The ABCs of Bill 194: Pt. 2 Balancing Children’s Privacy

As Ontario's Bill 194 ushers in a new era of digital vigilance, its implications reach beyond legislation and aim to broaden privacy culture across the province. The amendments to the Freedom of Information and Protection of Privacy Act (FIPPA) are incorporated under Schedule 2 of Bill 194 and were discussed in Part 1 of this Article series. In this second installment of the ABCs of Bill 194, we delve into the intricate balance of safeguarding children's privacy amidst a landscape of rapid technological advancements. For Parts 2 and 3 of this article series, we will bring our focus to Schedule 1 of Bill 194, which enacts the Enhancing Digital Security and Trust Act (“EDSTA”).

Before we dive into the content of this article, it is important to clarify the distinctions of the EDSTA and its application.

Schedule 1 of Bill 194 (the EDSTA) can be broken down into three main buckets: cybersecurity, artificial intelligence (AI), and children’s privacy. The cybersecurity and AI buckets directly apply to FIPPA and MFIPPA-regulated institutions as well as Children’s Aid Societies (“CAS”). Meanwhile, the third bucket, children’s privacy, directly applies to school boards and CAS.

This article will focus on the third bucket - children’s privacy - and how related institutions (i.e. CAS and school boards) can prepare for the onset of regulations that will follow Bill 194.

PART 2: BALANCING CHILDREN’S PRIVACY

Children’s privacy is gaining heavy traction in Ontario’s governance and priorities as technologies evolve and regulations aim to keep pace. While some legislation already governs children's privacy, namely Part X of the Child, Youth, and Family Services Act (CYFSA), Bill 194 aims to add an extra layer of privacy and security to protect children’s personal information.

Although some of the wording in Bill 194 is vague and undecided in terms of implementation, what’s clear is that the government is cracking down on how CAS and school boards manage children's personal information.

The EDSTA will empower the provincial government to regulate how CAS and school boards collect, use, retain or disclose digital information relating to individuals under the age of 18.

In this context, digital information typically includes data relating to children, families, and their interactions with these institutions. Data can range from general personal information (e.g. names and addresses) to financial data, digital communication, case files, educational records, and even sensitive information like learning disabilities or health records.

In line with governing how these institutions process children’s personal information, the government may prescribe regulations that require CAS and school boards to submit reports to the overseeing Ministry of Public and Business Service Delivery about their information practices. Additionally, the Ministry may also prohibit the collection, use, retention or disclosure of certain digital information about children.

With its new power, the Ministry can now set regulations that impose technical standards and safeguards for managing digital information. These standards would also regulate the type of digital technology made available to individuals under the age of 18. The technical standards would affect how CAS and school boards protect the digital information they process, such as possibly implementing access controls or multi-factor authentication. When it comes to regulating digital technology, the Ministry will have the power to decide which online tools CAS and school boards are allowed to make available to the children in their care (e.g. digital learning platforms, electronic case management systems, and telehealth services). Technology-related decisions could be based on factors like appropriateness, privacy concerns, and vendor relationships. These regulations are still to be determined but are likely to have profound impacts on CAS and school boards.

As we discussed in Part 1 of this article series, the implications of Bill 194 extend beyond public sector institutions (i.e. CAS, school boards, or organizations regulated by FIPPA). The requirements under the EDSTA also apply to individuals or organizations acting on behalf of CAS and school boards, such as businesses that develop technologies that support these services.

So, what can you do?

Though regulations have not been instated yet, Bill 194 sets the tone for CAS and school boards (and associated organizations) to revamp and update their approach to processing and protecting children’s privacy. At this point, preparation is key, and the following proactive measures should be taken:

Conduct Data Audits: Review and catalogue all digital information (i.e. data maps) related to children that is currently collected, used, retained, or disclosed. Ensure this includes personal, financial, and health-related data.

Identify Sensitive Data: Highlight and prioritize protection for sensitive information such as health records and learning disabilities.

Update Privacy Policies: Revise privacy policies to reflect new data collection, usage, retention, and disclosure practices required by Bill 194.

Implement Privacy Impact Assessments (PIAs): Conduct PIAs for new projects or major changes in data processing involving children.

Regular Security Audits: Perform regular security audits to ensure compliance with updated regulations and to identify potential vulnerabilities.

Evaluate Existing Vendors: Conduct due diligence on vendors to assess current digital tools such as electronic case management systems, digital learning platforms, and telehealth services to ensure they meet new standards.

Implement Reporting Mechanisms: Establish role-based protocols for regular reporting to the Ministry of Public and Business Service Delivery.

Maintain Documentation: Keep detailed records of data processing activities and privacy practices through policies and procedures to demonstrate compliance.

Chaos in the Classrooms and Other Legislation

Protecting the privacy of K-12 students is of growing concern for parents and educators. As schools enhance their digital presence via online learning tools and Google Classrooms, there are added risks to integrating education with advancing technology. More and more students are using digital learning platforms which can be privacy-invasive and a point of entry for threat actors. The rates at which school boards are targeted for cyber-attacks are alarming and underscore the pressing changes that Bill 194 will soon enforce.

In late December of 2024, school boards across Canada were impacted by a significant data breach involving PowerSchool, a third-party service provider used by K-12 schools to manage student information. In Ontario, more than 20 school boards have contacted the Information and Privacy Commissioner of Ontario about potential breaches and are beginning to inform families about the details. The Toronto District School Board (TDSB), the largest in the country, reports that personal information, including names, birthdates, medical conditions, and health numbers of students, was accessed. This data breach dates back to 1985 and could potentially impact 1.49 million students (Wong, 2025).

Targeting children's personal information is favourable in the world of cybercrime because with just basic information, such as a student’s name, grade, and a parent's email, cybercriminals could easily craft a phishing scam to extract credit card details. Alternatively, combining a student's name and home address with a fake date of birth could be used to request credit or apply for identification.

This incident highlights significant issues of data retention and data minimization, with school board representatives citing data access requests as a reason why they retain student information for decades. With a stronger push for protecting children’s privacy, this breach might lead schools to reassess the types of student information they collect and retain.

Normally, schools collect a huge volume of personal details from students; however, following the breach, TDSB has opted to stop collecting health card numbers and will delete the ones it already has from its system.

So, what can you do?

This major data breach serves as a stark reminder for CAS and school boards to prioritize proper data retention and minimization practices.

While data retention hasn’t always been a top priority, Bill 194 is urging CAS and school boards to integrate these practices into their day-to-day operations.

In reality, institutions like CAS and school boards are likely to have long retention periods due to the requirement of needing to facilitate access requests. Part X of CYFSA makes it clear that under this regulation, you must have a retention policy that sets out the following information:

· Data classification types of personal information on record

· Data retention periods

· Data disposal or data transfer practices

Part X does not state exactly how long you must retain records. Instead, it suggests determining retention periods via certain criteria, such as potential conflicts with other service providers that have custody of a data record or other laws that prescribe a retention period.

CAS and school boards alike must revisit their understanding of data minimization and re-evaluate the types of data they collect and why. Using the GDPR as a guidepost, data minimization means data collected should be adequate, relevant, and limited to what is necessary. Data minimization ensures organizations only store data they need for specific, legitimate purposes rather than for the sake of collecting information. This was evident in how the TDSB opted to stop collecting health card numbers after this recent breach.

The evolving landscape of children's privacy in Ontario underscores the importance of rigorous data protection measures, especially in light of new legislation like Bill 194. With the government stepping up their efforts to regulate how children's digital information is handled, CAS and school boards must prioritize compliance by strengthening their information practices and data security measures. As technology continues to advance, the commitment to protecting children's privacy must remain a top priority for all stakeholders involved.
