The ABCs of Bill 194: Pt. 1 Amendments to FIPPA
On November 25, 2024, Ontario's Bill 194, also known as the Strengthening Cyber Security and Building Trust in the Public Sector Act, reached royal assent. The passing of this Bill marks a significant milestone in Ontario's efforts to enhance digital security and trust within the public sector.
Bill 194 enacts the Enhancing Digital Security and Trust Act (EDSTA) and introduces amendments to the Freedom of Information and Protection of Privacy Act (FIPPA). The primary focus of the Bill is to address:
(A) Amendments to FIPPA,
(B) Balancing Children’s Privacy, and
(C) Cyber Security and AI.
This article is the first of three parts addressing the key areas of Bill 194.
PART 1: AMENDMENTS TO FIPPA
FIPPA is Ontario's legislation that governs how public sector institutions (e.g., ministries, agencies, school boards, children’s aid societies, and hospitals) manage and protect personal information.
As Bill 194 gets implemented, public institutions are not the only ones who need to pay attention. Private sector companies and even non-profit organizations can be impacted by the changing regulations depending on whether they provide a service to, work with, or process the personal information of provincial (and in some cases municipal) institutions.
FIPPA amendments may require private and non-profit organizations to comply with new data protection obligations (see below), report privacy breaches to the Information and Privacy Commissioner (IPC), and notify affected individuals if there is a “real risk of significant harm” (RROSH). Ultimately, organizations under contract with public institutions must adhere to FIPPA regulations to sustain legislative compliance and mitigate privacy risks within these FIPPA-regulated institutions.
In this first article of the Bill 194 series, we will address four key amendments to FIPPA.
1. Protecting Personal Information:
Bill 194 heightens the responsibilities of the head of any public sector institution to take privacy and security risks more seriously. To foster a stronger awareness of protecting personal information, there needs to be someone accountable. Bill 194 highlights the role of the head of the institution (“HOTI”) as leading these changes by bringing attention to privacy and security risks through enhanced training and building a privacy culture within public institutions. As outlined in the FIPPA amendments, a public institution must take the necessary steps “to prevent or reduce the likelihood of a theft, loss or unauthorized use or disclosure of personal information from occurring, and to mitigate the risks to individuals in the event of such an occurrence”. If risk mitigation steps cannot be taken before personal information is collected, then at the very least they must be taken within a reasonable time after collection. Protecting personal information and mitigating risks require a concerted effort that can only be effective when trained staff from all departments, such as marketing and IT, work closely together.
So, what can you do?
Effective designation and training are crucial for ensuring compliance with the new FIPPA amendments. Institutions must appoint a dedicated Data Protection Officer (DPO) to oversee adherence to these changes and act as the HOTI. The DPO and relevant staff must receive comprehensive training on privacy laws, privacy and security best practices, and risk mitigation strategies. Training programs play a crucial role in educating staff about their responsibilities under FIPPA and the importance of safeguarding personal information. Effective training, led by the DPO, ensures that staff are well-versed in best practices for data handling, storage, and transmission, while also equipping them to identify and address potential privacy risks. By doing so, these programs significantly reduce the likelihood of unauthorized use or disclosure of personal information.
2. Privacy Breach Notification:
When it comes to breach notification, the amendments to FIPPA mandate that the HOTI report privacy breaches (those that result in any theft, loss or unauthorized use or disclosure of personal information) to the IPC and notify affected individuals where there is a RROSH. We have seen this in previous legislation such as PIPEDA, which governs reporting requirements for the private sector. However, in this case, FIPPA effectively delegates power to the IPC to define the meaning of a RROSH over time.
Some of the relevant factors in determining whether a privacy breach presents a RROSH include:
The sensitivity of the personal information.
The probability that the personal information has been, is being or will be misused.
The availability of steps that the individual could take to either reduce the risk of the harm occurring or mitigate the harm should it occur.
The right to lodge a complaint with the IPC is also included in the breach notification changes. Once a HOTI determines that a theft, loss or unauthorized use or disclosure of personal information has occurred, they must, in their breach notification to the affected individual, disclose that the individual is entitled to make a complaint to the IPC. It is important to note that affected individuals have one year to file their complaint, starting from the date the issue comes to their attention, subject to some exceptions.
Additionally, one of the more interesting amendments to FIPPA is the new whistleblowing framework. This framework allows confidential reporting of potential FIPPA contraventions to the Commissioner. This encourages individuals to report privacy violations without fear of retaliation and fosters more privacy awareness and accountability across public institutions.
So, what can you do?
To stay ahead of privacy breaches, institutions should consider the following steps:
Develop a robust protocol for promptly identifying, assessing, and reporting breaches (this includes procedures for timely notification to the IPC and affected individuals).
Breach processes should be clearly defined and communicated to all relevant staff.
Ensure there is training and awareness conducted for staff to be able to determine a RROSH based on the above factors; consider tabletop exercises to strengthen hands-on learning.
Keep a detailed record of all instances of a privacy breach, even those that are not reportable because they do not meet the RROSH threshold.
Manage and continuously update a log of all privacy incidents and breaches because the HOTI will be required to submit an annual report to the Commissioner outlining the previous year’s incidents/breaches including the number of thefts, losses or unauthorized uses or disclosures of personal information.
3. Privacy Impact Assessments (PIAs):
Transparency and accountability are key features of Bill 194, which is why PIAs are now mandated. Public sector institutions engaging in a project or practice that requires the collection of personal information must first conduct a PIA (unless the regulations provide otherwise).
The PIA must address, for example, the legal authority for the intended collection, the types of personal information being collected, a clear rationale for why personal information is being collected and used, and a summary of any risks to the individual, among other things.
On request by the Commissioner, the HOTI must provide access to the PIA.
So, what can you do?
To prepare for these new changes, institutions should take the following steps:
Create or revise procedures for conducting PIAs to align with the latest requirements.
Ensure there is a process that will not let a new activity that collects, uses, or processes personal information move forward without conducting a PIA.
Consider designing multiple PIA templates (or conditional questions in the PIA template) that can be used depending on the complexity of the project or activity.
It’s important to consider how best to spend resources and to keep the effort commensurate with the risk of the project or practice.
Train staff on the updated PIA procedures to ensure they are equipped with the necessary knowledge and skills.
Customize PIA practices to meet the specific needs of different sectors, teams, and departments within the institution.
Actively manage and update your PIAs with any significant changes to the purpose for which personal information is collected, used, or disclosed.
4. Expanded Powers for the IPC:
The IPC's role as a regulator is strengthened through the FIPPA amendments. These amendments grant the IPC order-making powers and allow for more thorough examinations of “information practices” within public sector entities, particularly if a complaint has been lodged or if the Commissioner suspects any instance of FIPPA noncompliance.
FIPPA defines information practices as the way an institution handles personal information (through administrative, technical, and physical means), including its collection, use, modification, disclosure, retention, disposal, and protection measures.
If the Commissioner identifies noncompliance in an institution's information practices, a review may take place. Before conducting a review, the Commissioner may try to resolve the matter through various forms of mediation. However, if a formal review is conducted, the Commissioner will examine all information practices and relevant documents within that institution, which may reveal other instances of noncompliance unrelated to the first.
Following a review, the Commissioner is empowered to order the HOTI to:
Discontinue or change the information practice as specified by the Commissioner.
Return, transfer or destroy personal information collected or retained under the information practice.
Implement a different information practice.
The Commissioner may also make a recommendation on how the information practice could be improved.
So, what can you do?
To prepare for the introduction of the IPC’s powers over information practices, institutions must significantly update their internal compliance processes. This involves:
Conducting a thorough and regular review and update of internal privacy policies/practices to ensure they align with the latest requirements and best practices.
Clearly defining roles and responsibilities related to compliance to ensure all staff understand their duties and accountability.
Implementing strong administrative, technical, and physical safeguards to protect personal information effectively.
Moving Forward
Public sector institutions may feel unprepared to address these detailed and heavy-handed privacy obligations due to limited experience or a lack of knowledge and resources. This is where our Bamboo team excels. Bamboo has an extensive history of supporting clients in building privacy programs, designing and conducting PIAs, as well as engaging in privacy and security incident response, risk mitigation, and breach notification. Please reach out with any questions to ensure your team is fully prepared to meet the new regulatory requirements effectively.
Keep an eye out for parts two and three of this Bill 194 article series where we will break down what public, private, and non-profit organizations need to know regarding children’s privacy, as well as cyber-security and AI compliance requirements.