In November 2024, the Ontario Legislature passed Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, which introduced amendments to the Freedom of Information and Protection of Privacy Act (FIPPA).[1]
FIPPA’s amendments came into force on July 1, 2025 and introduced, among other changes, breach reporting and notification obligations that apply to public institutions such as hospitals, government agencies, boards, commissions, and other bodies designated by regulation. The introduction of these mandatory breach obligations for the public sector brings FIPPA into alignment with existing public sector privacy regimes in other provinces across Canada.
These new obligations will also indirectly impact private sector service providers who do business with public institutions, who should anticipate that institutions will require commitments from them going forward to ensure compliance.