passed, Bill 194 will impose mandatory privacy breach notification and reporting obligations on institutions consistent with the requirements of private-sector organizations operating in the province.
Bill 194 adopts the “real risk of significant harm” threshold for notification and reporting of privacy breaches from the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the personal information practices of private-sector organizations operating in Ontario. Bill 194 also mirrors PIPEDA’s definition of “significant harm” and factors for assessing the real risk of significant harm, including the sensitivity of the personal information at issue and the probability of its misuse, as well as any direction or guidance issued by the IPC.
When it is determined that a real risk of significant harm is presented by an incident, the institution is required to report the matter to the IPC in a prescribed form and notify affected individuals “as soon as feasible.” Notification to individuals will be required to include a statement informing them of their right to make a complaint to the IPC within one year after the subject matter of the complaint came to or should reasonably have come to their attention. Additionally, institutions will be required to keep a record of every reported theft, loss or unauthorized use or disclosure of personal information. The IPC will be empowered to compel institutions to produce a copy of that record upon request.
Expanded Powers of the IPC
Bill 194 provides the IPC with the formalized power to review an institution’s information practices on the basis of a complaint or if the IPC believes an institution has not complied with the mandated privacy safeguards.
Before conducting a review, the IPC may try to resolve the matter through mediation, conciliation or any other informal means of dispute resolution the IPC considers appropriate. If, after giving the institution an opportunity to be heard, the IPC determines an information practice contravenes the protection of individual privacy, the IPC may order the institution to do any of the following, provided it is not more than what is necessary to achieve compliance:
Consent for Retaining and Using “Customer Service Information”
Bill 194 requires consent for the retention and use of collected “customer service information,” the definition of which is expanded to include:
The Ontario government is currently seeking feedback on Bill 194. The comment period will remain open until June 11, 2024.
[2] See the General Regulation under FIPPA ss. 4(1) and 4(3)
© Norton Rose Fulbright LLP 2023