Legislation would 'provide the right tools to prevent and quickly respond to future cyber-attacks and privacy breaches'
Ontario has proposed legislation to strengthen the cybersecurity capabilities of the public sector.
The Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 would establish regulation-making authority and empower the Minister of Public and Business Service Delivery to lead the cyber security direction for select public sector entities.
This applies especially to vulnerable sectors such as hospitals, schools and children’s aid societies, according to the provincial government.
The percentage of IT budgets dedicated to cybersecurity is growing, and this is true for companies of all sizes, according to a previous CDW report.
Regulations may include sector-specific requirements and mandatory cyber incident reporting to the provincial government. Ontario will consult with key government and public sector stakeholders to come up with the regulations.
Ontario is also proposing centralized reporting within government to “better respond, deploy and get involved in emergency management of cyber incidents, particularly with those public sector organizations that don’t have strong cyber security practices,” said the provincial government.
A mere 1% of organizations in Canada have achieved the level of cybersecurity readiness required to effectively defend against modern risks, according to a previous Cisco report.
Privacy breaches, use of AI
The legislation would also increase the authority of the Information and Privacy Commissioner of Ontario (IPC) to investigate and respond to privacy breaches and inappropriate use of personal data and mandate organizations to complete privacy impact assessments.
It would introduce a definition of an “artificial intelligence system” that is “in alignment with leading jurisdictions to create consistency in how AI is defined across the public sector” and to support AI-related initiatives across the government, according to the provincial government.
Ontario is also proposing to establish accountability and transparency requirements for the provincial government and public sector when using AI. This would include, for example, requiring these organizations to inform the public of when they are interacting with AI, or mandating that decisions made by AI always have a channel for human review.
The proposed legislation includes creating regulation-making authority to ensure responsible, risk-based AI use by select public sector organizations.
“Our government is helping ensure people and businesses in Ontario have the right protections in place to freely and safely participate and thrive online,” said Todd McCarthy, minister of public and business service delivery. “This new legislation would provide the right tools to prevent and quickly respond to future cyber-attacks and privacy breaches, improve our digital delivery of services and provide a strong framework for artificial intelligence governance.”
The Council of Canadian Innovators (CCI) welcomes the proposed legislation from Ontario.
"CCI is pleased to see that the government is stepping up to take action on these fundamental policy issues,” said Skaidra Puodziunas, CCI director of Ontario affairs.
“Both technology and policy are moving incredibly quickly in the digital economy, as society adjusts to the realities of digitized services, cyber security, data and artificial intelligence. Clear rules and guardrails are essential for fostering trust in technology systems, and we are pleased to work with the government to develop these policies in partnership with industry.
Ontario is engaging the AI Expert Working Group, experts from tech and AI industry and academia to provide advice and recommendations on the development of Ontario’s Trustworthy AI Framework and responsible use of AI within the public service.
More than a third of employees across the world confessed that their workplace security habits are risky, according to a previous report.
Ontario is accepting comments on the draft bill from the public through the Ontario Regulatory Registry until June 11, 2024.
