Law: Freedom of Information and Protection of Privacy Act, RSO 1990 c F.31 ('the Act'). Please note that the Act applies to public bodies only. Private organisations are regulated at the federal level by the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA').

Regulator: The Information and Privacy Commissioner of Ontario ('IPC')

Summary: Although Ontario does not have a comprehensive private sector data protection law, privacy principles are enshrined through the enforcement of public sector and sector-specific laws. In addition, Ontario has shown signs of increasing the scope of privacy protections in the province with recent amendments to the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A ('PHIPA'). In particular, the changes to PHIPA include increased penalties, audit requirements for organisations, and additional regulation-making powers for the IPC. Finally, Bill 14 for the Personal Information Protection Act, 2018, which is being discussed in the Standing Committee on Justice, may introduce significant new requirements for private organisations if enacted.