Ontario Bill 194, the “Enhancing Digital Security and Trust Act, 2024”, recently received Royal Assent and will become law.
It applies to all Ontario public sector organizations, large or small, such as schools, municipal governments, libraries, courts, and hospitals. Many of these organizations also have overlapping regulations around Digital Security and Trust (privacy), so they will have to carefully manage all sets of regulations. These overlapping regulations can be federal (e.g. PIPEDA), international (e.g. HIPAA), or set by industry (e.g. PCI DSS), depending on where and how the organizations conduct business.

It doesn’t apply to the private sector. Whew! But vendors or suppliers could be required to be compliant as a condition of supplying goods or services to the public sector, so the scope could eventually include some private sector entities. The Act gives special attention to the use of AI, which could have a wider impact.
Although the bill has passed, timelines for implementation have not yet been set. It’s going to move at the speed of government, so it could be years. And it doesn’t apply to political parties or the legislature itself – as usual, they don’t have to follow their own laws.
If you’re an Ontario private sector organization impacted, what can you do now to get ready?
Start developing privacy policies, and consider appointing a Chief Privacy Officer if your organization is large. A lot of the bill is about privacy, and the Information and Privacy Commissioner (IPC) is gaining new powers to monitor and enforce. Don’t collect data you don’t need and can’t protect.
Budget for it. There is no word yet that the new bill will come with new funding, so don’t count on it. Cybersecurity is cheaper than it used to be, but from what we see with most provincial institutions, it is mostly unfunded or underfunded. Due to lengthy budgeting cycles, start asking now.
Develop strong partnerships with vendors and providers. You’re going to need them: these aren’t skills you can develop in house, and a strong security provider (like Summer Digital) will have policies, tools, and personnel ready to go.
Governance is essential. Cybersecurity and Privacy need to be handled at the Board level, and there should be an executive responsible. It isn’t just an “IT issue”.
Don’t wait to start your security program! The IPC may come out with very prescriptive standards, but hopefully not, since there is already a plethora of suitable industry standards. Either way, a robust cybersecurity standard pays for itself in incident avoidance, and helps build the trust and security that are the point of this bill. There is no reason to sit on this.
As always, Summer Digital is here to help our public sector institutions. Don’t hesitate to reach out for a free consultation. We’ve studied the act and its implications, including around the use of AI, and can provide more insight beyond the above summary.