Canada: Ontario’s Bill 194 Proposes More Oversight of Public Sector Digital Systems
Author: Emily Elder
On May 13, 2024, the Ontario Government introduced Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (“Bill 194”). The Bill proposes to enact new legislation to address cyber security and artificial intelligence systems within the public sector, called the Enhancing Digital Security and Trust Act, 2024 (the “new Digital Security Act”). If passed, it also would make significant changes to the Freedom of Information and Protection of Privacy Act (“FIPPA”).
The Province is open to feedback about this legislation until June 11, 2024.
Proposed Amendments to the Freedom of Information and Protection of Privacy Act
Bill 194 would amend FIPPA but not its municipal equivalent, MFIPPA. These proposed amendments are varied and numerous, and are part of the Government of Ontario’s effort to modernize its privacy framework under FIPPA.
If enacted, Bill 194 would implement several proposed amendments, including the following:
- Privacy Impact Assessments: Bill 194 would impose a new requirement on public sector institutions to conduct a privacy impact assessment prior to collecting personal information in certain circumstances. Following these assessments, institutions would be required to take steps to mitigate risks associated with the planned collection of personal information.
- Mandatory Data Breach Reporting, Notification and Record-Keeping: The proposed amendments also establish new obligations in the event of a data breach. Notably, in the event of certain kinds of data breaches, they impose on institutions new reporting obligations to the Information and Privacy Commissioner of Ontario (“IPC”) and new disclosure obligations to affected individuals. Further, the proposed amendments impose record-keeping obligations on institutions with respect to data breaches. This proposed framework is similar to those found in private-sector privacy legislation across Canada.
- Expanded IPC Powers: Bill 194 would also expand the IPC’s powers under FIPPA, most of which are intended to enable the IPC to conduct a review of an institution’s “information practices” in response to a complaint. The Bill proposes to grant the IPC order-making powers, including to discontinue information practices, or to return, transfer or destroy personal information collected or retained under an information practice.
Given the breadth of these and other proposed amendments, they will impact most institutions that are subject to FIPPA. If your institution is subject to FIPPA, please contact your regular lawyer at the firm to stay current with Bill 194 to ensure continued compliance with FIPPA.
New Legislation Aims to Modernize Digital Security and Enhance Public Trust by Enacting the Enhancing Digital Security and Trust Act, 2024
The new Digital Security Act would apply to institutions subject to FIPPA and the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”), as well as children’s aid societies. If enacted, the new Digital Security Act will establish new regulatory frameworks for the Ontario public sector with respect to artificial intelligence systems and cybersecurity. It also will allow regulation of children’s aid societies’ and school boards’ collection of digital information of anyone under age 18, and of the digital technologies made available for youth under age 18 to use.
In general, unlike the proposed amendments to FIPPA, the present version of the new Digital Security Act contains very few details, and its main goal appears to be granting new powers to regulate and direct. The exact impacts of the new Digital Security Act – and the obligations it will impose on organizations within its scope – will only become clear on the implementation of related regulations.
Below we outline the three main areas that the new Digital Security Act proposes to address.
Artificial Intelligence Systems
The new Digital Security Act would impose several requirements on public sector entities using “artificial intelligence systems”, a term that is defined in this Act. Notably, the new Digital Security Act proposes transparency requirements about how public sector entities use artificial intelligence systems. Public sector entities would also be required to establish accountability frameworks and take steps to manage risks associated with the use of these systems.
Cybersecurity
The cybersecurity sections of the draft new Digital Security Act resemble the Federal Government’s Bill C-26, highlighting a legislative prioritization of cybersecurity for the Canadian public sector. This likely responds to the increasingly common and sophisticated cyber threats that we have seen recently.
The cybersecurity provisions of the new Digital Security Act propose a framework for later regulations to complete, under which specific requirements could be prescribed by the Lieutenant Governor in Council. At a high level, under the new Digital Security Act, regulations could be implemented for the purposes of requiring public sector entities to develop and implement programs to ensure cybersecurity, and to report cybersecurity incidents.
Digital Information Collection and Digital Technology Access for Youths under 18
The Act also sets out a framework for regulations placing requirements on school boards, children’s aid societies and third parties on their behalf with respect to the collection, use, disclosure and retention of digital information relating to individuals under the age of 18. It also would allow Ministerial regulations and directives to school boards and children’s aid societies regarding digital technologies made available to youths under age 18. Again, the details of these requirements are limited, and will be established by regulations.
Takeaway
If Bill 194 is passed, the Act will take several important steps towards modernizing FIPPA, and towards addressing the burgeoning challenges facing Ontario’s public sector with respect to intensifying cybersecurity threats, and identifying appropriate uses of artificial intelligence technologies.
Future regulations will be determinative in shaping the scope of the requirements established under Bill 194 and the new Digital Security Act in particular. It will accordingly be difficult to take specific steps to ensure compliance with an enacted version of the Act at this time. However, Bill 194 indicates steps public sector institutions can take to address the emerging concerns it targets, such as to:
- Develop a framework to identify and mitigate risks associated with the use of artificial intelligence systems;
- Ensure transparency in the use of artificial intelligence systems;
- Develop a process for the use of privacy impact assessments prior to collecting individuals’ personal information; and
- Establish or expand upon cybersecurity programs, in accordance with industry standards and best practices.
The Ministry of Public and Business Service Delivery has announced a consultation period for the Bill, ending on June 11, 2024, accessible here. Additional consultations with public sector institutions may be solicited with respect to the future development of the applicable regulations, should Bill 194 pass. If you are a public sector employer that may be impacted by Bill 194, including a school board or children’s aid society, contact your regular FWTA lawyer to discuss what input you may wish to provide to the government about Bill 194.