Human Resources Legislative Update

Ontario Introduces Legislation to Address Cyber Security in the Public Sector

Human Resources Legislative Update

Ontario Introduces Legislation to Address Cyber Security in the Public Sector

Date: May 15, 2024

On May 13, 2024, the Ontario government tabled Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194). If passed, Schedule 1 of Bill 194 would enact the Enhancing Digital Security and Trust Act, 2024. Amendments would also be made to the Freedom of Information and Protection of Privacy Act (FIPPA).

Enhancing Digital Security and Trust Act, 2024

If passed, the Enhancing Digital Security and Trust Act, 2024 (Act) would strengthen cyber security within “public sector entities,” as that term is defined, and set out requirements for the use of artificial intelligence (AI). For both the cyber security and AI provisions of Bill 194, many of the requirements would be established by regulation.

Cyber Security

If passed, the Act would create the following regulation-making authority relating to cyber security, as defined, in public sector entities:

  • requiring public sector entities to develop, implement and govern cyber security programs and to report cyber security incidents in a prescribed form to the Minister of Public and Business Service Delivery (Minister) or a specified individual
  • specifying the details of a cyber security program
  • setting out prescribed technical standards
  • permitting the Minister to issue directives to public sector entities regarding cyber security

Artificial Intelligence

The preamble to Bill 194 states that AI, as that term is defined, must be “used in a responsible, transparent, accountable and secure manner.”

Regulation-making authority under the AI provisions would require public sector entities to:

  • provide information to the public about their use of AI
  • develop and implement an accountability framework regarding the use of AI and take risk-management steps
  • use AI only for the prescribed uses and, where it does, to disclose prescribed information as may be required and establish oversight

Additional regulation-making power relates to accountability frameworks and disclosure of information, among other things.

Under the Act, public sector entities to whom the AI and cyber security obligations apply may include both Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and FIPPA institutions as well as children’s aid societies. Provision is made to limit application of the Act to prescribed entities within this group.

The proposed Act also contains provisions to regulate the use of digital technologies when collecting, using, retaining or disclosing “prescribed digital information” of persons under the age of 18 years by school boards or children’s aid societies. The details are largely left to regulation.

Amendments to FIPPA

The government has stated that Bill 194, if passed, would enhance and modernize privacy protection.

In this regard, key amendments to FIPPA would include:

  • requiring the head of an institution to conduct a privacy impact assessment before collecting personal information; this would require the institution to address a number of specified steps in the assessment and to mitigate risk, among other things
  • adding expanded privacy safeguard language to the provisions of FIPPA relating to personal information including obligations to protect against theft, loss, unauthorized use or disclosure, copying, modification or disposal
  • introducing new data breach notification and reporting requirements to affected parties and the Information and Privacy Commissioner of Ontario (IPC)
  • empowering the IPC to review the information practices (as newly defined) of an institution where a complaint has been received, as well as provisions relating to conduct of the review and any orders that result from the review, among other things
  • adding a new provision related to whistleblowing
  • adding a revised definition of “customer service information” and setting out additional uses for that information

Interestingly, Bill 194 does not extend these new requirements to municipal institutions under MFIPPA.

Consultation on Bill 194

On May 13, 2024, the Ontario government also announced that it is seeking feedback on the proposed amendments found in Bill 194. Comments are due by June 11, 2024.

We will continue to monitor the progress of Bill 194 through the legislative process. In the meantime, should you have any questions, please feel free to reach out to your regular Hicks Morley lawyer.

The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©