Passed in the Dark: What Bill 97 Means for Ontario's Public Sector Privacy Landscape

Privacy
Written By Albina Magomedova

Ontario's access-to-information framework has changed significantly.

On April 23, 2026, the Ontario legislature passed Bill 97, the Plan to Protect Ontario Act (Budget Measures), 2026. The following day, on April 24, 2026, it received Royal Assent and became law. For public sector institutions operating under the Freedom of Information and Protection of Privacy Act (FIPPA) or the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), the window to prepare is narrow. Some provisions are already in effect.

Two Bills, Two Competing Visions

To understand Bill 97, it helps to understand where it sits in the broader arc of Ontario's public sector privacy reform.

In 2024 and 2025, Bill 194 (the Strengthening Cyber Security and Building Trust in the Public Sector Act) modernized the FIPPA privacy framework in meaningful ways: mandatory privacy impact assessments, mandatory breach reporting to the IPC, strengthened safeguards, and new accountability requirements for public institutions. The spirit of Bill 194 was transparency and trust-building, acknowledging that when things go wrong, institutions have an obligation to tell people.

Bill 97 reflects a different impulse. While it extends many of Bill 194's privacy-strengthening measures to MFIPPA-governed institutions for the first time (a welcome development for municipalities that were previously excluded), its most controversial elements move in the opposite direction on access. New exclusions limit what records can be requested in the first place. Retroactive application narrows what was already requestable.

The tension is real:

  • Bill 194 says: build trust by disclosing breaches and strengthening governance.

  • Bill 97 says: limit what people can ask to see in the first place.

These two bills coexist in Ontario's legislative landscape, but they do not reconcile easily. Public sector institutions now need to navigate a framework that simultaneously demands greater privacy accountability and grants greater control over access. Understanding how to operate at that intersection is one of the central compliance challenges ahead.

What Changes Under FIPPA (Provincial Institutions)

The FIPPA amendments are deemed to have come into force on March 26, 2026, meaning they effectively apply immediately for provincial institutions.

New exclusions and limits on access. The most widely discussed change is the exclusion of records in the custody or control of a Minister or Minister's office from the access regime, applied retroactively. A similar exclusion covers parliamentary assistants and their offices. In practice, this means that a broad category of communications and records at the most senior levels of government is no longer reachable through FOI requests, including requests that were already filed.

Extended and restructured timelines. The standard response period for access requests shifts from 30 calendar days to 45 business days. Institutions will also gain expanded ability to extend timelines in defined circumstances, including the option of a second extension where record volumes are unexpectedly large or unforeseen staffing or consultation challenges arise. For institutions managing high request volumes with limited dedicated FOI staff, this provides meaningful operational relief, though it also requires updated internal processes and tracking.

Staged access to records. One of the more significant procedural changes is the introduction of a formal staged access mechanism. Where a request is particularly broad or would significantly disrupt operations, institutions may propose a written plan for responding in stages. That plan must categorize the records involved, identify where searches will occur, and lay out a schedule for decisions and disclosure. Requesters then have 30 business days to respond, either by accepting the plan, proposing modifications, or in limited circumstances, appealing. This is a meaningful new tool, but it introduces new procedural obligations and requires staff to be trained on how and when to use it appropriately.

Fee estimate reforms. Bill 97 also tightens and standardizes fee estimate rules. Institutions will be required to inform requesters of their right to request a fee waiver, and to issue fee estimates before the response clock expires. Fee estimates will pause the response clock, aligning fee processes with the new staged access mechanisms.

What Changes Under MFIPPA (Municipal Institutions)

For municipalities, school boards, and other institutions governed by MFIPPA, Bill 97 represents a meaningful expansion of obligations. When Bill 194 modernized FIPPA in 2024/2025, MFIPPA was largely left out. Bill 97 addresses that gap while introducing changes unique to the municipal context.

The privacy-related MFIPPA provisions generally come into force on January 1, 2027, giving municipal institutions a slightly longer runway to prepare, but the operational implications are significant and preparation should begin now.

Mandatory privacy impact assessments. Before collecting personal information, municipal institutions will be required to complete a written privacy impact assessment that addresses the purpose of collection, legal authority, retention, safeguards, and risk mitigation. This mirrors the obligation introduced for provincial institutions under Bill 194 and aligns MFIPPA-governed organizations with current best practices, but it will require formal PIA processes to be established or updated.

Mandatory breach reporting and notification. Where there is a real risk of significant harm, institutions must report privacy breaches to the IPC and notify affected individuals. Again, this aligns MFIPPA with the FIPPA framework and with expectations that many organizations had already anticipated, but it needs to be reflected in formal breach response procedures.

Expanded safeguard obligations. Institutions will face an express statutory duty to implement reasonable administrative, technical, and physical safeguards to protect personal information, and must maintain records of privacy breaches and report breach statistics to the IPC annually.

Expanded IPC oversight. The Information and Privacy Commissioner will have new authority to review institutional information practices and, in some circumstances, to make binding orders. This significantly raises the stakes for organizations whose privacy programs are informal or underdocumented.

Whistleblower protections. Individuals will be able to confidentially report suspected contraventions of MFIPPA to the IPC, a provision that underscores the importance of having robust internal compliance programs, since failure to do so may now be surfaced through formal reporting channels.

Staged access and extended timelines. Municipal institutions will also gain access to the staged access mechanism and the extended 45 business day response period described above.

What This Means for Your Organization

The combination of new access controls, extended timelines, and expanded privacy obligations means that virtually every public sector institution in Ontario will need to assess how its internal operations align with the new framework.

Some practical questions to be working through now:

  • Are your privacy policies and access procedures updated to reflect the new timelines, staged access process, and fee estimate requirements?

  • Do you have a documented PIA process, and are staff equipped to complete assessments before new collection activities begin?

  • Is your privacy breach protocol formalized, and does it address both internal reporting and external notification to the IPC and affected individuals?

  • Do your confidentiality agreements and staff training programs reflect the expanded obligations under the new framework?

  • Are your records management practices organized in a way that would support a staged access response, or would a broad FOI request create significant operational disruption?

The exclusions in Bill 97, particularly around ministerial records, are primarily a concern at the provincial level. But the procedural changes, extended timelines, and new MFIPPA obligations affect municipal institutions directly, and the January 1, 2027 effective date for privacy-related MFIPPA provisions may feel distant, but the groundwork needs to be laid now.

Urgency Is Not Optional

Bill 97 received Royal Assent on April 24, 2026. Many FIPPA provisions are already in force. MFIPPA privacy obligations take effect January 1, 2027. The time to begin reviewing and updating your policies, training, and procedures is now, not when the first access request arrives under the new framework, and certainly not when the IPC comes to review your information practices under its expanded authority.

Bamboo Data Consulting helps public sector organizations navigate exactly this kind of legislative change, from updating privacy policies and breach response procedures to designing PIA frameworks and delivering staff training that reflects current legal requirements.

For reference: Lerners LLP,"Amendments to MFIPPA and FIPPA Passed: A Controversial Process for a Controversial Bill"; BLG,"Major Access to Information and Privacy Reform Comes to Ontario"

Albina Magomedova
Next

What PHIPA Decision 334 Means for Health Information Custodians and Their Agents