The Government of Ontario has introduced a new bill aimed at enhancing cybersecurity and establishing a robust framework for the responsible use of artificial intelligence (AI) in the public sector. The Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194), if passed, will enact the Enhancing Digital Security and Trust Act, 2024, and amend the Freedom of Information and Protection of Privacy Act (FIPPA). This legislation is set to impact various public services, including education, healthcare, and children’s services, providing new protections and setting standards for digital security and privacy.

The primary goal of the Act is to mitigate risks associated with cybersecurity and AI systems within Ontario’s public sector. It aims to create a uniform standard for cybersecurity and AI system requirements across organizations, particularly those operating in critical public services. The Act defines “artificial intelligence systems” as machine-based systems that infer from inputs to generate outputs like predictions, recommendations, or decisions, influencing physical or virtual environments. This definition underscores the Act’s focus on ensuring these systems are used responsibly and transparently.

Bill 194 mandates that public sector entities develop and implement comprehensive cybersecurity programs. These programs must include defining roles and responsibilities, regular progress reporting, education and awareness initiatives, and incident response and recovery measures. Additionally, an incident reporting scheme is required to ensure timely and effective management of cybersecurity incidents.

For AI systems, the Act stipulates several key requirements. Public sector entities must disclose the development and use of AI systems publicly, implement accountability frameworks, and establish risk mitigation strategies. Furthermore, human oversight and governance are emphasized, ensuring that AI systems are used and reported on responsibly. This includes clear communication about how AI systems influence decisions and actions within public sector workflows.

The Act also introduces standards and reporting obligations for digital technologies affecting minors. Children’s aid societies and school boards will be required to adhere to specific regulations regarding the collection, use, retention, and disclosure of digital information related to individuals under 18. These measures aim to protect the privacy and digital well-being of minors in Ontario.

Bill 194 proposes significant amendments to FIPPA, enhancing the responsibilities of public sector institutions regarding the protection of personal information. These amendments include expanded obligations to protect personal information against unauthorized access, theft, or destruction. Institutions will now be required to conduct Privacy Impact Assessments (PIAs) before collecting personal information. PIAs will evaluate the purpose, legal authority, type, source, retention period, and safeguards for personal information, ensuring comprehensive risk management.

The new bill aligns with federal standards by adopting the “real risk of significant harm” threshold for privacy breach notifications. Institutions will be required to notify the Information and Privacy Commissioner of Ontario (IPC) and affected individuals of any privacy breaches that present a significant risk of harm. This notification must include details about the breach and inform individuals of their right to file a complaint with the IPC.

Bill 194 enhances the IPC’s authority, allowing the Commissioner to review an institution’s information practices if a complaint is received or if there are concerns about compliance with privacy safeguards. The IPC can order institutions to discontinue or modify information practices, destroy personal information, or implement new practices to ensure compliance with the Act.

The bill also introduces new requirements for obtaining consent for the retention and use of “customer service information.” This information includes personal details such as gender identity, preferred language, contact information, and transaction records. Public sector organizations must obtain explicit consent from individuals to retain and use this information for providing designated services.

Need Help?

If you’re wondering how Bill 194, or any other AI regulations and laws worldwide could impact you and your business, don’t hesitate to reach out to BABL AI. Their Audit Experts can address your concerns and questions while offering valuable insights.