Human Resources Legislative Update

New FIPPA Privacy Requirements Take Effect for Ontario Public Sector Institutions

· 2 min read By: Andrew J. Movrin, Victoria McCorkindale

Human Resources Legislative Update

New FIPPA Privacy Requirements Take Effect for Ontario Public Sector Institutions

Date: August 7, 2025

Schedule 2 of the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194), came into effect on July 1, 2025. The legislation introduced significant amendments to the Freedom of Information and Protection of Privacy Act (FIPPA) including enhanced compliance obligations, such as mandatory privacy impact assessments, formal breach reporting obligations, and enhanced safeguarding requirements.

Notably, these amendments apply only to FIPPA institutions and do not extend to municipal institutions governed by the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), such as municipal government, school boards, police services boards, and public library boards.

One of the most significant amendments to FIPPA is the introduction of new data breach notification and reporting requirements to affected parties and the Information and Privacy Commissioner of Ontario (IPC).

Other key amendments to FIPPA include:

  • requiring the head of an institution to conduct a privacy impact assessment before collecting personal information; this requires the institution to address a number of specified steps in the assessment and to mitigate risk, among other things
  • addition of expanded privacy safeguard language to the provisions of FIPPA relating to personal information, including obligations to protect against theft, loss, unauthorized use or disclosure, copying, modification or disposal
  • empowerment of the IPC to review the information practices (as newly defined) of an institution where a complaint has been received, as well as provisions relating to conduct of the review and any orders that result from the review, among other things
  • addition of a new provision related to whistleblowing
  • addition of a revised definition of “customer service information” and setting out additional uses for that information

For guidance on how we can help you ensure compliance with these new FIPPA requirements, please reach out to Andrew Movrin, Victoria McCorkindale, or your regular Hicks Morley lawyer.

The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©