Schedule 2 of Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, has introduced significant amendments to Ontario’s Freedom of Information and Protection of Privacy Act, 1990 (FIPPA), which took effect on July 1.
An article from the Information and Privacy Commissioner of Ontario (IPC) sheds light on the changes for institutions subject to FIPPA. These include new requirements to safeguard personal information, perform privacy impact assessments, and report privacy breaches.
Under the amendments, institutions falling within FIPPA need to safeguard personal information by taking reasonable steps to protect the information in their custody or control against theft, loss, and unauthorized use or disclosure and keeping records with the information safe against unauthorized copying, modification, or disposal.
Under the changes, provincial institutions subject to FIPPA have to report certain privacy breaches or other prescribed circumstances by assessing such breaches against the real risk of significant harm (RROSH) threshold, reporting breaches meeting that threshold to the IPC, and notifying impacted individuals of breaches meeting that threshold as soon as feasible.
The IPC article noted that, in some cases, the amendments require reporting breaches to the IPC under the aforementioned circumstances, but prohibit notifying the affected persons.
The IPC article explained that the RROSH threshold considers factors such as the sensitivity of the personal information, the likelihood of misuse, and the potential of the affected individual taking steps seeking to prevent or mitigate harm.
Under the changes, all institutions falling within FIPPA should keep and retain a record of reported breaches meeting the RROSH threshold and occurring on or after July 1, including the number and types of such breaches, the number of individuals impacted, and any other required information, then include this information in their annual statistical report.
The IPC article noted that the first report, encompassing breaches from July 1 to Dec. 31, are due to the IPC by Mar. 31, 2026.
Privacy impact assessments
Under the amendments, all institutions subject to FIPPA need to conduct privacy impact assessments (PIAs) and give a copy upon the IPC’s request that includes the following information:
- the purpose for collecting, using, or disclosing the personal information
- an explanation of the necessity of the information to achieve that purpose
- the legal authority for the institution to collect, use, or disclose the information
- the types of information for collection
- the intended use or disclosure for each type
- how each type is intended to be used or disclosed
- the sources of the information for collection
- the position titles of the institution’s officers, employees, consultants, or agents who can access the information
- any limitations or restrictions on the information’s collection, use, or disclosure
- the period of time the institution will retain the information
- an explanation of the administrative, technical, and physical safeguards over the information
- a summary of risks to individuals due to the information’s theft, loss, or unauthorized use or disclosure
- the steps the institution should take to mitigate risks to individuals and prevent or reduce the likelihood of the information’s theft, loss, or unauthorized use or disclosure
- any other prescribed information
The IPC article said the changes to FIPPA also include a new privacy complaint and review regime and empower the IPC to investigate and issue binding orders.
According to the IPC article, while the amendments do not cover the Municipal Freedom of Information and Protection of Privacy Act, 1990 (MFIPPA), numerous changes to FIPPA address fundamental privacy practices that that MFIPPA institutions should also observe to safeguard personal privacy, lower risk, abide by current requirements, and promote public trust.