On March 13, 2026, the Ontario government announced that it will be updating its Cyber Security, Privacy and Access to Information framework to strengthen data protection for Ontarians, including stronger cyber security rules for public services and updated Freedom of Information (FOI) timelines and processes.

Ontario’s current framework, introduced in 1988, has gone nearly 40 years without any major updates. Over that time, advances in technology and digital data usage have outpaced existing legislation, leaving gaps in protection against modern privacy risks and cyber security threats. 

To address these challenges, the proposed updates introduce stronger cyber security rules across the broader public sector and modernize processes under the Freedom of Information and Protection of Privacy Act (FIPPA).

Key changes to FIPPA include (among other things): updating FOI response timelines from 30 calendar days to 45 business days to provide more flexibility to manage large and complex requests; requiring public institutions to provide timely and reasonable assistance to requestors when requests lack sufficient detail; and codifying the practice of releasing large volumes of information to the requestor as processing continues to enable requestors to access the information quickly and allow more time to process the requests. Notably, records from the premier, cabinet, ministers, parliamentary assistants and their offices would be excluded from FOI requests under these new changes.

The updated framework also prioritizes strengthening cyber security and data protection to reflect modern-day practices. Mandatory cyber security measures would be introduced for vital public services including hospitals, school boards, children’s aid societies and post-secondary institutions. This includes a requirement for school boards to notify parents or guardians when students’ personal information is disclosed to third-party software. In addition, with the goal of enhancing Ontario’s ability to prevent and respond to cyber attacks, the updates will require broader public sector organizations to complete cyber maturity assessments every two years, report critical incidents and designate a single point of contact for cyber security events. Further, the updates would allow certain information contained in employee accounts, such as email accounts, to move with individuals across public sector roles, reducing disruption during job transitions.

The Ontario government’s announcement states that these changes will support increased data security and greater privacy.

The exclusion of previously accessible government documents has been criticized.

Summary By: Victoria Di Felice

 

E-TIPS® ISSUE

26 03 25


E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.