The Ontario government recently introduced the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194), which aims to strengthen cybersecurity programs in the public sector and provide a foundation for the responsible use of artificial intelligence (AI) across various public sector organizations. If passed, Bill 194 will enact the Enhancing Digital Security and Trust Act, 2024 (the Act), which will make significant changes to the Freedom of Information and Protection of Privacy Act (FIPPA).
The Act and the FIPPA amendments could have significant impacts on provincial and local public services and create new digital protections for children. Below are key features of the proposed Act and FIPPA amendments.
Enhancing Digital Security and Trust Act, 2024
The Act aims to mitigate risks associated with cybersecurity and AI systems in Ontario's public sector, including organizations that deliver Ontario's critical public services in areas such as education, health care, and child services.
Defining an AI system
The Act formally defines an "artificial intelligence system" as "a machine-based system that, for explicit or implicit objectives, makes inferences from inputs it receives and generates outputs, such as predictions, content, recommendations, or decisions that affect the physical or virtual environment" (AI system).
Cybersecurity, AI, and technology regulations affecting minors in the public sector
While more detailed guidance is reserved for subsequent regulations, the Act creates uniform cybersecurity and AI system requirements for organizations operating in Ontario's public sector, including:
Cybersecurity
The obligation to develop, implement and manage a cybersecurity program with a compliant incident reporting mechanism, and specific requirements for such a cybersecurity program, including definition of roles and responsibilities, progress reporting, education and awareness efforts, and response and recovery activities related to incidents.
Artificial intelligence
Requirements for the use of AI systems: specifically, disclosure regarding their development and use, implementation of accountability frameworks, risk mitigation requirements, human oversight and governance of the use of AI systems, and reporting mechanisms.
Technology that affects minors
Standards, limitations and reporting obligations regarding the impact of digital technologies on minors provided by child welfare associations and school boards regarding the collection, use, retention and disclosure of digital information.
Freedom of Information and Protection of Privacy Act
Bill 194 introduces significant changes to FIPPA, which governs how the Ontario government and designated public sector entities ("Agencies") collect, use and disclose personal information. Notably, Bill 194 does not apply the same requirements to entities regulated by the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). Agencies must comply with the following new and expanded responsibilities:
Obligation to protect personal information
Privacy Impact Assessment (PIA)
Privacy breaches: reporting and notification requirements
If passed, Bill 194 would impose privacy breach notification and reporting requirements on agencies, in line with requirements for private organizations operating in the province.
Bill 194 adopts the "real risk of significant harm" standard for privacy breach notification and reporting from the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the handling of personal information by private organizations operating in Ontario. Bill 194 also mirrors PIPEDA's definition of "significant harm" and the factors for assessing the real risk of significant harm, such as the sensitivity and potential misuse of the personal information at issue, and any directions or guidance issued by the IPC.
Expanding the powers of the IPC
Bill 194 gives the IPC formal authority to review an agency's information practices based on a complaint or if the IPC determines that an agency has not complied with mandated privacy safeguards.
Before conducting a review, the IPC may attempt to resolve the issue through mediation, conciliation, or other informal dispute resolution means that the IPC deems appropriate. If, after giving the institution an opportunity to comment, the IPC determines that the information practices violate the protection of individual privacy, the IPC may order the institution to do any of the following, provided that it does not go beyond what is necessary to achieve compliance:
Discontinue or change the information practice; return, transfer or destroy personal information collected or held under the information practice; implement a different information practice; or implement recommendations about how to improve the information practice.
Consent to Retain and Use “Customer Service Information”
Bill 194 requires consent for the retention and use of collected "customer service information" and expands the definition to read as follows:
Personal information such as gender, gender identity, preferred language, date of birth, email address or other contact information, information provided by service providers such as order status, delivery status, product identification numbers, expiration dates, and communications between service provider organizations and individuals.
Next steps
The Ontario Government is currently seeking feedback on Bill 194. The comment period runs until June 11, 2024.
