
19 March 2026
Ontario introduces long-anticipated overhaul of its digital governance and privacy rules
On March 13, 2026, Ontario signaled a long-anticipated overhaul of its digital governance and privacy rules. The province's access and privacy legislation—anchored by the Freedom of Information and Protection of Privacy Act (FIPPA)—has remained largely unchanged since 1988, and the announced reforms represent the first comprehensive attempt to bring the framework in line with how government now operates. The package spans three broad areas: recalibrated freedom of information (FOI) processes, new cybersecurity obligations for the broader public sector, and revised protections for cabinet-level records.
This article outlines the key elements of the reforms and their practical implications for businesses that serve, contract with, or supply technology to Ontario public sector institutions.
New cybersecurity obligations for the broader public sector
Perhaps the most consequential element for private sector vendors is the introduction of mandatory cybersecurity requirements for institutions that deliver vital public services—hospitals, school boards, children's aid societies, and post-secondary institutions among them.
Key requirements for these institutions include:
- completing cyber maturity assessments on a biennial cycle;
- reporting critical cybersecurity incidents to the province;
- designating a single point of contact for incident response; and
- in the education sector, notifying parents and guardians when students' personal information is shared with third-party software providers—a requirement that will likely prompt renegotiation of data-sharing terms between boards and their technology vendors.
The reforms also contemplate portability of employee account information across ministries and institutions when public servants change positions, reducing friction in internal transfers.
For businesses that supply digital services, cloud infrastructure, or software to affected institutions, the practical takeaway is that these public sector obligations will almost certainly be passed through via procurement contracts and service agreements. Vendors should expect:
- enhanced security certification requirements;
- expanded audit and reporting provisions; and
- tighter incident notification timelines in future (and potentially renegotiated) contracts.
Changes to the FOI regime
Ontario currently stands as one of only two jurisdictions—alongside Nova Scotia—that do not expressly shield cabinet ministers' records from FOI requests. The reforms will carve out records of the Premier, cabinet ministers, parliamentary assistants, and their offices from FIPPA's scope. The government has emphasized that FOI obligations will continue to cover the substance of government decision-making, including ministerial direction to the public service, so the practical impact on access to policy-related records remains to be seen.
On the procedural side, several changes are designed to streamline FOI administration:
- Institutions will face a clearer duty to assist requesters whose applications lack sufficient detail.
- Large-volume requests will be released on a rolling basis as records are processed, rather than held until the entire request is complete.
- Response timelines will shift to a 45-business-day standard, with additional flexibility for complex or high-volume matters.
Businesses that rely on FOI requests as part of procurement challenges, regulatory proceedings or commercial due diligence should account for these revised timelines in their planning.
What this means for businesses
The full legislative text has yet to be introduced, and implementation timelines and regulatory detail will follow. That said, the direction of travel is clear: Ontario is raising the baseline for cybersecurity and privacy across its public sector, and private sector partners will need to meet that baseline as a condition of doing business with government.
Organizations that serve the Ontario public sector should consider taking early steps to:
- review existing contractual arrangements for gaps relative to the anticipated requirements;
- benchmark their cybersecurity posture against the biennial assessment standards the province is expected to adopt; and
- evaluate how personal information is handled under current agreements.
If you are concerned that your business may be impacted, contact a member of our Intellectual Property and Technology group for assistance.