Earlier this year, the Ontario government introduced Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, aimed at strengthening digital infrastructure and data privacy protections within Ontario's public sector. If passed:
- Schedule 1 of Bill 194 would enact the Enhancing Digital Security and Trust Act, 2024 ("EDSTA"), and
- Schedule 2 would enact changes to the Freedom of Information and Protection of Privacy Act ("FIPPA").
This will impact many public sector entities involved in health care:
- Hospitals and provincial health agencies (such as Ontario Health and Ontario Health atHome) (collectively, "health institutions") will be subject to both EDSTA and the changes to FIPPA.
- Public health units and municipal health entities subject to the Municipal Freedom of Information and Protection of Privacy Act ("MFIPPA") will only face new requirements under EDSTA. Although no amendments to MFIPPA have been proposed, it is possible that future legislation will amend MFIPPA in a manner similar to the FIPPA amendments proposed in Bill 194.
As described in this bulletin, if passed into law, Bill 194 will make a significant change to the legal regimes governing Ontario hospitals, health agencies and health units. In addition, given the myriad other ongoing law reform initiatives aimed at privacy, cyber security and AI in Canada and abroad, public sector entities outside of Ontario should bear in mind the requirements of Bill 194 and anticipate that similar legislation may follow in other provinces.
Enhancing Digital Security and Trust Act, 2024
EDSTA creates a framework to govern cyber security and the use of AI systems in hospitals and other provincial institutions under FIPPA and municipal institutions under MFIPPA, as well as children's aid societies and school boards.
While the details of this new framework are left to future regulations, whether issued by the Lieutenant Governor in Council or the Minister of Public and Business Service Delivery (the "Minister"), or to future directives issued by the Minister, EDSTA's provisions send a clear signal as to the sorts of obligations that are on the horizon for hospitals and other public sector entities in Ontario.
Cyber Security
EDSTA allows the Lieutenant Governor in Council to make regulations governing cyber security at health institutions and public health units. These regulations may require such institutions to:
- develop and implement programs for ensuring cyber security, and may prescribe elements that must be part of those programs, such as:
  - roles and responsibilities of specified individuals within the institution relating to ensuring cyber security;
  - reporting on the institution's progress with respect to ensuring cyber security;
  - cyber security education and awareness measures;
  - response and recovery measures for cyber security incidents; and
  - oversight measures for implementation of the program; and
- submit reports of cyber security incidents to the Minister or a specified individual, in a prescribed form and at a prescribed frequency, which may vary across different types of incidents.
In addition, the Minister is empowered to: (a) make regulations setting cyber security technical standards for institutions; and (b) issue mandatory directives to institutions respecting cyber security (whether of general application or targeted to categories of entities).
Artificial Intelligence Systems
EDSTA broadly defines "artificial intelligence system" as "a machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments" and includes any other systems as may be prescribed in regulations.
EDSTA applies both to the use of publicly available AI systems (e.g., ChatGPT) and to systems developed by or on behalf of public sector institutions.
EDSTA may require health institutions and public health units that use, or intend to use, an AI system to:
- provide information to the public about their use of the AI system;
- develop and implement an accountability framework respecting their use of the AI system (which may require roles and responsibilities for specified individuals);
- take steps to manage risks associated with the use of the AI system (which may include reporting and record-keeping);
- use (or not use) the AI system in accordance with any prescribed requirements;
- disclose information about their use of the AI system; and
- ensure that an individual exercises oversight of the use of the AI system, and make available any additional information prescribed in respect of that individual (which may include publishing how inquiries may be made about the entity's use of such systems).
The specific public sector entities that are subject to the above, and the circumstances and manner in which the above requirements apply, will be set out in future regulations made by the Lieutenant Governor in Council – along with more general regulations governing the use of AI systems by public sector entities. In addition, the Minister may make regulations setting technical standards that certain public sector entities must conform to in their use of artificial intelligence systems (and this may include health institutions).
No Private Law Duty of Care
EDSTA expressly provides that nothing in EDSTA, or in any regulation or directive made under it, establishes a private law duty of care. This protects health institutions and public health units from civil claims founded on a failure to comply with EDSTA or with regulations or directives made or issued under it. It is important to note that this does not insulate public sector entities from litigation generally.
Amendments to the Freedom of Information and Protection of Privacy Act
Bill 194 proposes to amend FIPPA's privacy provisions to add new privacy obligations, and to increase the investigative powers of the Information and Privacy Commissioner of Ontario ("IPC").
It is important to note that these changes to FIPPA only apply to personal information under FIPPA. For example, they would not affect a hospital's handling of patient personal health information under Ontario's health privacy statute, the Personal Health Information Protection Act, 2004.
Privacy Impact Assessment
FIPPA will require written privacy impact assessments ("PIAs") to be conducted before health institutions collect personal information. PIAs must contain:
- the purpose for which the personal information is intended to be collected, used and disclosed, as applicable;
- an explanation of why the personal information is necessary to achieve that purpose;
- the legal authority for the intended collection, use and disclosure of the personal information;
- the types of personal information that are intended to be collected and, for each type of personal information collected, an indication of how the type of personal information is intended to be used or disclosed;
- the sources of the personal information that is intended to be collected;
- the titles of the officers, employees, consultants or agents of the health institution who will have access to the personal information;
- any limitations or restrictions imposed on the collection, use or disclosure of the personal information;
- how long the personal information will be retained by the health institution;
- an explanation of the administrative, technical and physical safeguards and practices that will be used to protect the personal information;
- a summary of any risks to individuals in the event of a theft, loss or unauthorized use or disclosure of the personal information;
- the steps to be taken by the health institution to prevent or reduce the likelihood of a theft, loss or unauthorized use or disclosure of personal information from occurring, and to mitigate the risks to individuals if any such events occur; and
- other information prescribed in future regulations.
Once the PIA is completed, the health institution will be responsible for ensuring that the risk mitigation measures identified in the PIA are implemented before collecting the personal information, or, if that is not possible, within a reasonable time after collecting the information.
PIAs must also be updated if there is any significant change to the types of personal information collected, or the purposes for which the personal information is to be used or disclosed.
Although PIAs are not required to be filed with the IPC, the IPC may access or receive a copy upon request.
Privacy Safeguards and Privacy Breach Reporting
The changes to FIPPA will require that health institutions take steps that are reasonable in the circumstances to ensure that personal information in the custody or under the control of the health institution is protected against: (a) theft, loss and unauthorized use or disclosure; and (b) (in the case of records containing personal information) unauthorized copying, modification or disposal.
The changes will also require health institutions in certain circumstances to report privacy breaches to the IPC and to notify individuals affected by the privacy breach. This requirement will apply to any theft, loss or unauthorized use or disclosure of personal information in the custody or under the control of the health institution if it is reasonable in the circumstances to believe that a real risk of significant harm to an individual would result from the incident. Regulations may also be made which prescribe other circumstances that would trigger privacy breach reporting and notification. As noted above, this does not apply to personal health information that is subject to Ontario's health privacy law (which has its own privacy breach regime).
The FIPPA changes define "significant harm" as including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
The FIPPA amendments also set out the following list of factors relevant to determining whether a privacy breach creates a real risk of significant harm to an individual:
- the sensitivity of the personal information;
- the probability that the personal information has been, is being or will be misused;
- the availability of steps that the individual could take to reduce the risk of the harm occurring, or mitigate the harm should it occur;
- any IPC guidance on what constitutes a real risk of significant harm; and
- other factors prescribed by future regulations.
The reports to the IPC and notices to affected individuals must be made "as soon as feasible" after it is determined that the privacy breach has occurred. The format and contents of these reports and notices will be set out in future regulations. However, notifications to individuals must contain a statement that the individual is entitled to make a complaint to the IPC.
For every privacy breach that is reported to the IPC, health institutions must: (a) keep records of that breach; (b) provide those records to the IPC if requested to do so by the IPC; and (c) include that breach in the health institution's annual report to the IPC (setting out the number of thefts, losses or unauthorized uses or disclosures of personal information reported in the year covered by the report).
Complaints and Enforcement
The amendments to FIPPA will enable individuals to complain to the IPC about privacy breaches. Individuals must make such complaints within one year of the date the subject matter of the complaint came to their attention, or reasonably should have come to their attention. The IPC has the discretion to accept a complaint after that period where the matter is significant and the extension would not prejudice any person, or for reasons grounded in the Accessibility for Ontarians with Disabilities Act, 2005.
In response to complaints from individuals affected by a privacy breach (or if the IPC has reason to believe a health institution is not meeting its safeguarding obligations under FIPPA), the IPC may review the information practices (as defined in the Bill's amendment to FIPPA) of a health institution.
Prior to conducting such a review, the IPC has the discretion to resolve complaints through mediation, conciliation or other informal means of dispute resolution. The IPC may also decline to conduct such a review, including if it considers the health institution to have responded adequately to the complaint, or there is insufficient evidence to warrant a review, or if the complaint is trivial, frivolous, vexatious, or made in bad faith.
FIPPA requires that health institutions cooperate with any IPC review, and gives the IPC various investigatory powers to compel the production of information and records.
As a result of any review, and after giving the health institution the opportunity to provide input, the IPC may determine that an information practice of the health institution contravenes FIPPA. In such case, the IPC may make such orders as are reasonably necessary to achieve compliance with FIPPA's requirements, requiring the health institution to:
- discontinue the information practice;
- change the information practice or implement a different practice, as specified by the IPC; or
- return, transfer or destroy personal information collected or retained under the information practice;
and may also recommend how the information practice could be improved.
Whistleblowing
The changes to FIPPA include a new whistleblowing regime. Under that regime, any person who has reasonable grounds to believe that a health institution has contravened, or is about to contravene, FIPPA or its regulations may notify the IPC of the matter. In doing so, that person may request that their identity be kept confidential. If the IPC provides assurances to the person that it will honour that request, the IPC must keep the person's identity confidential.
Offences
The changes to FIPPA include a new offence. Currently, section 61(1) of FIPPA provides that it is an offence to wilfully disclose personal information in contravention of FIPPA. Bill 194 will amend this to also make it an offence to wilfully collect or use personal information in contravention of FIPPA.
Next Steps
Bill 194 has passed first reading, and is ordered for second reading. It may be subject to amendment as it moves through the legislature as a result of the government's consultation which closed on June 11, 2024.
If passed, Bill 194 has the potential to create significant new obligations for hospitals, health agencies and public health units. It would be the first legislation in Canada imposing AI-specific requirements on public institutions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.