New Law Governing Cybersecurity, AI and Privacy in the Ontario Public Sector – Are you Ready?
10/01/2025
On November 25, 2024, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (“Bill 194”) passed Third Reading and received Royal Assent at the Legislative Assembly of Ontario.
Bill 194 (i) enacts the Enhancing Digital Security and Trust Act (“EDSTA”) and (ii) introduces changes to the Freedom of Information and Protection of Privacy Act (“FIPPA”), which together create significant new obligations regarding privacy, cyber security, and the use of artificial intelligence (“AI”) for Ontario’s public sector entities, including provincial and municipal institutions, as well as children’s aid societies and school boards. The provincial government will announce the date on which EDSTA and the amendments to FIPPA will come into force and introduce regulations containing specific requirements.
What Legislative Changes Are Coming?
EDSTA would allow the government, by regulation, to:
- Regulate how public sector entities, identified by regulation, use AI systems, including:
  - An obligation to inform the public about the use of AI;
  - An obligation to develop and implement an accountability framework;
  - An obligation to manage risk associated with the use of AI; and
  - An obligation to provide certain human oversight.
- Regulate how children’s aid societies and school boards collect, use, retain or disclose digital information relating to individuals under the age of 18.
- Require public sector entities to develop and implement cyber security programs and submit reports on cyber security. The legislation also provides that the Minister can set, by regulation, cyber security technical standards as well as incident reporting requirements, which differ from privacy breach reporting requirements and are most likely to be triggered by a cyberattack.
The amendments to FIPPA would:
- Require institutions to conduct privacy impact assessments before collecting personal information.
- Mandate that public institutions report privacy breaches to the Information and Privacy Commissioner of Ontario and notify affected individuals.
- Increase the Commissioner’s investigative powers with respect to the information practices of public institutions.
- Expand FIPPA’s offence provisions to include contraventions with respect to the collection and use of personal information, in addition to the disclosure of personal information.
How Does This Impact Your Organization?
With Bill 194’s Royal Assent, public sector entities in Ontario now face very significant new privacy and cyber security obligations, as well as Canada’s first AI-specific regulatory requirements for public institutions. Public institutions should continue to pay close attention to these developments to ensure compliance. Private sector organizations should stay informed about potential regulatory changes that may impact how they do business with provincial and municipal institutions.
How Can You Prepare For These Changes?
Contact Mara Consulting for further information or help with updates to your privacy management program, developing a cybersecurity program, or developing an AI governance framework to ensure you are ready for these changes.