
On May 13, 2024, the Government of Ontario introduced new legislation intended to strengthen cyber security, enhance privacy protections, and ensure the responsible use of artificial intelligence (AI) within the public sector, with a particular focus on safeguarding children and modernizing digital service delivery. Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, will establish regulation-making authorities to set information protections for children, empower the Minister of Public and Business Service Delivery to lead cyber security initiatives for vulnerable sectors, introduce accountability and transparency requirements for the use of AI in the public sector, and mandate privacy breach notifications and privacy impact assessments.
A number of helpful articles have already been published to help institutions understand Bill 194, with many focusing on the proposed provisions relating to cybersecurity, AI regulation and the regulation of technology affecting minors:
- Bill 194 – The new Enhancing Digital Security and Trust Act, 2024 and changes to Ontario’s Freedom of Information and Protection of Privacy Act (Borden Ladner Gervais LLP)
- Unpacking Ontario’s Proposed Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (McMillan LLP)
- New Ontario Bill 194 to Reform FIPPA and Introduce Mandatory Privacy Breach Reporting (Blake, Cassels & Graydon LLP)
- Bill 194, Part I: FIPPA Amendments & Bill 194, Part II: Enhancing Digital Security and Trust Act, 2024 (Lerners LLP)
Additionally, for institutions which fall under the Freedom of Information and Protection of Privacy Act (FIPPA), Bill 194 introduces revised privacy breach reporting and notification requirements, with a new “real risk of significant harm” threshold for reporting privacy breaches, and also makes the use of Privacy Impact Assessments (PIAs) mandatory in certain circumstances.
Privacy Impact Assessments (per IPCO)
Privacy Impact Assessments can be thought of as a “warning system” that helps ensure management is aware of the privacy implications of a proposed plan of action.
As described by the Information and Privacy Commissioner of Ontario (IPCO), “A PIA is a risk management tool used to identify the actual or potential effects that a proposed or existing information system, technology, program, process or other activity may have on an individual’s privacy.”
Traditionally, IPCO has recommended conducting a PIA whenever there is a new project, or changes to an existing program, process or system, that will involve the collection, use, retention, disclosure, security or disposal of personal information. Such projects may include the implementation of a new or revised service delivery model or the adoption of a new information technology system.
IPCO has suggested performing the following steps when conducting a PIA (source: IPCO, Planning for Success: Privacy Impact Assessment Guide):
- Collect specific information about the project, the key players and stakeholders and the type of and manner in which personal information will be collected, used, retained, disclosed, secured or disposed of.
- Using information gathered in the previous step, identify FIPPA or MFIPPA requirements and potential risks and impacts to privacy.
- Consider ways to reduce or eliminate the risks and impacts identified.
- Assess proposed solutions and their benefits.
- Obtain approval to proceed with recommended solutions.
- Document findings and chosen solutions in a PIA Report.
- Proceed with the project, ensuring that the recommendations from your PIA are fully incorporated in the project plans and implemented.
Privacy Impact Assessments (per Bill 194)
The language in Bill 194 regarding Privacy Impact Assessments is somewhat different from the IPCO guidance referred to above.
First, the language of Bill 194 states that PIAs are mandatory “before collecting personal information”. This would seem narrower than IPCO’s recommendation of conducting a PIA whenever there is a new program or even changes to a program involving personal information.
Second, Bill 194 offers a new description of what is required in a PIA, as follows:
4(1)(3) Unless the regulations provide otherwise, before collecting personal information, the head of an institution shall ensure that a written assessment is prepared that contains the following information respecting any personal information that the institution intends to collect:
- The purpose for which the personal information is intended to be collected, used and disclosed, as applicable, and an explanation of why the personal information is necessary to achieve the purpose.
- The legal authority for the intended collection, use and disclosure of the personal information.
- The types of personal information that is intended to be collected and, for each type of personal information collected, an indication of how the type of personal information is intended to be used or disclosed.
- The sources of the personal information that is intended to be collected.
- The position titles of the officers, employees, consultants or agents of the institution who will have access to the personal information.
- Any limitations or restrictions imposed on the collection, use or disclosure of the personal information.
- The period of time that the personal information would be retained by the institution, in accordance with subsection 40 (1).
- An explanation of the administrative, technical and physical safeguards and practices that would be used to protect the personal information in accordance with subsection 40 (5) and a summary of any risks to individuals in the event of a theft, loss or unauthorized use or disclosure of the personal information.
- The steps to be taken by the institution, i. to prevent or reduce the likelihood of a theft, loss or unauthorized use or disclosure of personal information from occurring, and ii. to mitigate the risks to individuals in the event of such an occurrence.
- Such other information as may be prescribed.
Source: Bill 194, 1st Session, 43rd Legislature, Ontario, 2 Charles III, 2024
This revised PIA language in Bill 194 raises some questions that may require further clarification:
- Will IPCO continue to recommend conducting a PIA in all of the scenarios outlined in its original guidance, including whenever a program involving personal information is established or changed, or does the legislation serve to limit the types of projects that necessitate a PIA going forward?
- Are IPCO’s original recommendations on how to conduct a PIA still in effect, or will adhering to the requirements outlined in Bill 194 be sufficient?
- The new PIA requirement refers to “regulations that may provide otherwise”. What regulations should we expect? And will IPCO be proposing anything here?
What about institutions that fall under MFIPPA?
The legislative amendments in Bill 194 apply only to FIPPA, but at least some of the amendments will affect municipalities, police services, school boards and other institutions that fall under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) as well.
Bill 194 introduces a new term, “public sector entity” which captures both types of institutions: those covered by FIPPA as well as those covered by MFIPPA. Many of the changes in Bill 194 are applicable to all “public sector entities”, including the new requirements around cyber security and the use of artificial intelligence.
However, at least in the current draft of Bill 194, the new mandatory privacy breach reporting and privacy impact assessment requirements apply only to “institutions”, which serves to limit their application to institutions as defined under FIPPA. Presumably, the intention is to exclude MFIPPA institutions from the new mandatory breach reporting and PIA requirements—at least for now!
No changes to the FOI Process
Other than a minor amendment to the year-end statistical reporting process which will require provincial institutions falling under FIPPA to include “the number of thefts, losses or unauthorized uses or disclosures of personal information” in their annual report, there appear to be no changes to the FOI request process in Bill 194.
Consultation is still open
The official consultation on Bill 194 will remain open until June 11, 2024 so there is still time for institutions and members of the public to make submissions. The Association of Municipal Managers, Clerks and Treasurers of Ontario (AMCTO) is collecting comments and concerns on the proposed legislation as well.
The FOI Assist Software
The FOI Assist software is continually updated to reflect any changes to FIPPA, MFIPPA, and relevant updates from the Information and Privacy Commissioner of Ontario. This ensures that when you use FOI Assist to track and respond to FOI requests, you can be confident you are relying on the most current legislation and guidance.
To learn more about how the FOI Assist software can Make Freedom of Information EasyTM at your institution, contact FOI Assist or book a demonstration today.