On July 1, 2025, notable amendments to the Freedom of Information and Protection of Privacy Act (the “Act”) came into force. The amendments, introduced under Schedule 2 of Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, aim to enhance personal information protections by modernizing Ontario’s digital privacy rules and aligning the province’s privacy framework with best practices from other jurisdictions.
The definition of “Institution” under the Act includes Ontario government ministries, certain service provider organizations, hospitals, and certain agencies, boards, commissions, corporations, and other designated bodies.
Section 38 of the Act requires Institutions to complete a Privacy Impact Assessment (“PIA”) containing certain prescribed information in respect of any personal information that the Institution intends to collect, and to update the PIA before making any significant change to the purpose for which the personal information is used or disclosed.
In a shift from the previous framework, where breach reporting was voluntary and merely recommended by the Information and Privacy Commissioner of Ontario (the “IPC”), it is now a legal requirement to report certain privacy breaches. Under Section 40.1 of the Act, Institutions must notify both the IPC and the affected individuals where it is reasonable to believe that the breach presents a real risk of significant harm to the individual or if any other prescribed circumstances exist. Additionally, Institutions are required to submit an annual report to the IPC detailing privacy breaches that met the “real risk of significant harm” threshold, among other reporting requirements.
Institutions are also now required to implement reasonable safeguards (see Section 40 of the Act) to protect personal information against theft, loss, unauthorized use, disclosure, copying, modification, or disposal. Previously, no information protection requirements were imposed.
Finally, the IPC is now authorized under Section 49.0.1 of the Act to review the practices of Institutions if the IPC has received a complaint. Following such a review, the IPC may make certain orders requiring corrective action or recommendations to improve Institutions’ practices.
For additional information on the new amendments to the Act, the IPC has released guidance available here.
Summary By: Uday Bahal
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.