Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) stands as the cornerstone of Ontario’s public sector data governance. Yet, in our rapidly evolving digital landscape, even foundational laws need updating. In May 2024, the Ontario government introduced Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, aimed at modernizing the public sector’s cybersecurity, artificial intelligence and privacy protections for the digital age.
Bill 194 introduces the new Enhancing Digital Security and Trust Act, that will apply to the public sector entities and institutions, including the children’s aid society, colleges, universities, school boards and hospitals, as well as the municipal sector. The bill also introduces significant amendments to FIPPA, which will only apply to public sector entities and institutions.
The bill’s journey through the Ontario Legislative Assembly is ongoing. It’s currently at Second Reading, with proceedings resuming when legislators returned on October 21, 2024.
This article unpacks FIPPA’s current privacy mandates, explores Bill 194’s proposed changes, and offers a roadmap for organizations preparing for this potential privacy overhaul.
Status Quo – Current Obligations under FIPPA
The Freedom of Information and Protection of Privacy Act (FIPPA) is designed to uphold two fundamental principles: the right to access information held by public entities and institutions and the protection of individuals’ privacy in Ontario. The Act sets a foundational framework for how information is managed, accessed, and protected, delineating clear obligations for public institutions while balancing this against the need to safeguard personal information.
Access to Information
FIPPA grants individuals the right to access records or part of records in the custody or under the control of public sector entities and institutions, emphasizing transparency and accountability. Under Section 10, any person can request access to records, subject to (1) specific exemptions, (2) frivolous or vexatious requests, (3) specifically excluded records, and (4) another law overrides FIPPA. Notably, the Act also outlines the need for institutions to preserve records, ensuring that information is maintained in a manner that supports access requests.
Exemptions from Disclosure
To balance the right of access with the need to protect sensitive information, FIPPA enumerates several exemptions of which some are considered mandatory and others, discretionary. These include but are not limited to:
- Cabinet documents and advice to government, which protect the confidentiality of governmental deliberations.
- Law enforcement records that, if disclosed, could harm enforcement efforts or legal proceedings.
- Information that could prejudice inter-governmental relations or those with Aboriginal communities.
- Third party information that could hinder competitive positioning if disclosed, such as information related to trade secrets, scientific, technical, commercial intelligence.
- Economic interests of Ontario, safeguarded to prevent harm from premature disclosure of economically sensitive information.
- Disclosure of personal information is generally prohibited, except under specific conditions such as with the individual’s consent, in urgent health or safety circumstances, for publicly accessible records, or under legal authorization. It is also allowed for research purposes that meet certain criteria, or when the disclosure does not constitute an unjustified invasion of privacy. Factors considered in assessing potential privacy invasions include the sensitivity of the information and the potential harm or benefit to the public.
There are also several exceptions to the exceptions that need to be considered carefully to ensure that the intended balance between transparency, access and protection of public interest is struck.
Access Procedure
FIPPA outlines a clear procedure for accessing information. Individuals wishing to access records must submit a formal written request. The institution, upon receipt, is obligated to forward the request appropriately if it does not have custody of the requested record or respond within a prescribed timeframe, with provisions for extending this period under specific circumstances. If access is denied, the institution must provide a detailed notice of refusal, explaining the reasons and exemptions applied, and advise the requester of their right to appeal the decision. This structured approach ensures that the process is transparent, with defined steps and timelines that promote a systematic and fair handling of information requests.
Privacy Protections
Part III of FIPPA underscores the commitment to individual privacy, regulating the collection, retention, use, and disclosure of personal information. The Act states that personal information can only be collected for expressly stated, lawful purposes and must be directly obtained from individuals wherever possible.
With limited exception, a notice requirement applies that requires organizations subject to FIPPA to inform individuals of the collection, the legal authority for the collection, its purpose(s), and the contact information of a public official to whom questions can be addressed.
Information can only be further disclosed under the specific circumstances listed in the Act, and it must be retained according to guidelines that prevent unauthorized access, use, or disclosure, and disposed of as required by regulations.
Use and Disclosure
The use of personal information is restricted to purposes consistent with the reasons for which it was collected, when individuals consent to the use and, for educational institutions and hospitals, for their fundraising activities. The Act gives the right to individuals to withdraw their consent to the use of their personal information when it is used for fundraising purposes. FIPPA also describes the circumstances for which personal information can be disclosed, including under an access request, as described in Part II, when individuals have consented, when the disclosure aligns with the purpose for which it was collected, as well as under specific circumstances where disclosure is permitted by law. This ensures that personal data is not misused or disclosed without justification.
List of Institutions and Personal Information Banks
In addition to these provisions, FIPPA requires the publication of detailed annual compilations that list all institutions subject to the Act. These compilations must include information on where to make records requests, the heads of each institution, where relevant materials can be accessed, such as in a public library or online, and a list of the general classes or types of records each institution holds.
Public institutions are further required to maintain indexes of personal information banks, detailing the types of personal information held and the purposes for which it is used. This enhances transparency and provides individuals with the ability to scrutinize how their personal information is managed.
Bill 194’s Proposed Changes to FIPPA
Bill 194 introduces several amendments to FIPPA that refine the framework around the handling of personal information by public sector institutions. Key amendments include
- the introduction of mandatory privacy impact assessments (PIAs),
- new breach reporting and notification requirements,
- enhanced security safeguard, and
- new order making powers for the IPC.
Privacy Impact Assessments
Under the proposed changes, FIPPA institutions are required to perform PIAs before collecting personal information. This requirement is designed to document the collection, use, retention and disclosure of personal data and to manage risks to individuals in case of a breach.
While the concept of PIAs is not entirely new to the public sector in Ontario – the Information and Privacy Commissioner of Ontario (IPC) published the IPC PIA Guidelines in 2015, which recommend PIAs be performed mainly when new technologies or systems are considered that could impact the privacy of individuals. Bill 194 goes further, requiring that a PIA be carried out prior to the collection of personal information.
Detailed Requirements of the PIA
Bill 194 defines the contents of a PIA, which must be:
- Defining the purpose(s) for collecting personal information and the reasons why the personal information is necessary to achieve the stated purpose(s).
- Citing the legal authority that allows or mandates the collection, use, and disclosure of this data.
- Describing the types of personal information to be collected and the methods of its use or sharing.
- Identifying the sources from which personal information will be obtained and listing which position titles within the organization will have access to this information.
- Stating any limitations or restrictions imposed to the collection, use, or disclosure of the personal data.
- Outlining the retention period for the personal information in compliance with regulatory requirements.
- Describing the administrative, technical, and physical safeguards that will be implemented to protect the personal information.
- Providing a summary of the potential risks to individuals in the event of a data breach, including steps to prevent or mitigate such risks.
Data Breach Reporting and Notifications
Another significant amendment proposed by Bill 194 relates to the handling and reporting of personal data breaches, which is currently not mandated under FIPPA but very much the standard under other privacy laws nationally and around the globe. The proposed amendments require that the head of a public sector institution notify both the Commissioner and affected individuals if there is a privacy breach involving theft, loss, or unauthorized use or disclosure of personal information. This obligation applies only under conditions where there is a reasonable belief that the privacy breach presents a real risk of significant harm to individuals, or under other specified circumstances.
The notification to individuals must include:
- Information about their right to make a complaint to the Commissioner regarding the breach.
- Any additional details as prescribed by upcoming regulations, which will also specify the form and manner of the notification.
Notifications must be issued “as soon as feasible” once it is determined that a breach has occurred. The definition of “real risk of significant harm” encompasses various adverse effects, such as bodily harm, humiliation, damage to reputation or relationships, financial loss, and more. The assessment of risk involves considering the sensitivity of the personal information, the likelihood of its misuse, the mitigation actions that can be taken to reduce the risk of harm.
Furthermore, institutions are required to maintain detailed records of all privacy breaches that pose a real risk of significant harm, with specific record-keeping procedures to be outlined by regulatory guidance. For now, the bill does not require keeping records of all breaches, and is silent as to the documentation of the reasons why the institution determined that a privacy breach did not pose a real risk of significant harm, as it is required under PIPEDA.
Explicit Security Safeguards
Bill 194 adds an express requirement for institutions to take reasonable administrative, physical and technological measures to protect the personal information it processes from incidents such as theft, loss and unauthorized use and disclosure, in addition to unauthorized copying, modification or disposal.
Enhanced Powers for the Commissioner
Finally, Bill 194 gives the authority to the Commissioner to conduct a review of an institution’s practices related to the processing of personal information, and their compliance with the legal obligations under FIPPA, after receiving a confidential complaint. It outlines dispute resolution mechanisms as well as powers to produce information required during a review and in the custody of an institution. The bill also adds a whistleblowing provision, with confidentiality obligations for the whistleblower.
The sum of the proposed changes in Bill 194 are aimed at tightening the controls over personal information by public institutions, enhancing transparency and accountability, and reinforcing the protections afforded to individual privacy under FIPPA.
How to Prepare for the Upcoming Changes
Organizations subject to FIPPA should take proactive steps to prepare for the proposed amendments introduced by Bill 194. Here’s a strategic approach to get ahead of these potential privacy reforms:
- Establish a PIA Framework: Develop a comprehensive Privacy Impact Assessment process that can be integrated into your data collection and management practices. This should include templates, guidelines, and training for staff to ensure consistent and thorough assessments.
- Review Personal Data Collection Practices: Conduct an audit of current personal information collection activities. Identify the types of data collected, their sources, uses, and the legal basis for each collection. This inventory will serve as a foundation for future PIAs.
- Strengthen Data Breach Protocols: Develop incident response plans including specific procedures for identifying, assessing, and reporting privacy breaches that may pose a significant risk of harm. Develop clear criteria for determining when a breach meets the notification threshold and document breaches in a registry.
- Enhance Security Measures: Bolster administrative, technical, and physical safeguards to protect personal information. This may involve updating security technologies, revising access controls, and implementing stronger data encryption practices.
- Retention, Anonymization and Destruction: Ensure personal information is only retained as long as it is necessary to achieve the purposes for which it was collected. Consider anonymization, de-identification and privacy enhancing techniques to minimize risks. Destroy personal information once it is no longer needed or useful.
- Train Staff: Provide comprehensive training to employees on the new requirements, particularly focusing on conducting PIAs and recognizing potential data breaches. Ensure that staff understand the importance of privacy protection and their role in maintaining the protection of personal information.
By taking these steps, public institutions can position themselves to smoothly transition to a modernized privacy framework that Bill 194 may usher in, ensuring continued compliance and robust protection of personal information. For expert guidance in navigating these changes and implementing these preparatory measures, don’t hesitate to reach out to Etika Privacy. Our team of specialists can provide tailored support to ensure your organization is fully prepared for the evolving privacy landscape.
October, 25th, 2024
Authors:
Bernadette Sarazin – CEO and Chief Privacy Officer
Kathrin Gardhouse – VP – AI and Data Governance
