Harrison Pensa LLP

6 June, 2024

Ontario Bill 194 proposes data breach reporting for public sector

The Ontario government has proposed draft legislation called The Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024.

The press release says Bill 194 “… would provide new tools to prevent and respond to cyber security threats and safeguard critical public services, such as health care and education.” It would also “… strengthen safeguards for children’s personal information and lay the foundation for the ethical use of artificial intelligence in the public sector.”

The bill has two parts.

Part One: Cyber Security

The first part would enact the Enhancing Digital Security and Trust Act 2024. It applies to public sector entities defined as institutions under the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). FIPPA applies to provincial government agencies. MFIPPA applies to municipalities and quasi-municipal agencies.

This legislation would prescribe cyber security requirements and programs and require institutions to report cyber breaches to the Ontario government.

The AI rules would require an accountability framework for the use of AI, including risk management steps. The legislation contemplates regulations that could ban certain types of AI use.

The bill sets out broad principles, with details to be set out in regulations that have yet to be developed.

Part Two: Privacy Update

The second part of the bill would amend FIPPA. It does not amend MFIPPA.

It would add obligations to provide the Privacy Commissioner with an annual report of privacy breaches.

It would add an obligation to do a privacy impact assessment (PIA) before collecting or using new information or changing how existing information is used. The Privacy Commissioner can ask to see these PIAs.

It also adds a requirement to report privacy breaches to the Privacy Commissioner and individuals if the breach might result in a real risk of significant harm. This requirement and test are similar to those found in PIPEDA, which is federal privacy legislation governing private sector privacy in Ontario.

It increases the investigation and order-making powers of the Privacy Commissioner to bring them more in line with PIPEDA requirements.

David Canton is a business lawyer and trademark agent at Harrison Pensa with a practice focusing on technology, privacy law, technology companies and intellectual property. Connect with David on LinkedIn and Twitter.

About the author

David Canton

Consultant
  • Business Law & Financial Services,
  • Data Protection,
  • e-Commerce,
  • Information Technology,
  • Intellectual Property,
  • SaaS,
  • Software Licenses,
  • Technology and Privacy Law