Changes aim to strengthen data security, modernize privacy rules and align FOI policies nationwide
Ontario is moving to modernize its cyber security and privacy framework, introducing legislative updates intended to strengthen protection for personal data, streamline access to public information and align the province’s policies more closely with those used in other Canadian jurisdictions.
Announced Friday by the Ministry of Public and Business Service Delivery and Procurement, the proposed changes would introduce enhanced cyber security requirements for a wide range of public sector institutions while updating Freedom of Information (FOI) rules that have remained largely unchanged since the late 1980s.
The initiative is designed to address gaps in the province’s current privacy and information-access framework, which officials say has not kept pace with the technological transformation of government operations and digital communications over the past four decades.
“After nearly 40 years, we are modernizing Ontario’s privacy protections and bringing the province’s technology practices into the 21st century,” said Stephen Crawford, Minister of Public and Business Service Delivery and Procurement. “These updates will strengthen cyber security, protect cabinet confidentiality and ensure responsible modern governance.”
Framework designed before modern digital systems
Ontario’s existing access and privacy framework was introduced in 1988, well before email, mobile devices and cloud-based technologies became standard tools for government administration. As a result, provincial officials say the legislation no longer reflects the realities of modern digital systems or the volume of information handled by public institutions.
The outdated framework, the ministry said, can create unnecessary privacy risks for both government agencies and the public by failing to address contemporary cyber threats and evolving digital practices.
While most Canadian provinces and the federal government have updated their privacy and access legislation to reflect technological change, Ontario has not undertaken a major modernization of the framework since its introduction nearly four decades ago.
The proposed updates aim to close those gaps by strengthening data protection requirements, improving processes for accessing public information and reducing administrative burdens for public institutions.
Changes to Freedom of Information rules
One of the most significant elements of the proposal involves changes to Ontario’s Freedom of Information framework.
Under the plan, records belonging to the premier, cabinet ministers, parliamentary assistants and their offices would be excluded from the Freedom of Information and Protection of Privacy Act (FIPPA). Provincial officials say the change would bring Ontario more closely in line with practices used in other jurisdictions across Canada.
Currently, Ontario is one of only two jurisdictions in the country—alongside Nova Scotia—that does not explicitly exclude such records from FOI legislation. According to the government, the absence of this clarification weakens protections around cabinet decision-making and could undermine confidential discussions between ministers and their offices.
At the same time, the province says key transparency requirements would remain in place. Government decisions communicated to the public service, including formal direction from ministers, would continue to be subject to access rules.
Additional updates to the FOI system would also aim to improve clarity and efficiency. Institutions would be required to provide reasonable and timely assistance when information requests lack sufficient detail, helping applicants refine their requests and avoid unnecessary delays.
The framework would also formalize the practice of releasing large requests in stages while processing continues, allowing requesters to receive portions of information more quickly.
Response timelines for FOI requests would also change. The province proposes extending the standard response period to 45 business days while updating terminology and procedures to provide greater flexibility in handling large or complex requests.
Expanded cyber security requirements
Alongside FOI reforms, the proposed framework would introduce strengthened cyber security requirements for institutions delivering essential public services.
Hospitals, school boards, children’s aid societies and post-secondary institutions would be required to implement mandatory cyber security practices under the updated rules.
The government says these measures are designed to improve protection against cyber threats and enhance the province’s ability to prevent and respond to cyber incidents affecting critical public services.
New notification requirements would also be introduced for schools. School boards would be required to inform parents or guardians when students’ personal information is shared with third-party software providers, giving families greater visibility into how children’s data is used in digital learning tools.
Broader public sector organizations would also face additional requirements, including mandatory cyber maturity assessments every two years and the reporting of critical cyber security incidents.
Institutions would also need to designate a single point of contact responsible for responding to cyber security incidents, a measure intended to streamline coordination during attacks or data breaches.
Supporting a modern digital government
The proposed changes also include operational updates aimed at improving internal government workflows. One measure would allow information stored in employee accounts to move with staff members when they transfer between ministries or institutions within the Ontario Public Service.
Officials say this would reduce disruptions when employees change roles by ensuring that email accounts and related information remain accessible, allowing staff to begin new assignments more quickly.
Taken together, the province says the reforms are intended to modernize Ontario’s digital governance framework, strengthen protections for sensitive data and improve the flow of information across public institutions.
By aligning policies more closely with other jurisdictions across Canada, the government says the changes will help build a more secure and efficient system for managing public information while reflecting how modern governments operate in an increasingly digital environment.