Summary
On April 24, 2026, Bill 97, Plan to Protect Ontario Act (Budget Measures) (“Bill 97”) received Royal Assent and was passed into law. Among other things, Bill 97 amends the Freedom of Information and Protection of Privacy Act (the “FIPPA”) and the Municipal Freedom of Information and Protection of Privacy Act (the “MFIPPA”) with the aim of improving operational efficiency in responding to access requests and modernizing the privacy framework for institutions subject to FIPPA and MFIPPA.
One of the amendments will exclude records of the Premier and cabinet members retroactively from the access provisions in the FIPPA. Bill 97 was passed quickly, without the usual committee sessions, following a media request for access to Premier Ford’s personal cell phone records.
The amendments to the FIPPA and MFIPPA outlined in Bill 97 will come into effect on July 1, 2026.
Amendments to the Freedom of Information and Protection of Privacy Act
Changes to the FIPPA include the following:
Increased Timelines: the timeline for institutions to respond to personal information access requests is now increased from 30 days to 45 business days (i.e., any day that is not a Saturday or a holiday).
Staged Access Plan: an institution may, in writing, propose a plan for providing access to the requested records in stages in certain circumstances, such as where the time required would interfere with an institution’s operations, or the scope of the request is overly broad. To be valid, the Staged Access Plan must:
- divide the request into separate categories of records and set out the areas of the institution where those records will be searched;
- set out a schedule that addresses whether or not access to records will be granted and when such decisions will be made, as well as when the records will be produced.
The individual or organization requesting the records must then write a response to the staged access plan within 30 business days stating either (a) their acceptance of the plan, (b) any proposed amendments, or (c) any modifications to the scope of the plan. Failure to provide a response within that timeline can result in the request being deemed abandoned. The requester can appeal an institution’s initial decision to propose a plan, but once it has been amended, it cannot be subject to an appeal.
Costs: if a fee to be paid for a request under FIPPA is more than $25, the institution must give the requester a reasonable estimate of the amount and inform the requester that they can ask that the payment be waived (although there is no obligation for the cost to actually be waived).
Excluded Categories of Records: Certain documents are now excluded from the scope of FIPPA:
- Records in the custody of a minister of the Crown or the minister’s office, or a record under the control of a minister of the Crown or the minister’s office (unless the record is in the custody of the rest of the institution of which the minister is the head or any other institution, in which case the record is not excluded).
- Records prepared for or collected under the Enhancing Digital Security and Trust Act, 2024, including records that contain information regarding:
  - the names of employees who are considered primary contacts for ensuring cyber security within a public sector entity;
  - assessments or evaluations of a public sector’s status with respect to cyber security, or summaries regarding same;
  - the names of software applications purchased by school boards;
  - other information which could compromise a public sector entity’s cyber security.
Amendments to the Municipal Freedom of Information and Protection of Privacy Act
In a previous Firm Insight, “Ontario’s Bill 194 Proposes More Oversight of Public Sector Digital Systems,” we discussed the fact that Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, did not propose amendments to the FIPPA’s municipal equivalent, MFIPPA. Bill 97 addresses some of those gaps while also making changes unique to Bill 97. These changes include the following:
Staged Access Plans:
Like in the FIPPA, the MFIPPA allows institutions to propose a staged access plan with the same qualifications as outlined above.
Privacy Impact Assessments:
Before collecting personal information, an institution must prepare a written assessment containing certain information, such as the purpose for the collection of personal information, the authority for the use of such information, and the types of personal information to be collected. The assessment must also include where the personal information was collected, who will have access to the information, and any limitations on the use of the information.
Mandatory Data Breach Safeguards:
Institutions collecting personal information must take action before the collection to prevent and mitigate the risks of theft, loss or unauthorized use of personal information. They must also take reasonable steps to ensure that personal information is protected against theft, loss, and unauthorized use.
Mandatory Data Breach Reporting:
An institution must report to the Information Privacy Commissioner (the “IPC”) and to the affected individual(s) any theft, loss or unauthorized use of personal information where there is a real risk that it could cause significant harm.
Significant harm includes, inter alia, bodily harm, humiliation, damage to reputation, and loss of employment. A “real risk of significant harm” depends on:
- the sensitivity of the personal information;
- the probability the information will be misused;
- the availability of steps the individual can take to reduce or mitigate the harm; and
- any direction provided by the IPC regarding what constitutes a real risk.
Data Breach Record Keeping Obligations:
Institutions must keep records of every theft, loss, or unauthorized use of personal information and provide a copy to the IPC upon request.
Expanded IPC Powers:
The IPC has further powers under the amendments, including conducting a review of information practices if it receives a complaint about an institution, requiring production of information and records relevant to the review, and issuing compliance orders.
Whistleblowing Protections:
Whistleblowers may contact the IPC regarding contraventions of the MFIPPA. If so, the IPC must keep the whistleblower’s identity confidential.
Excluded Categories of Records:
Like in the FIPPA, records prepared for or collected under the Enhancing Digital Security and Trust Act, 2024 are excluded from the scope of the MFIPPA.
Takeaways
Among other things, Bill 97 takes significant steps towards changing and modernizing the MFIPPA, which are in alignment with the changes implemented to the FIPPA under Bill 194. Public sector employers subject to the MFIPPA should ensure their policies, practices and procedures are compliant with these new obligations, several of which can have a significant operational impact, e.g. privacy impact assessments.
In addition, changes to both the FIPPA and the MFIPPA will provide institutions with the mechanisms to address requests for records while managing individuals’ and organizations’ expectations regarding the access to information process.
Entities that fall within the provisions of the FIPPA and/or the MFIPPA should be prepared to confront these statutory changes and develop processes to identify and mitigate risks associated with information requests and potential data breaches.
If you are an institution impacted by Bill 97, contact your regular lawyer at the firm to discuss what steps you can take to address the various amendments.
Need More Information?
For more information concerning your obligations under the FIPPA, MFIPPA, or Bill 97, contact Rebecca Rosenberg at rrosenberg@filionlaw.com or your regular lawyer at the firm.