Recent Amendments to FIPPA: Understanding Privacy Breach Obligations for Public-Sector Organizations in Ontario

September 19, 2025 | Tina Saban, Catherine Hart and Naomi Chernos

In November 2024, the Ontario Legislature passed Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, which introduced amendments to the Freedom of Information and Protection of Privacy Act (FIPPA).[1]

FIPPA’s amendments came into force on July 1, 2025 and introduced, among other changes, breach reporting and notification obligations that apply to public institutions such as hospitals, government agencies, boards, commissions, and other bodies designated by regulation. The introduction of these mandatory breach obligations for the public sector brings FIPPA into alignment with existing public sector privacy regimes in other provinces across Canada.

These new obligations will also indirectly impact private sector service providers who do business with public institutions, who should anticipate that institutions will require commitments from them going forward to ensure compliance.

Notably, as the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) was not similarly updated, these mandatory reporting and notification obligations do not currently apply to public institutions under MFIPPA, including municipalities, school boards, libraries, and local police forces. It is expected that similar updates to MFIPPA will be forthcoming. The Office of the Information and Privacy Commissioner of Ontario (IPC) has encouraged MFIPPA institutions to proactively adhere to new IPC guidance on managing breaches.[2]

In this article we outline the new breach requirements as well as steps that public institutions and service providers to such institutions can take to prepare for these new obligations.

Breach Notification Trigger

As of July 1, 2025, public institutions subject to FIPPA are required to report to the IPC and notify impacted individuals of any “theft, loss or unauthorized use or disclosure of personal information in the custody or under the control of the institution if it is reasonable in the circumstances to believe that there is real risk that a significant harm to an individual would result.”[3]

The inclusion of a “real risk of significant harm” (RROSH) threshold aligns with the majority of breach reporting and notification regimes across Canada and requires institutions that have become aware of any theft, loss, or unauthorized use or disclosure of personal information to assess whether the incident poses a RROSH to the affected individuals in order to determine if the reporting and notification obligations are triggered.

Under FIPPA, a “significant harm” is broadly defined to include not just financial loss and identity theft, but also “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, […] negative effects on the credit record and damage to or loss of property”.[4]

Real Risk of Significant Harm (RROSH) Factors

FIPPA sets out factors that are relevant to determining whether a privacy breach creates a RROSH to an affected individual. These include:

  • the sensitivity of the personal information;
      ◦ as noted in recently issued guidance from the IPC,[5] institutions should consider both the type of information and the context and circumstances of the breach, including that certain types of information will generally be considered sensitive because of the specific risks to individuals (e.g., ethnic and racial origins, political opinions, genetic and biometric data, sex life or sexual orientation, geolocation data, religious/philosophical belief or disciplinary records);
      ◦ breaches of sensitive personal information (e.g., health information, financial information, or government-issued identifiers) are more likely to result in significant harm; and
      ◦ the number of data elements involved in a breach can also affect sensitivity, and consideration should also be given to whether the exposed data elements could be combined with other publicly available information to cause significant harm;
  • the probability that the personal information has been, is being or will be misused;
      ◦ in addition to considering the context of the incident, institutions should consider what is known about the person who caused the breach, their intent and their relationship to the affected individuals, how long the information was exposed, whether the data is encrypted or has been recovered, and whether the information is in the possession of malicious actors or persons posing a safety or reputational risk;
  • the availability of steps that the individual could take to reduce the risk of the harm occurring or mitigate the harm should it occur (for instance, via password changes, credit monitoring, bank alerts, or legal steps); and
  • any direction, recommendation or guidance provided by the IPC pertaining to what constitutes a RROSH (which would include decisions and guidance posted to their website) or any other factor prescribed in regulations.[6]

Timing, Content and Record Keeping Requirements and Considerations

If an institution is required to report a privacy breach and notify affected individuals, it must do so “as soon as feasible”.[7] The institution will be required to provide the IPC and affected individuals with detailed information, including a description of the circumstances of the breach, the personal information affected and the steps taken to contain, remediate and mitigate the breach. The notice to affected individuals must inform the individual of their right to complain to the IPC.[8]

Institutions must maintain a record of every privacy breach that was reported to the IPC and provide a copy to the IPC upon request.[9] The number and types of such breaches must also be included in the institution’s annual report to the IPC.[10]

Complying with the New Obligations

Responding to a privacy breach can be a resource intensive and costly exercise; however, institutions can implement proactive measures to help them prepare, including:

  • ensuring that they maintain a documented privacy breach response plan or protocol in place that sets out the roles and responsibilities of management and staff and includes clear contact information for those internal personnel who must be immediately notified;
  • periodically testing their response plan or protocol through simulated exercises to make sure that everyone involved knows what to do in the event of a privacy breach and acts in a timely and coordinated manner;
  • proactively engaging with insurance providers and third-party cybersecurity experts to ensure that all parties understand their roles and responsibilities in the event of a breach;
  • reviewing existing written privacy policies and procedures to ensure they reflect the new statutory requirements;
  • conducting privacy impact assessments and creating data inventories to know what information is collected by the institution, where it is stored and who can access it;
  • reviewing agreements with third-party service providers to ensure that service providers are required to promptly notify the institution of any privacy breaches that impact personal information under the custody or control of the institution; and
  • reviewing privacy training materials to ensure that all personnel within the institution are trained on how to escalate suspected breaches.

As noted above, while organizations that provide services to institutions are not directly subject to these new rules, they should anticipate that institutions will require robust information security and breach response commitments from them going forward. It would be prudent for service providers to also review their written policies and procedures, incident response plans and protocols and training materials to ensure they will be able to meet contractual commitments required by the institution.

[1] The bill also introduced a new law applicable to public sector entities, the Enhancing Digital Security and Trust Act, 2024, which sets out a framework for future rules on cyber security, artificial intelligence and children’s privacy in the public sector.

[3] FIPPA, s. 40.1.

[4] FIPPA, s. 40.1(10).

[6] There are no additional prescribed factors currently.

[7] FIPPA, s. 40.1.

[8] Ibid., s. 40.1.

[9] Ibid., s. 40.1(8).