Earlier this year, the Ontario government introduced Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, aimed at strengthening digital infrastructure and data privacy protections within public entities and services in Ontario. The Bill is now at second reading. If passed, Schedule 1 of Bill 194 would enact the Enhancing Digital Security and Trust Act, 2024 ("EDSTA"), and Schedule 2 would enact changes to the Freedom of Information and Protection of Privacy Act ("FIPPA").
The EDSTA would allow the government, by regulation, to:
- Require public sector entities to develop and implement cyber security programs, and submit reports on cyber security.
- Regulate how public sector entities, identified by regulation, use artificial intelligence ("AI") systems.
- Allow the government to make regulations on how children's aid societies and school boards collect, use, retain or disclose digital information relating to individuals under age 18.
The amendments to FIPPA would:
- Require institutions to conduct privacy impact assessments ("PIAs") before collecting personal information.
- Mandate that public institutions report privacy breaches to the Information and Privacy Commissioner of Ontario ("IPC") and notify affected individuals.
- Increase the IPC's investigative powers with respect to the information practices of public institutions.
- Create a new whistleblowing framework to report contraventions of FIPPA to the IPC confidentially.
- Expand FIPPA's offences provisions to include contraventions with respect to the collection and use of personal information, in addition to the disclosure of personal information.
As described in this bulletin, the important requirements introduced by Bill 194 would, if passed into law, represent a very significant change to the legal regimes governing public entities in Ontario. In addition, given the myriad other ongoing law reform initiatives aimed at privacy, cyber security and AI in Canada and abroad, public sector entities outside of Ontario should bear in mind the requirements of Bill 194 and anticipate that similar legislation may follow in other provinces.
Enhancing Digital Security and Trust Act, 2024
EDSTA creates a framework to govern cyber security and the use of AI systems. It applies to both provincial institutions under FIPPA and municipal institutions under the Municipal Freedom of Information and Protection of Privacy Act ("MFIPPA"), as well as children's aid societies and school boards.
While the details of this new framework are left to future regulations, whether issued by the Lieutenant Governor in Council or the Minister of Public and Business Service Delivery (the "Minister"), or to future directives issued by the Minister, EDSTA's provisions send a clear signal as to the sorts of obligations that are on the horizon for public sector entities in Ontario.
Cyber Security
EDSTA allows the Lieutenant Governor in Council to make regulations governing cyber security at public sector entities. These regulations may require public sector entities to:
- develop and implement programs for ensuring cyber security – and may prescribe elements that must be part of those programs, such as:
  - roles and responsibilities of specified individuals within the public sector entity relating to ensuring cyber security;
  - reporting on the entity's progress with respect to ensuring cyber security;
  - cyber security education and awareness measures;
  - response and recovery measures for cyber security incidents; and
  - oversight measures for implementation of the program; and
- submit reports of cyber security incidents to the Minister or a specified individual (including the form and frequency of reports), which may vary across different types of incidents.
In addition, the Minister is empowered to: (a) make regulations setting cyber security technical standards for public sector entities; and (b) issue mandatory directives to public sector entities respecting cyber security (whether of general application or targeted to categories of entities).
Artificial Intelligence Systems
EDSTA broadly defines "artificial intelligence system" as "a machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments" and includes any other systems as may be prescribed in regulations.
EDSTA applies to the use of both publicly available AI systems (e.g., ChatGPT) and systems developed by or on behalf of the public sector entity.
EDSTA will require public sector entities that use, or intend to use, an AI system to:
- provide information to the public about their use of the AI system;
- develop and implement an accountability framework respecting their use of the AI system (which may require roles and responsibilities for specified individuals);
- take steps to manage risks associated with the use of the AI system (which may include reporting and record-keeping);
- use (or not use) the AI system in accordance with any prescribed requirements;
- disclose information about their use of the AI system; and
- ensure that an individual exercises oversight of the use of the AI system, and make available any additional information that individual is required to provide (which may include publishing how inquiries may be made about the entity's use of such systems).
The specific public sector entities that are subject to the above, and the circumstances and manner in which the above requirements apply, will be set out in future regulations made by the Lieutenant Governor in Council – along with more general regulations governing the use of AI systems by public sector entities. In addition, the Minister may make regulations setting technical standards that certain public sector entities must conform to in their use of artificial intelligence systems.
Digital Technology Affecting Minors
EDSTA allows the Lieutenant Governor in Council to make regulations governing how children's aid societies and school boards collect, use, retain or disclose digital information relating to individuals under age 18. These regulations may include requirements to submit reports to the Minister, and may prohibit the collection, use, retention or disclosure of certain digital information about minors.
In addition, the Minister may: (a) make regulations setting technical standards for children's aid societies and school boards, and how they collect, use, retain and disclose digital information about minors; and (b) make regulations and issue directives as to what digital technology can be made available to minors by children's aid societies and school boards.
It is important to note that the above requirements relating to digital technology affecting minors would apply to persons acting on behalf of children's aid societies and school boards. This means that businesses that develop or license technologies, or provide digital technology solutions, to children's aid societies and school boards should expect to be affected by the requirements.
No Private Law Duty of Care
EDSTA expressly provides that nothing in the Act or any regulation or directive made under the Act establishes a private law duty of care. This protects public sector entities from legal claims that are based on a failure to comply with EDSTA, or regulations or directives made or issued under that Act. It is important to note that this does not insulate public sector entities from litigation, generally.
Amendments to the Freedom of Information and Protection of Privacy Act
Bill 194 proposes to amend FIPPA's privacy provisions to add new privacy obligations, and to increase the IPC's investigative powers.
Privacy Impact Assessment
FIPPA will require written PIAs to be conducted before provincial institutions collect personal information. PIAs must contain:
- the purpose for which the personal information is intended to be collected, used and disclosed, as applicable;
- an explanation of why the personal information is necessary to achieve that purpose;
- the legal authority for the intended collection, use and disclosure of the personal information;
- the types of personal information that are intended to be collected and, for each type of personal information collected, an indication of how the type of personal information is intended to be used or disclosed;
- the sources of the personal information that is intended to be collected;
- the titles of the officers, employees, consultants or agents of the institution who will have access to the personal information;
- any limitations or restrictions imposed on the collection, use or disclosure of the personal information;
- how long the personal information will be retained by the institution;
- an explanation of the administrative, technical and physical safeguards and practices that will be used to protect the personal information;
- a summary of any risks to individuals in the event of a theft, loss or unauthorized use or disclosure of the personal information;
- the steps to be taken by the institution to prevent or reduce the likelihood of a theft, loss or unauthorized use or disclosure of personal information from occurring, and to mitigate the risks to individuals if any such events occur; and
- other information prescribed in future regulations.
Once the PIA is completed, the institution will be responsible for ensuring that the risk mitigation measures identified in the PIA are implemented before collecting the personal information, or, if that is not possible, within a reasonable time after collecting the information.
PIAs must also be updated if there is any significant change to the types of personal information collected, or the purposes for which the personal information is to be used or disclosed.
Although PIAs are not required to be filed with the IPC, the IPC may access or receive a copy upon request.
Privacy Safeguards and Privacy Breach Reporting
The changes to FIPPA will require that institutions take steps that are reasonable in the circumstances to ensure that personal information in the custody or under the control of the institution is protected against: (a) theft, loss and unauthorized use or disclosure; and (b) (in the case of records containing personal information) unauthorized copying, modification or disposal.
The changes will also require institutions, in certain circumstances, to report privacy breaches to the IPC and to notify the individuals affected by the privacy breach. This requirement will apply to any theft, loss or unauthorized use or disclosure of personal information in the custody or under the control of the institution if it is reasonable in the circumstances to believe that a real risk of significant harm to an individual would result from the incident. Regulations may also be made which prescribe other circumstances that would trigger privacy breach reporting and notification.
The FIPPA changes define "significant harm" as including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
The FIPPA amendments also set out the following list of factors relevant to determining whether a privacy breach creates a real risk of significant harm to an individual:
- the sensitivity of the personal information;
- the probability that the personal information has been, is being or will be misused;
- the availability of steps that the individual could take to reduce the risk of the harm occurring, or mitigate the harm should it occur;
- any IPC guidance on what constitutes a real risk of significant harm; and
- other factors prescribed by future regulations.
The reports to the IPC and notices to affected individuals must be made "as soon as feasible" after it is determined that the privacy breach has occurred. The format and contents of these reports and notices will be set out in future regulations. However, notifications to individuals must contain a statement that the individual is entitled to make a complaint to the IPC.
For every privacy breach that is reported to the IPC, institutions must: (a) keep records of that breach; (b) provide those records to the IPC if requested to do so by the IPC; and (c) include that breach in the institution's annual report to the IPC (setting out the number of thefts, losses or unauthorized uses or disclosures of personal information reported in the year covered by the report).
Complaints and Enforcement
The amendments to FIPPA will enable individuals to complain to the IPC about privacy breaches. Individuals must make such complaints within one year of the date the subject matter of the complaint came to the attention of the individual, or should have reasonably come to the attention of the individual. The IPC has the discretion to receive complaints after that time period for significant matters, and where the extension would not prejudice any person, as well as for reasons grounded in the Accessibility for Ontarians with Disabilities Act, 2005.
In response to complaints from individuals affected by a privacy breach (or if the IPC has reason to believe an institution is not meeting its safeguarding obligations under FIPPA), the IPC may review the information practices (as defined in the Bill's amendment to FIPPA) of an institution.
Prior to conducting such a review, the IPC has the discretion to resolve complaints through mediation, conciliation or other informal means of dispute resolution. The IPC may also decline to conduct such a review, including if it considers the institution to have responded adequately to the complaint, or there is insufficient evidence to warrant a review, or if the complaint is trivial, frivolous, vexatious, or made in bad faith.
FIPPA requires that institutions cooperate with any IPC review, and gives the IPC various investigatory powers to compel the production of information and records.
As a result of any review, and after giving the institution the opportunity to provide input, the IPC may determine that an information practice of the institution contravenes FIPPA. In such case, the IPC may make an order, as reasonably necessary to achieve compliance with FIPPA's requirements, to:
- discontinue the information practice;
- change the information practice or implement a different practice, as specified by the IPC;
- return, transfer or destroy personal information collected or retained under the information practice; or
- recommend how the information practice could be improved.
Whistleblowing
The changes to FIPPA include a new whistleblowing regime. Under that regime, any person who has reasonable grounds to believe that an institution or a data integration unit (a person, entity or division that supports data analysis and is prescribed by FIPPA) has contravened, or is about to contravene, FIPPA or its regulations may notify the IPC of the matter. In doing so, that person may request that their identity be kept confidential. If the IPC provides assurances to the individual that it will honour that request, the IPC must keep the identity of the person confidential.
Offences
The changes to FIPPA include a new offence. Currently, section 61(1) of FIPPA provides that it is an offence to wilfully disclose personal information in contravention of FIPPA. Bill 194 will amend this to also make it an offence to wilfully collect or use personal information in contravention of FIPPA.
Next Steps
Bill 194 has passed first reading, and is ordered for second reading. It may be subject to amendment as it moves through the legislature as a result of the government's consultation which closed on June 11, 2024.
If passed, Bill 194 has the potential to create significant new obligations for provincial and municipal institutions, as well as children's aid societies and school boards. It would be the first legislation in Canada imposing AI-specific requirements on public institutions.
We understand that the Ontario government is contemplating changes to MFIPPA that would address matters similar to the changes to FIPPA set out above (but this will likely occur at a later date).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.