Bill 97 and the Future of Privacy in Ontario
Schedule 11 of Bill 97 proposes significant changes to the Municipal Freedom of Information and Protection of Privacy Act. Following second reading, the Bill has been referred to the Standing Committee on Finance and Economic Affairs.
The Bill signals a fundamental shift in how Ontario municipalities will be expected to manage personal information, moving from passive record-keeping frameworks toward active, accountable privacy governance.
A Shift from Old Ways
The Bill would eliminate the concept of a Personal Information Bank, which has been used as a framework for collecting personal information that can be retrieved using an individual’s name or other identifying references. The proposed changes shift the focus from transparency about what is stored to how personal information is stored, handled and protected. The Bill introduces the concept of “Information Practices”, which encompasses an institution’s practices and procedures for collecting, using, disclosing, retaining and safeguarding personal information.
Clarifying Existing Terminology
The definition of “record” is broadened by including data in digital or intangible form. A business day is clarified to be a day that is not a Saturday or a holiday. Applicable timelines are also proposed to be amended to refer to business days for calculation.
Staged Access to Records
Bill 97 proposes several procedural changes governing when access to records may be provided in stages. It details the circumstances in which an institution may propose staged access, sets requirements for the contents of the access plan, outlines the institution’s notification requirements, defines the requester’s obligations with regard to response, and clarifies when a request may be deemed abandoned.
Where a head proposes a plan respecting access to records, the time limit stops running and resumes when the person who requested the records has responded. The Bill requires that the requester appeal or respond in writing within 30 days of a plan being proposed, or the request will be deemed to be abandoned.
The response must indicate one of three things:
- Acceptance of the plan;
- Proposed amendments to the plan; or
- Modified scope of the request.
Access to Information Timelines
The changes require institutions to respond to inquiries about formulating a request promptly (“as soon as possible in the circumstances”) and require them to provide assistance for any requests that are unclear or contain defects. While assistance is proposed to be mandatory, many municipalities already assist with these inquiries and will not need to change their practices.
The time for the head of the institution to respond to requests is proposed to be increased from 30 days to 45 business days. Requests are to be considered received only when they have complied with all the formal requirements under subsection 24(1).
Fee Waivers
Where the amount required to be paid for the records of information is estimated to be over $25 and a reasonable estimate is provided, the amendments require that the head also inform the requester of the option to seek a fee waiver.
Annual Reporting Requirements
A report is required to be submitted to the commissioner for the previous calendar year. The scope of the report’s contents is expanded to include the number of thefts, losses or unauthorized uses/disclosures of personal information. There is also expanded reporting for health information. The report is required to be submitted in the form and by the deadline provided by the commissioner.
Privacy Impact Assessment
Before collecting personal information, institutions must prepare a written Privacy Impact Assessment addressing some key elements, such as the purpose and necessity, legal authority, types of information collected, sources of information, who has access to this information within the institution, restrictions on collection/use/disclosure, retention periods, applicable safeguards, assessment of risks in case of a breach, and the prevention and mitigation steps set up by the institution.
For the purposes of risk mitigation, the institution is required to ensure that these steps are implemented before the information is collected, and where this is not possible, the steps must be implemented within a reasonable time after collecting the information.
Privacy Safeguards
In cases of a breach leading to risk or significant harm, as assessed using the factors set out, the institution must report the breach to the commissioner in a prescribed form, notify the affected individual, inform them of their right to make a complaint, and maintain breach records. The Bill also authorizes the Lieutenant Governor in Council to make any regulations in this regard.
Commissioner’s Power
The commissioner is provided with supervisory authority to review the information practices of an institution. This may involve an attempt at informal dispute resolution before a formal review. The institution is required to assist and cooperate with the requirements for the review. Following the review and after giving the head of the institution an opportunity to be heard, the commissioner may issue orders setting out the required next steps.
Whistleblower Protection
The Bill proposes a new section to protect any person who wishes to confidentially report suspected contraventions of the MFIPPA to the commissioner. The commissioner must protect the whistleblower’s identity where confidentiality is requested.
Conclusion
Municipalities will need to prepare for stricter obligations around how personal information is handled, mandatory Privacy Impact Assessments before collection begins, updated response timelines, expanded breach reporting requirements, and stronger Commissioner oversight.
Internal policies should be reviewed and considered now to be ready for the proposed changes.
If you have questions about how the proposed legislation may affect you, please contact a member of our municipal law group.