by Kathrin Gardhouse, Data and AI Governance Consultant | INQ
and David Goodis, Partner | INQ Law
Bill 194, officially known as the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, is a pivotal legislative measure currently under consideration in Ontario. As it progresses toward its second reading, the bill aims to significantly enhance digital security and trust across public sector entities covered by the Freedom of Information and Protection of Privacy Act and its municipal counterpart, along with children’s aid societies and school boards. It sets forth stringent regulations aimed at improving cybersecurity practices and the ethical management of artificial intelligence (AI) systems, with a strong emphasis on the privacy and security of sensitive information, particularly that of minors.
This second part of our post continues the discussion of the AI-related obligations covered in Part One by summarizing the second of the bill’s two parts, the amendments to the Freedom of Information and Protection of Privacy Act, with an eye to what is new, what is familiar, and how to prepare for when Bill 194 becomes law.
Privacy Impact Assessments
A significant component of the second part of Bill 194, which amends the existing Freedom of Information and Protection of Privacy Act (FIPPA), is the focus on Privacy Impact Assessments (PIAs). Bill 194 mandates that FIPPA institutions conduct comprehensive PIAs before collecting personal information. These assessments are designed to ensure that personal data is collected, used, and disclosed responsibly and in accordance with legal standards.
PIAs are not new to the public sector in Ontario. The Information and Privacy Commissioner of Ontario issued a guideline for PIAs including an expansive template in 2015, which “strongly encourages” Ontario public sector institutions to conduct PIAs. The PIA under Bill 194 does not appear to require anything above and beyond what the guideline already recommends today.
The big novelty, however, is that Bill 194 requires a PIA to be undertaken “before collecting personal information,” whereas the existing guideline limits its PIA recommendation to situations where institutions are “considering new information technologies, systems, and program services that may affect privacy.” Examples of when that may be the case can be found in the Information and Privacy Commissioner’s FIPP Manual.
Like the PIA guideline, and in contrast to the AI obligations discussed in Part One of our post, Bill 194 sets out very detailed requirements in the statute itself, leaving it to regulations only to add further content or to exempt entities from the PIA obligation. Specifically, a PIA must include a clear justification of the purpose for collecting the personal information, detailing its intended uses and disclosures and explaining why such collection is necessary. It must also cite the legal authority that permits or requires the collection, use, and disclosure of this information.
The PIA also requires a detailed description of the types of personal information to be collected and the ways in which each type will be utilized or shared. It should identify the sources from which personal information will be obtained and list the positions within the organization—such as officers, employees, consultants, or agents—who will have access to the information. Any limitations or restrictions on the collection, use, or disclosure of the personal data must be explicitly stated.
Moreover, the PIA must outline the retention period for the personal information, adhering to the regulatory requirements specified in the bill. It must describe the administrative, technical, and physical safeguards that will be implemented to protect the personal information and provide a summary of the potential risks to individuals in the event of a data breach, including theft, loss, or unauthorized disclosure. Finally, the assessment should specify proactive steps the institution will take to prevent or mitigate these risks.
Data Breaches
Bill 194 will require the head of a public sector institution to notify the Commissioner and affected individuals of a data breach involving the theft, loss, or unauthorized use or disclosure of personal information. An annual report to the Commissioner is also mandatory. These requirements apply only where there is a reasonable belief that the breach presents a real risk of significant harm to the affected individuals, or in other prescribed circumstances, and the obligation to notify does not apply where notification is prohibited by another law.
The notification provided to individuals must include:
A statement informing them of their right to make a complaint to the Commissioner regarding the breach.
Any additional information that may be prescribed by regulations, which will detail the form and manner of the notification.
The notification must be made as soon as feasible after the institution’s head determines that the breach has occurred.
“Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. The assessment of whether a breach poses a real risk of significant harm involves considering factors such as:
The sensitivity of the personal information involved.
The likelihood that the information has been, is being, or will be misused.
The potential effects on individuals, which could range from financial loss to damage to reputation.
Bill 194 requires that institutions maintain comprehensive records of all data breaches that pose a real risk of significant harm. The content and manner of this record-keeping obligation will be prescribed by regulation.
Tips for preparation:
Public sector institutions may already be familiar with the requirements around privacy breaches, as guidance for these events has been available for many years, and breach reporting has long been mandatory for those covered by the Personal Health Information Protection Act.
But for those that need a refresher, here are our tips for privacy incident preparedness and response:
Establish a Comprehensive Incident Response Plan: Develop a detailed plan that outlines the steps to be taken in the event of a privacy incident. This should include identification of key roles and responsibilities, communication strategies, and procedures for containment, assessment, and mitigation.
Regular Training and Awareness Programs: Ensure that all employees are aware of the potential privacy risks and understand their roles in protecting sensitive information. Conduct regular training sessions to keep everyone updated on the latest security practices and response protocols.
Conduct Regular Risk Assessments: Regularly evaluate your data handling practices and IT systems to identify vulnerabilities that could lead to privacy incidents. Use these assessments to strengthen your security measures and reduce potential exposure.
Implement Strong Data Security Measures: Use encryption, least-privilege access controls, and access logging to protect sensitive information and to make it possible to determine, after an incident, which records were exposed and to whom. Ensure that physical security measures are also in place to protect against unauthorized access to facilities.
Establish a Notification Protocol: Define clear procedures for notifying all relevant stakeholders, including regulatory bodies, affected individuals, and internal management, in the event of a privacy incident. Record who decided whether the incident posed a real risk of significant harm, on what basis, and when, since the notification clock runs from that determination.
Document Everything: Keep detailed records of any privacy incidents, including how the incident was managed, the steps taken to resolve it, and any lessons learned. This documentation will be crucial for regulatory compliance and for refining your incident response strategy.
Engage with External Experts: Consider forming partnerships with cybersecurity and legal experts who can provide specialized knowledge and support before, during, and after a privacy incident.
Review and Update Regularly: Continuously evaluate the effectiveness of your incident response plan and make necessary adjustments. This includes updating the plan to reflect new regulatory requirements, changing business practices, and evolving threats.
Miscellaneous Provisions
Beyond the core areas of cybersecurity and privacy, Bill 194 addresses several miscellaneous provisions, including whistleblower protections and inter-agency collaboration. It strengthens the rights of individuals to report potential violations confidentially, ensuring that their identities are protected. Additionally, the bill grants new powers to the Commissioner, enhancing their authority to conduct reviews of information practices if there is a complaint or reason to believe that the requirements of the Act are not being complied with. This includes the ability to conduct investigations, issue orders, and require changes to practices that do not meet legal standards. The bill also facilitates the sharing of best practices and information between entities to enhance privacy protections across jurisdictions, promoting a cohesive and robust framework for digital security in the public sector.
Conclusion
Bill 194’s amendments to the Freedom of Information and Protection of Privacy Act introduce new requirements and reinforce existing obligations in cybersecurity and privacy protection within Ontario’s public sector. As these changes take effect, entities will need to brush up on familiar protocols and adapt to new standards. For expert guidance on aligning with these requirements and ensuring compliance, reach out to INQ Consulting. Their expertise in industry practices and regulatory demands can help your organization navigate this transition effectively.
INQ’s portfolio of AI services is customized to fit your specific needs and get you AI-ready. To learn more, visit our website at www.inq.consulting or contact us at ai@inq.consulting. To keep up with the latest in AI news, subscribe to the Think INQ newsletter.