Ontario’s New Cyber Security Legislation Now In Force
December 3, 2024
| By
Emily Elder
Legislation
Bottom Line
As we previously wrote about here, on May 13, 2024, the Ontario government introduced Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (the “Act”). Now that it is law, this Act:
- Amends the Freedom of Information and Protection of Privacy Act (“FIPPA”) to require public sector institutions to implement appropriate privacy impact assessments and mitigate any identified risks, and creates new obligations for public sector institutions in the event of a data breach. It also give the Information and Privacy Commissioner of Ontario (“IPC”) new order-making powers.
- Enacts the Enhancing Digital Security and Trust Act, 2024, a new statute that applies to institutions subject to FIPPA and its municipal equivalent, the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”). The Enhancing Digital Security and Trust Act, 2024 creates new regulatory frameworks for the Ontario public sector with respect to artificial intelligence systems and cybersecurity. It also allows regulation of children’s aid societies’ and school boards’ collection of digital information of anyone under age 18, and of the digital technologies made available for youth under age 18 to use. It will come into effect when proclaimed by the Lieutenant Governor, a date that has yet to be set. Most of the requirements that will be imposed by the Enhancing Digital Security and Trust Act, 2024 will take the form of future regulations.
Takeaways
Employers should review this new legislation to determine whether they are impacted, and if so, adjust their information technology and data systems in order to ensure compliance.
In particular, employers who are subject to FIPPA should review their information practices, ensure that they implement appropriate privacy impact assessments and mitigate any identified risks, and have processes in place to comply with the new obligations in the event of a data breach.
Employers subject to FIPPA or MFIPPA – especially school boards and children’s aid societies – will also want to review the new Enhancing Digital Security and Trust Act, 2024 carefully.
We will continue to monitor these and other privacy-related statutes, and the development of related regulations. Additional updates will follow.
Need More Information?
For more information or assistance with privacy or workplace laws, contact your regular lawyer at the firm.
Download PDF
