
Ontario Updates its Freedom of Information Legislative Frameworks

May 15, 2026

Ontario is the latest province to make updates to its public-sector privacy and freedom of information legislation. Ontario’s Bill 97, Plan to Protect Ontario Act (Budget Measures), 2026 (Bill 97) received royal assent on April 24, 2026. Bill 97, among other things, introduces amendments to Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). In this bulletin, we highlight some of the changes that are most likely to impact businesses that work with public-sector institutions in Ontario. 

FIPPA

Timeline to Respond to Access Requests

The amendments to FIPPA create a new procedure where, in some instances, access to records can be provided to a requester in stages. Institutions may utilize this new procedure where: 

(a) The time required to search for records would unreasonably interfere with regular duties of the employees of the institution

(b) The scope of the request is overly broad due to the time period that it covers

(c) Preparing the materials would unreasonably interfere with the institution’s operations

(d) A requester has submitted multiple requests and the combined effort to respond to such requests would unreasonably interfere with the institution’s operations

Additionally, the time to comply with an access request has been expanded from 30 days to 45 business days (defined to include days that are not Saturdays or a holiday). Institutions will also be permitted to utilize a one-time “second extension” to respond to access requests in instances where (a) the requester consents to the extension, (b) the number of records identified as being responsive is significantly more than the number of records initially identified, or (c) where employees who are knowledgeable in the subject matter of the request are unable to assist in responding to the request or where additional consultations are needed to respond to the request. FIPPA now expressly provides that an individual’s access request must comply with the Act’s requirements to “start the clock” for the institution’s deadline to respond. These amendments bring FIPPA more in line with how many provincial institutions operate in practice with respect to responding to requests and are reflective of an overburdened freedom of information system. 

Importantly, these amendments do not change the exemption set out in FIPPA for third-party trade secret or confidential information or the consultation process related to the application of the third-party exemption. 

Creation of Data Standards

The amendments to FIPPA require the Chief Digital and Data Officer to establish data standards regarding the collection, use, disclosure, linking and de-identification, retention, disposal, and reporting on the use of personal information. These standards are to be published by the Chief Digital and Data Officer and made publicly available on a Government of Ontario website.

Excluded Records

FIPPA now expressly indicates that it does not apply to records in the custody or control of a minister of the Crown or the minister’s office, unless the record is in the custody of the institution of which the minister is the head.

Additionally, FIPPA does not apply to records prepared or collected under the Enhancing Digital Security and Trust Act (EDSTA), including the names of employees who are responsible for cybersecurity within the public-sector entity, cybersecurity assessments or evaluations, software applications purchased by school boards that are owned or operated by third parties authorized to access students’ personal information, and records that could reasonably be expected to compromise cybersecurity for an institution.

MFIPPA

The amendments made to MFIPPA under Bill 97 are similar to those outlined for FIPPA, particularly as they relate to the process for an institution to provide access through a staged procedure, the extension of time to respond to requests, and the non-application of the Act to records prepared or collected under EDSTA.

However, MFIPPA also contains new obligations for MFIPPA institutions relating to their handling of personal information. These new obligations bring MFIPPA closer in line with FIPPA amendments made by Bill 194. For more information on those amendments, see our Blakes Bulletin: New Ontario Bill 194 to Reform FIPPA and Introduce Mandatory Privacy Breach Reporting.

Privacy Impact Assessments

MFIPPA now requires institutions to complete privacy impact assessments prior to collecting personal information. These assessments must consider prescribed requirements, such as the purposes for collection, use or disclosure of personal information, a description of the safeguards implemented to protect the personal information, and steps taken by the institution to mitigate, reduce or prevent any risks of theft, loss or unauthorized use or disclosure of personal information. These assessments must be updated as practices change. 

Information Security Practices

MFIPPA institutions must take steps that are reasonable in the circumstances to ensure that the personal information under their custody or control is protected. The Ontario Information and Privacy Commissioner is granted the power to review the information security practices of an institution. 

Mandatory Breach Notification

Additionally, MFIPPA now contains mandatory breach reporting obligations. MFIPPA institutions are required to notify the Commissioner and impacted individuals of any theft, loss, or unauthorized use or disclosure of personal information in their custody or control, where it is reasonable in the circumstances to believe that there is a real risk of significant harm. MFIPPA prescribes the factors to be considered with respect to the analysis of risk of significant harm, which include the sensitivity of the personal information, the probability that the personal information has been or will be misused, the availability of steps an individual can take to reduce or mitigate against the harm, and any recommendations or guidance from the Commissioner regarding what constitutes a real risk of significant harm. MFIPPA institutions must maintain records of reported breaches. 

For more information, please contact the authors or any other member of our Privacy & Data Protection group.

