SoVote

Decentralized Democracy

Ontario Bill 194

43rd Parl. 1st Sess.
May 28, 2024
    SCHEDULE 1
    ENHANCING DIGITAL SECURITY AND TRUST ACT, 2024

    The Schedule enacts the Enhancing Digital Security and Trust Act, 2024.

    The Act addresses cyber security and artificial intelligence systems at public sector entities. Public sector entities are institutions within the meaning of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, children’s aid societies and school boards.

    Regulations may be made respecting cyber security at public sector entities, including regulations requiring them to develop and implement programs. Regulations may also set technical standards respecting cyber security.

    Public sector entities may be required to comply with requirements respecting the use of artificial intelligence, including requirements to provide information, to develop and implement accountability frameworks and to take steps respecting risk management. In prescribed circumstances, they may be required to disclose information and ensure an individual provides oversight of the use of an artificial intelligence system. The regulations may also set technical standards respecting artificial intelligence systems.

    The Act also addresses digital technology affecting individuals under age 18 as it relates to children’s aid societies and school boards. Regulations may be made respecting the collection, use, retention and disclosure of digital information relating to individuals under age 18. Regulations may also set technical standards respecting this information and digital technology.

    SCHEDULE 2
    FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT

    The Schedule amends the Freedom of Information and Protection of Privacy Act. Here are some highlights:

       1.  The definition of “information practices” is added to subsection 2 (1).

       2.  Section 34 is amended to, among other things, add a requirement for the annual report of a head of an institution to specify the number of thefts, losses or unauthorized uses or disclosures of personal information reported to the Commissioner during the year.

       3.  Section 38 is amended to add a requirement to assess various things before collecting personal information and to require the head of an institution to implement steps to prevent or reduce the likelihood of a theft, loss or unauthorized use or disclosure of personal information from occurring and to mitigate the risks to individuals in the event of such an occurrence. A new subsection 38 (5) requires that assessments be updated before making any significant change to the purpose for which personal information is used or disclosed.

       4.  A new subsection 40 (5) requires the head of an institution to take steps to ensure that personal information in the custody or under the control of the institution is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

       5.  A new section 40.1 requires that the head of an institution notify the Commissioner and the affected individual in the case of any theft, loss or unauthorized use or disclosure of the individual’s personal information if there is a real risk of significant harm to the individual or if any other prescribed circumstances exist. Factors relevant to determining a real risk of significant harm are set out in subsection 40.1 (7).

       6.  A new section 49.0.1 authorizes the Commissioner to conduct a review of the information practices of an institution if the Commissioner has received a complaint under subsection 40.1 (4) or has other reason to believe that the requirements of Part III are not being complied with.

       7.  Subsection 55 (1) is amended to provide that information may be disclosed for a prescribed purpose.

       8.  A new section 57.1 requires the Commissioner to keep confidential the identity of a person who has notified the Commissioner of a contravention or potential contravention of the Act or regulations.

       9.  Subsection 58 (2) is amended to require that the Commissioner’s annual report to the Speaker of the Assembly provide for the number of complaints received by the Commissioner in respect to the information practices of institutions and the number of reviews conducted under section 49.0.1.

    10.  Section 59 is amended to authorize the Commissioner to, subject to some limitations, consult with a law enforcement officer or any person who, under an Act of Canada or of another province or territory of Canada, has powers, duties and functions similar to those of the Commissioner with respect to the protection of personal information.

    11.  Section 65.1 is amended to add more information to the definition of “customer service information” and to authorize a service provider organization that collects customer service information to, with the consent of the individual, retain and use the information for the purposes of providing any designated service to the individual.

  • May 28, 2024, noon
  • In Progress
  • Read
  • May 13, 2024, noon
  • Passed