Ontario plans FOI overhaul and tighter cyber rules
Ontario has proposed changes to its access-to-information and privacy framework, including new cybersecurity rules for public bodies and revised Freedom of Information processes.
The province says the reforms will strengthen protections for personal and sensitive information, including children's data, and update prior processes, which were created before email, mobile devices, and cloud services became widespread across the public sector.
The package would also remove cabinet ministers and their offices from the scope of FOI requests.
The measures fall into two areas: updates to Freedom of Information rules and timelines under the Freedom of Information and Protection of Privacy Act, and mandatory cybersecurity and incident-reporting requirements for parts of the broader public sector.
Ontario says its current access and privacy framework dates to 1988 and has not been significantly updated since then. It argues that the system predates tools that now shape government work, including digital communications and cloud-based systems, and that the gap increases privacy and operational risks.
Stephen Crawford, Minister of Public and Business Service Delivery and Procurement, described the changes as a long-overdue update to government technology and governance practices.
"After nearly 40 years, we are modernizing Ontario's privacy protections and bringing the province's technology practices into the 21st century," said Crawford.
FOI Changes
A central proposed change would exclude records of the premier, cabinet ministers, parliamentary assistants, and their offices from FOI requests under FIPPA. Ontario says it lacks explicit protections for such records and that the move would align the province more closely with other Canadian jurisdictions.
FOI obligations would still apply to government decision-making records held by the public service, including records documenting direction from ministers and their offices to the public service.
Other changes focus on request processing. Institutions would be required by law to provide reasonable, timely assistance when a request lacks sufficient detail or requires clarification. Ontario also plans to legislate the staged release of large requests, allowing partial disclosure while processing continues for the remainder.
The province also plans to revise FOI timelines and terminology. Proposed changes include extending the response period to 45 business days and adding flexibility for large or complex requests.
Cyber Rules
Alongside FOI reform, Ontario is proposing enhanced cybersecurity rules for what it describes as vital public services. Certain practices would become mandatory for hospitals, school boards, children's aid societies, and post-secondary institutions.
For schools, the package would add a notification requirement: school boards would need to inform parents or guardians when students' personal information is disclosed to third-party software.
Under the proposal, broader public sector organisations would also complete cyber maturity assessments every two years, report critical incidents, and designate a single point of contact for cybersecurity incidents.
Ontario says incident reporting and a designated contact would improve its ability to monitor and respond to cyber-attacks across the sector. The maturity assessments would create a recurring cycle of self-evaluation for organisations that handle sensitive data and deliver public services.
Workforce Accounts
The changes also address how employee account information is handled when staff change roles. Ontario would allow information in employee accounts to transfer between institutions or ministries when a public-sector employee changes positions.
The province says the shift would reduce disruption to staff email accounts when moving within the Ontario Public Service and support faster onboarding for employees switching ministries or roles.