What Bill 194 Requires (and What You Can Do Now)
Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, has changed the privacy and data protection standards across Canada. According to Statistics Canada, 38.5% of Canadians live in Ontario, so approximately 40% (give or take) of your national database is in scope of this new law.
“Schedule 2 of Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, amends the Freedom of Information and Protection of Privacy Act (FIPPA). Changes relate to how provincial institutions subject to FIPPA protect personal information, conduct privacy impact assessments, and report privacy breaches, among other things. Most of these new provisions take effect on July 1, 2025.”
And if this is in place for provincial institutions, it is reasonable to expect these same standards will be applied to the private sector shortly.
Here are a few things you need to know…
1. Mandatory Privacy Impact Assessments (PIAs)
Starting July 1, 2025, any institution governed by FIPPA must conduct a written PIA before collecting personal information and update it whenever the purpose of the collection changes.
The PIA must clearly state:
- Why you’re collecting the information and under which legal authority.
- What kind of personal data is involved, how it will be used or disclosed, its sources, and its retention periods.
- Who will have access to it and whether it will be shared (and with whom).
- What safeguards are in place (administrative, technical, physical).
- Step-by-step risk mitigation strategies.
If requested, these PIAs must be shared with the Information and Privacy Commissioner of Ontario (IPC) (source: IPC Ontario).
2. Breach Reporting and Notification
As of July 1, 2025, institutions must assess whether any privacy breach (theft, loss, or unauthorized use or disclosure) poses a Real Risk of Significant Harm (RROSH).
If it does, you must:
- Report the breach to the IPC as soon as possible.
- Notify affected individuals promptly, unless legally prohibited (source: IPC Ontario).
3. Annual Statistical Reporting
Beginning in 2026, institutions must submit an annual breach statistics report to the IPC covering the previous year’s relevant incidents (those meeting RROSH or other criteria). The first report, covering July–December 2025, is due March 31, 2026 (source: IPC Ontario).
4. IPC’s Expanded Oversight Powers
The IPC now has new authority to:
- Review institutional privacy and security practices and any documented policies and procedures regarding privacy and security.
- Issue corrective orders, with a date to comply, when non-compliance is identified.
- Keep whistleblower identities confidential.
- Conduct joint investigations with other privacy authorities (sources: IPC Ontario; Legislative Assembly of Ontario).
5. Cybersecurity, AI, and Children’s Data – A Framework to Follow
Bill 194 also introduces a new law, the Enhancing Digital Security and Trust Act, 2024 (EDSTA), which:
- Empowers the government to create regulations about cybersecurity programs.
- Allows directives on AI system usage, accountability, and disclosure.
- Includes specific protections for digital information regarding minors.
Many of these details are set to be defined through upcoming regulations, but preparing now can smooth the way (sources: Dentons Data; Legislative Assembly of Ontario).
Why It Matters Now
- It’s in effect, or coming fast. Some parts (like whistleblower protections and the IPC’s new powers) are already live; the major privacy requirements kick in mid-2025 (sources: WeirFoulds LLP; IPC Ontario).
- Non-compliance has real consequences. The IPC can launch reviews, order changes, and intervene, prompting operational delays or reputational damage.
- This is modern privacy 101. Even if you’re not a public body, clients and partners may soon expect you to align with these standards to maintain trust.
What You Should Do, Stat
- Set up or refine your PIA process: determine templates, approval flows, and update mechanisms. Understand when a PIA is required.
- Build breach handling protocols: ensure you can assess RROSH quickly, report accurately, and notify properly. A Breach Reporting Plan is critical. It should be documented, and breach practice drills should be scheduled.
- Track breach data systematically: prepare to file your first statistical report by March 31, 2026. It should cover the July 2025 – December 2025 period.
- Stay ahead of regulations: continuously monitor rule-making on cybersecurity, AI, and children’s data. With the power to issue regulations, the IPC can change the rules at any time. Be sure to have a structure that allows you to stay on top of these changes.
- Treat this as a trust-building opportunity, not just compliance. Communicate proactively with customers and business partners about your readiness.
Bottom line: Bill 194 is not just government red tape. It’s a critical step toward safeguarding the personal data of Canadians. For organizations managing a national database, understanding and acting on these obligations is vital. Not tomorrow, but today.