Skip to main content
PLITICAL
DATA

Enhancing Digital Security and Trust Act, 2024

Enhancing Digital Security and Trust Act, 2024, S.O. 2024, c. 24, Sched. 1

Ontario· S.O. 2024, c. 24, Sched. 1· 23 sections· current to 2025-01-29In force
See how this Act changed View amendment graphOfficial consolidated text
Policy areas
Digital, Telecom & MediaConsumer ProtectionJustice & the Law

Bills that amended this Act1

  • Bill 194

    Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024

    enact
    1ST SESSION, 43RD LEGISLATURE, ONTARIO 3 CHARLES III, 2024 Bill 194 (Chapter 24 of the Statutes of Ontario, 2024) An Act to enact the Enhancing Digital Security and Trust Act, 2024 and to make amendments to the Freedom of Information and Protection of Privacy Act respecting privacy protection measures The Hon.

Sections23

  • [s0]

    Interpretation

  • 1Definitions

    1 (1) In this Act, “artificial intelligence system” means, (a) a machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments, and (b) such other systems as may be prescribed; (“système d’intelligence artificielle”) “children’s aid society” means a society within the meaning of the Child, Youth and Family Services Act, 2017; (“société d’aide à l’enfance”) “cyber security” means the security, continuity, confidentiality, integrity and availability of digital information and the infrastructure housing and transmitting digital information, and includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and information from attack, dama…

  • [s2]

    Cyber Security

  • 2Regulations made by Lieutenant Governor in Council

    2 (1) The Lieutenant Governor in Council may make regulations governing cyber security at such public sector entities as may be prescribed, including, (a) requiring public sector entities to develop and implement programs for ensuring cyber security; (b) governing programs mentioned in clause (a), which may include prescribing elements to be included in the programs; (c) requiring public sector entities to submit reports to the Minister or a specified individual in respect of incidents relating to cyber security, which may include different requirements in respect of different types of incidents; (d) prescribing the form and frequency of reports. Regulations re programs (2) Without limiting the generality of clause (1) (b), a regulation made under that clause may require that a public sector entity’s program include, (a) roles and responsibilities of specified individuals within the publ…

  • 3Minister’s regulations re standards

    3 The Minister may make regulations setting technical standards that such public sector entities as may be prescribed by the Minister must conform to respecting cyber security.

  • 4Minister’s directives

    4 (1) The Minister may issue directives to public sector entities respecting cyber security. Same (2) A directive may be general or particular in its application, and may provide for different classes or categories. Status (3) Part III (Regulations) of the Legislation Act, 2006 does not apply with respect to a directive. Compliance (4) A public sector entity to whom a directive is issued shall comply with the directive.

  • [s6]

    Use of Artificial Intelligence Systems Use, intended use

  • 5Application

    5 (1) This section applies to such public sector entities as may be prescribed for the purposes of this section if they use or intend to use an artificial intelligence system in prescribed circumstances. Information to public (2) A public sector entity to which this section applies shall, in accordance with the regulations, provide information to the public about their use of the artificial intelligence system. Accountability framework (3) A public sector entity to which this section applies shall, in accordance with the regulations, develop and implement an accountability framework respecting their use of the artificial intelligence system. Risk management (4) A public sector entity to which this section applies shall take such steps as may be prescribed to manage risks associated with the use of the artificial intelligence system. Requirements (5) A public sector entity to which this s…

  • 6Application

    6 (1) This section applies in respect of such public sector entities as may be prescribed for the purposes of this section. Obligations (2) A public sector entity to which this section applies shall, when using an artificial intelligence system in prescribed circumstances, (a) disclose information, in accordance with the regulations, respecting the use of the artificial intelligence system; and (b) ensure that an individual, (i) exercises oversight of the use of the artificial intelligence system, in accordance with the regulations, and (ii) provides additional information, in accordance with the regulations, respecting the use of the artificial intelligence system.

  • 7Regulations made by Lieutenant Governor in Council

    7 The Lieutenant Governor in Council may make regulations governing the use of artificial intelligence systems by public sector entities, including, (a) prescribing public sector entities to whom section 5 or 6 applies; (b) prescribing circumstances for the purposes of subsection 5 (1); (c) governing the provision of information under subsection 5 (2), which may include, (i) prescribing the manner in which information must be provided, (ii) prescribing information that must be provided, (iii) prescribing information that is not required to be provided, (iv) specifying when information must be provided and updated, (v) exempting public sector entities from the requirement to provide information in specified circumstances; (d) governing the development of accountability frameworks under subsection 5 (3), which may include, (i) prescribing the form and content of the accountability framewor…

  • 8Minister’s regulations re standards

    8 The Minister may make regulations setting technical standards that such public sector entities as may be prescribed by the Minister must conform to in their use of artificial intelligence systems.

  • [s11]

    Digital Technology Affecting Individuals Under Age 18

  • 9Regulations made by Lieutenant Governor in Council

    9 The Lieutenant Governor in Council may make regulations respecting such children’s aid societies and school boards as may be prescribed, (a) requiring prescribed digital information relating to individuals under age 18 that is collected, used, retained or disclosed to be collected, used, retained and disclosed in a prescribed manner; (b) requiring reports to be submitted to the Minister or a specified individual in respect of the collection, use, retention and disclosure of information mentioned in clause (a); (c) prohibiting the collection, use, retention or disclosure of prescribed digital information relating to individuals under age 18, which may include prohibiting such activities in prescribed circumstances, for prescribed purposes or subject to prescribed conditions.

  • 10Minister’s regulations re standards

    10 The Minister may make regulations setting technical standards that such children’s aid societies and school boards as may be prescribed by the Minister must conform to respecting, (a) the collection, use, retention and disclosure of digital information relating to individuals under age 18; and (b) digital technology made available for use by individuals under age 18.

  • 11Minister’s directives

    11 (1) The Minister may issue directives to children’s aid societies and school boards respecting digital technology made available for use by individuals under age 18. Same (2) A directive may be general or particular in its application, and may provide for different classes or categories. Status (3) Part III (Regulations) of the Legislation Act, 2006 does not apply with respect to a directive. Compliance (4) A children’s aid society or school board to whom a directive is issued shall comply with the directive.

  • [s15]

    General

  • 12No establishment of private law duty of care

    12 Nothing in the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, this Act or any regulation made or directive issued under this Act establishes a private law duty of care owing to any person.

  • 13Effect of failure to comply

    13 Failure to comply with this Act or any regulation made or directive issued under this Act does not affect the validity of any policy, Act, regulation, directive, instrument or decision.

  • 14Conflict, general

    14 If a provision of this Act or the regulations made or directives issued under this Act conflicts with a provision of any other Act or regulation, the provision in the other Act or regulation prevails.

  • 15Directives, conflict

    15 In the event of a conflict between a requirement set out in a directive issued under this Act and a directive made by the Management Board of Cabinet, the requirement in the directive made by the Management Board of Cabinet prevails.

  • 16Regulations, general

    16 The Lieutenant Governor in Council may make regulations prescribing anything in this Act that is referred to as prescribed or otherwise dealt with in the regulations, other than anything in respect of which the Minister is given authority to make regulations or which is referred to as prescribed by the Minister.

  • 17

    17 Omitted (provides for coming into force of provisions of this Act).

  • 18

    18 Omitted (enacts short title of this Act). ______________

© King's Printer for Ontario, 2025. Unofficial reproduction — not the official version.