Ontario’s Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 – How the Public Sector Can Be Prepared for the New AI Obligations

by Kathrin Gardhouse, Data and AI Governance Consultant | INQ

and David Goodis, Partner | INQ Law

Bill 194, formally known as the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, marks a significant legislative initiative for Ontario. The bill, currently at its first reading and ordered for a second, aims to enhance digital security and trust within the public sector. This includes institutions defined under the Freedom of Information and Protection of Privacy Act and its municipal counterpart, as well as children’s aid societies and school boards. The legislation is poised to establish stringent regulations governing cybersecurity and the responsible use of artificial intelligence (AI) systems, and bolstering the privacy and security of digital information, particularly concerning minors.

This article provides a summary of the first of the bill’s two parts, the new act addressing AI, cybersecurity, and children’s privacy, as well as tips for public sector institutions on how to be prepared for the new obligations. Part two of this post will cover the amendments to the Freedom of Information and Protection of Privacy Act.  

Novel Obligations Relating to AI

In its first part, Bill 194 introduces the Enhancing Digital Security and Trust Act, 2024 with requirements related to the deployment and management of AI systems within public sector entities. These include obligatory measures for entities to inform the public about AI usage, develop robust accountability frameworks, and implement risk management processes. Entities must comply with specific regulations, such as ensuring oversight and transparency in AI operations. Furthermore, the bill prohibits the use of AI systems under certain conditions, safeguarding against potential misuse and reinforcing the ethical use of technology in public administrations.

While the bill outlines the fundamental requirements for AI systems, many specifics are left to be determined by subsequent regulations. This includes the exact nature of the information to be disclosed to the public, the composition and details of the accountability frameworks, the specific risk management steps to be implemented, and crucially, what constitutes prohibited uses of AI. From the time Bill 194 comes into force until these regulations are developed and enacted, public-sector entities will face a period of uncertainty regarding the full scope of their obligations under the new law. This transitional phase requires entities to stay adaptive and prepared to align with new regulations as they emerge to ensure full compliance and continued protection of public trust in digital operations.

Tips for preparation:

1. Stay Informed: Government entities should closely monitor developments related to the forthcoming regulations under Bill 194. This includes participating in any public consultations or feedback opportunities which can provide insights into potential regulatory directions.

2. Assess Current AI Systems: Conduct a thorough inventory and assessment of all AI systems currently in use. This should include identifying the purposes for which AI is used, understanding the data inputs and outputs, and evaluating the decision-making processes involved.

3. Develop Interim Policies: In anticipation of the new requirements, entities can start developing interim policies and frameworks that address accountability, transparency, and risk management in AI usage. These frameworks should be flexible to allow for adjustments once specific regulations are established.

4. Training and Awareness: Begin training programs for staff and management on the ethical use of AI and the importance of cybersecurity and privacy. This will not only prepare them for upcoming changes but also instill a culture of digital responsibility and awareness.

5. Engage with Experts: Consider consulting with AI ethics and legal experts to understand best practices in AI governance. This can help in shaping internal policies and preparing for the specific obligations that will be detailed in the regulations.

6. Prepare for Transparency: Develop mechanisms to enhance transparency in AI operations, such as methods for documenting AI decision-making processes and outcomes. This preparation will be beneficial in complying with the expected disclosure requirements to the public.

Cybersecurity Provisions

Bill 194 empowers the Lieutenant Governor in Council to make regulations pertaining to cybersecurity measures to be implemented by public sector entities as well as reporting obligations. Such regulations can include setting out roles and responsibilities, mandatory progress reports, education and awareness programs, and oversight requirements.

The Minister is in turn empowered to set technical standards with regard to cybersecurity measures and to issue directives in this regard.

Children's Privacy

Bill 194 also addresses the protection of children’s digital data insofar as it is collected, used, retained, or disclosed by children’s aid societies and school boards. It empowers the Lieutenant Governor in Council to make regulations that determine the manner of collection, use, retention, and disclosure of such data as well as reporting requirements to the Minister or a specified individual. The regulations may also prohibit the collection, use, retention, and disclosure for certain purposes and under certain condition to be specified by the regulations.

The Minister is in turn empowered to make regulations setting out technical standards children’s aid societies and school boards must follow when collecting, using, retaining, and disclosing children’s digital data, and when digital technology is made available for the use by children.

Children in this context refers to individuals under the age of 18.

Conclusion

As Ontario's public sector braces for the implementation of Bill 194, it's crucial to understand and prepare for the novel AI, cybersecurity and children’s privacy-related obligations. For organizations looking to ensure seamless compliance and develop or enhance their AI governance frameworks, engaging with experts like INQ Consulting can provide crucial guidance and strategic insights.

For more details on what will be required from public sector institutions under Bill 194, check out Part Two, which delves into the proposed amendments to the Freedom of Information and Protection of Privacy Act.

INQ Consulting specializes in data protection and AI governance, providing expert guidance to ensure your AI strategies not only innovate but also comply with evolving regulations. Partner with INQ Consulting to safeguard your business against potential legal and competitive risks in the AI landscape.

Not sure where to get started? INQ’s portfolio of AI services is customized to fit your specific needs and get you AI-ready. To learn more, visit our website at www.inq.consulting or contact us at ai@inq.consulting. To keep up with the latest in AI news, subscribe to the Think INQ newsletter.