FTR Now
Ontario Modernizes Its Freedom of Information and Privacy Regime
Date: May 7, 2026
Ontario’s 2026 Budget, A Plan to Protect Ontario, was tabled on March 26, 2026. In it, the Ontario government announced a significant modernization of Ontario’s access‑to‑information and privacy framework, with direct and material implications for municipalities, school boards, and other institutions subject to the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), and for public-sector institutions, including hospitals, colleges and universities, subject to the Freedom of Information and Protection of Privacy Act (FIPPA). Bill 97 received Royal Assent on April 24, 2026.
We provided an overview of the key proposed amendments to both statutes in Highlights of the 2026 Ontario Budget.
Bill 97’s FIPPA amendments are deemed to come into force on July 1, 2026, with certain provisions coming into effect on September 15, 2026. The MFIPPA amendments will also come into force in stages with certain provisions effective on July 1, 2026, and others on January 1, 2027.
Bill 97 introduces several structural changes to access and privacy administration across the broader public sector.
Key Amendments to Both MFIPPA & FIPPA
Business-day calculation of certain statutory timelines
Select statutory timelines will now be calculated using business days rather than calendar days, reflecting the operational demands faced by institutions managing high‑volume or complex access requests.
Extended deadline for access responses
The standard response time for access‑to‑information requests will increase from 30 days to 45 days, providing institutions with additional capacity to manage scope, records retrieval, and review.
Introduction of “staged access” responses
In prescribed circumstances, institutions will be permitted to respond to access requests by proposing a staged access plan, allowing records to be disclosed incrementally over time rather than in a single release.
Expanded authority to extend response timelines
Beyond existing extension mechanisms, institutions will be authorized to take a second extension in certain circumstances, further recognizing the complexity of modern information environments.
Exclusion of cybersecurity-related records
Both statutes will exclude from their application certain records prepared or collected under the Enhancing Digital Security and Trust Act, 2024 (EDSTA), reinforcing the confidentiality of prescribed cyber security and digital risk documentation.
Amendments Unique to MFIPPA
Bill 97 brings MFIPPA closer into alignment with reforms introduced to FIPPA in 2025 by imposing new governance and accountability measures on municipal institutions:
Mandatory Privacy Impact Assessments
MFIPPA institutions will be required to complete Privacy Impact Assessments (PIAs) before collecting personal information, strengthening upfront risk identification and mitigation.
Mandatory reporting of certain privacy breaches
In defined circumstances, institutions must report the theft, loss, or unauthorized use or disclosure of personal information to the affected individual as well as to the Information and Privacy Commissioner of Ontario (IPC).
Expanded IPC oversight powers
The IPC will be granted express authority to review an institution’s information practices in specified circumstances, increasing regulatory scrutiny of privacy management frameworks.
Amendments Unique to FIPPA
FIPPA will be amended to exclude from its application records in the custody or control of a Minister, a Minister’s office, or parliamentary assistants, unless those records are otherwise in the custody of an institution.
Practical Implications for Public Sector Employers
Once in force, these amendments will have immediate and practical implications across institutional operations, particularly in human resources, labour relations, cyber security, and workforce data governance.
While institutions should continue to comply with the existing statutory framework until the amendments are proclaimed, proactive preparation will be essential. Institutions should begin to:
- strengthen information governance by clearly documenting decision‑making frameworks, delegations, and internal controls
- improve access request intake and triage discipline, including coordination of pauses, releases, and communications
- update policies, procedures, and tracking tools to reflect the shift from calendar‑day to business‑day calculations
- develop standardized staged access response templates, including guidance on when staged disclosure is appropriate and how it should be documented
- establish consistent criteria and documentation requirements for exercising additional response time extensions
- identify and segregate records captured under the EDSTA, and train staff accordingly
MFIPPA institutions should also prioritize the development of:
- a formal PIA process
- a clear, documented privacy breach response and reporting protocol
These reforms reflect a deliberate recalibration of Ontario’s access and privacy regime. Institutions that invest early in governance, documentation, and staff training will be best positioned to manage regulatory risk, operational strain, and heightened oversight expectations under the amended statutes.
For assistance preparing for these changes or assessing their impact on your organization, please contact Scott T. Williams, Andrew J. Movrin or Victoria McCorkindale, or other members of the firm’s Information, Data Security & Privacy Practice Group.
The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP.
