As a follow-up to our previous advocacy update outlining proposed changes to the Municipal Freedom of Information and Protection of Privacy Act, 1990 (MFIPPA) made through the budget bill, we want to highlight our concerns regarding the scope and depth of proposed changes on the privacy side. These changes align the Act with similar changes made previously to the Freedom of Information and Protection of Privacy Act, 1989 (FIPPA), but do not consider municipal staff capacity or financial constraints.
Privacy-related changes include:
- Requiring that the head of an institution ensure that a written assessment is prepared and contains certain information respecting any Personal Information (PI) that is to be collected. This includes but is not limited to:
- The purpose, intended use, and explanation for collection
- Who will have access to the PI
- Limitations or restrictions on collection, use or disclosure
- Safeguard practices to protect the PI
- Steps taken to prevent the likelihood of theft, loss, unauthorized use, or disclosure of the PI
- Requiring that risks are mitigated by ensuring the above steps are implemented before collecting PI
- Requiring that institutions provide access to the written assessment to the Information and Privacy Commissioner (IPC)
- Reporting any breach of privacy safeguards to the IPC and notifying affected individuals
- Outlining factors to determine the real risk of significant harm
- Removing the definition of personal information bank
- Imposing a right of access to PI
- Authorizing the IPC to review information practices of an institution where the IPC has received a complaint, with authorization to resolve the matter through mediation, conciliation, and other informal means.
- Requiring an institution to assist the IPC in conducting a review
While we acknowledge that many of these proposals are important best practices moving forward, we would like to offer the following recommendations to the Ministry of Public and Business Service Delivery for consideration:
- Over 80% of Ontario municipalities have populations under 50,000. In many municipalities, the administrative function is performed by a single employee, often the municipal clerk, who manages FOI and privacy programs along with 80 other statutory responsibilities, which can include council governance, bylaw enforcement, and elections.
- As 2026 is a municipal and school board election year, wherein municipal budget processes are disrupted with councils inaugurated in November, requests for resources to support new requirements may not be contemplated until 2027. This timing makes it extremely challenging to transition to new rules that are proposed to be in effect by January 1, 2027.
- The January 1 deadline for privacy impact assessments is too short a timeframe for municipalities to address new requirements and seek new resources, including staff and funding support to action the new requirements.
- The scope of the privacy impact assessments is exceptionally broad. It is not clear whether these would apply to information collected going forward or would also retroactively apply, which would be an insurmountable task for already overburdened municipal staff.
- If retroactively applied, this will likely result in substantial costs for institutions and take years for many municipalities to come into compliance, given the above-noted limitations.
Given the varying levels of capacity and maturity across MFIPPA institutions, we want to understand what resources the Ministry and the Information and Privacy Commissioner are developing to support municipalities in this transition and when they will be made available.
In the meantime, we have prepared the following redline version of the Act, which shows the amendments Bill 97 proposes. We hope this makes it easier for members to see the exact changes that are being proposed.
Review Redline Version of the Act
We also invite you to send us your templates, policies, procedures, and other relevant resources related to:
- Privacy impact assessments
- Information management best practices
- Risk and breach management
- Job advertisement requirements for staffing
- Budget/business cases for more resources
Over the coming weeks, we will be reviewing materials to determine the best next steps for how to support members, municipal clerks, and their staff with implementing the proposed new requirements.
Please provide any resources you'd like to share with our policy and advocacy team by Monday, April 20.
Our team will be continuing to evaluate the proposals to determine the full impacts on municipal administration and service delivery, and welcomes feedback from members with expertise in FOI and privacy.
We will also be applying to speak at Standing Committee where your feedback will help inform our submission. Please provide your feedback as soon as possible.
We will be seeking clarity with the Ministry over the coming days and will provide updates as appropriate.