On November 25, 2024, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (“Bill 194”) passed Third Reading and received Royal Assent at the Legislative Assembly of Ontario.
Bill 194 (i) enacts the Enhancing Digital Security and Trust Act (“EDSTA”) and (ii) introduces changes to the Freedom of Information and Protection of Privacy Act (“FIPPA”), which together create significant new obligations regarding privacy, cyber security, and the use of artificial intelligence (“AI”) for Ontario’s public sector entities, including health care entities such as hospitals and provincial health agencies (collectively, “health institutions”).
Fasken reviewed Bill 194 in detail last August and highlighted the following notable elements:
EDSTA would allow the government, by regulation, to:
- Require health institutions to develop and implement cyber security programs, and submit reports on cyber security.
- Regulate how health institutions, identified by regulation, use AI systems.
The amendments to FIPPA would:
- Require health institutions to conduct privacy impact assessments before collecting personal information.
- Mandate that health institutions report privacy breaches to the Information and Privacy Commissioner of Ontario and notify affected individuals.
- Increase the Commissioner’s investigative powers with respect to the information practices of health institutions.
- Create a new whistleblowing framework for confidentially reporting contraventions of FIPPA to the Commissioner.
- Expand FIPPA’s offences provisions to include contraventions with respect to the collection and use of personal information, in addition to the disclosure of personal information.
The provincial government will announce the date on which EDSTA and the amendments to FIPPA will come into force, and will introduce regulations that will contain specific requirements. Similar changes to the Municipal Freedom of Information and Protection of Privacy Act may follow (although no bill has been introduced yet).
With Bill 194’s Royal Assent, health institutions in Ontario now face very significant new privacy and cyber security obligations, as well as Canada’s first AI-specific regulatory requirements for public institutions. Health institutions should continue to pay close attention to these developments to ensure compliance. Private sector organizations should consider Bill 194 a bellwether and stay informed about potential regulatory changes that may impact how they do business with health institutions and other provincial and municipal institutions.