Ontario Introduces Bill to Strengthen Cybersecurity and Trust in Public Sector AI

Written by Jeremy Werner

Posted on 06/21/2024

UPDATE — AUGUST 2025: Ontario’s Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194) is now law. The Act received Royal Assent on November 25, 2024, and key provisions are in effect. Since July 1, 2025, public sector entities must comply with mandatory breach notifications, privacy impact assessments, and expanded oversight by the Information and Privacy Commissioner of Ontario (IPC). These obligations apply to sectors such as education, healthcare, and children’s services. They cover new cybersecurity standards, AI governance duties, and enhanced privacy protections under the amended Freedom of Information and Protection of Privacy Act (FIPPA). While detailed rules for AI systems are still under development, compliance deadlines have already begun.

 

ORIGINAL NEWS STORY:

 


The Government of Ontario has introduced a new bill aimed at enhancing cybersecurity and establishing a robust framework for the responsible use of artificial intelligence (AI) in the public sector. The Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194), if passed, will enact the Enhancing Digital Security and Trust Act, 2024, and amend the Freedom of Information and Protection of Privacy Act (FIPPA). This legislation is set to impact various public services, including education, healthcare, and children’s services, providing new protections and setting standards for digital security and privacy.

 

Goals and Requirements

 

The Act seeks to reduce risks from cyberattacks and AI misuse. It creates a uniform standard for cybersecurity and AI governance across public institutions. Bill 194 defines AI systems as machine-based tools that use data inputs to generate outputs such as predictions, recommendations, or decisions. These outputs influence digital or physical environments, which makes transparency and accountability critical.

Public sector entities must implement cybersecurity programs that assign clear roles, provide training, and include reporting and incident response procedures. They must also report security incidents quickly to limit damage. For AI, institutions must disclose system use publicly, establish accountability frameworks, and set risk management strategies. Human oversight remains a central requirement, ensuring AI supports rather than replaces responsible decision-making.

 

Bill 194’s Amendments and Obligations

 

The Act also introduces standards and reporting obligations for digital technologies affecting minors. Children’s aid societies and school boards will be required to adhere to specific regulations regarding the collection, use, retention, and disclosure of digital information related to individuals under 18. These measures aim to protect the privacy and digital well-being of minors in Ontario.

 

Bill 194 proposes significant amendments to FIPPA, enhancing the responsibilities of public sector institutions regarding the protection of personal information. These amendments include expanded obligations to protect personal information against unauthorized access, theft, or destruction. Institutions will now be required to conduct Privacy Impact Assessments (PIAs) before collecting personal information. PIAs will evaluate the purpose, legal authority, type, source, retention period, and safeguards for personal information, ensuring comprehensive risk management.

 

The new bill aligns with federal standards by adopting the “real risk of significant harm” threshold for privacy breach notifications. Institutions will be required to notify the Information and Privacy Commissioner of Ontario (IPC) and affected individuals of any privacy breaches that present a significant risk of harm. This notification must include details about the breach and inform individuals of their right to file a complaint with the IPC.

 

Conclusion

 

Ontario’s new law marks a major step forward in cybersecurity, privacy, and AI governance for the public sector. Institutions must act quickly to update their systems and policies. More guidance on AI compliance is expected, but regulators have already made clear that the new standards are enforceable.

 
