Current framework has gone nearly four decades without any major updates
Ontario is updating its access to information, privacy and cyber security framework for the first time in nearly 40 years, in changes that will directly affect HR leaders across hospitals, school boards, children’s aid societies and post‑secondary institutions.
Announced March 13 by the Ministry of Public and Business Service Delivery and Procurement, the reforms are intended to better protect people’s privacy, public information and sensitive data, with particular emphasis on children’s information.
“After nearly 40 years, we are modernizing Ontario’s privacy protections and bringing the province’s technology practices into the 21st century,” said Stephen Crawford, Minister of Public and Business Service Delivery and Procurement. “These updates will strengthen cyber security, protect cabinet confidentiality and ensure responsible modern governance.”
Introduced in 1988, the province’s current framework has “gone nearly four decades without any major updates and is no longer reflective of today’s technology or digital practices,” the government said, noting that it was designed before email, mobile devices and cloud‑based systems became standard. The outdated rules “create unnecessary privacy risks for both government and the public.”
For HR leaders, the overhaul signals a shift toward tighter controls on employee, client and student data, and heightened expectations around compliance, training and incident response.
Workers’ data, Freedom of information
One change with direct HR impact will “allow information contained in employee accounts to move between institutions or ministries when a public sector employee moves positions.”
According to the government, this will help staff within the Ontario Public Service move between ministries or roles “without their email accounts being disrupted,” allowing them to get on the job faster and with less disruption.
This shift may streamline onboarding and internal mobility but will also require clearer policies on what information can follow an employee, how confidential records are handled and where accountability lies when staff transfer.
Ontario is also restructuring Freedom of Information (FOI) rules. The province will exclude the records of the premier, cabinet ministers, parliamentary assistants and their offices from the Freedom of Information and Protection of Privacy Act (FIPPA).
Ontario is currently “one of only two jurisdictions in Canada (the other being Nova Scotia) without explicit protections for records belonging to cabinet ministers or their offices,” which the government says “weakens clarity of protections for cabinet decision‑making and undermines the confidentiality and candidness of discussions between ministers and their offices.”
The province said “robust FOI requirements will remain in place, including when it comes to government decision‑making in the form of direction from ministers and their offices to the public service.”
Legislation will also be updated to require institutions to provide “reasonable, timely assistance” when a request lacks sufficient detail, and to codify the practice of releasing large (“voluminous”) requests in stages while processing continues. FOI response timelines will be extended to 45 business days, with revised terminology to “provide clarity and certainty” and to give institutions “more flexibility to manage large volume and complex requests.”
Mandatory cyber practices and incident duties
The government is also introducing mandatory cyber security practices for what it calls vital public services, including hospitals, school boards, children’s aid societies and post‑secondary institutions.
School boards will be required to notify parents or guardians when students’ personal information is disclosed to third‑party software, a move the province says will ensure “families have the information they need to make informed decisions.”
Broader public sector organizations will need to complete cyber maturity assessments every two years, report critical incidents and designate a single point of contact in the event of a cyber security incident. The government says this will enhance Ontario’s ability to prevent and respond to cyber attacks.
Ontario previously introduced the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024.
The province says the updates will “help build a more responsible and secure digital framework for the province, enhancing information flow, cutting red tape and strengthening privacy protections to reflect how modern governments operate.”
The reforms build on earlier steps including strengthened oversight by the Auditor General and Financial Accountability Office in 2019, an expanded open data program, and 2024 rules for the “responsible and transparent use of artificial intelligence in government,” with disclosure and oversight requirements.