Enhancing Digital Security and Trust Act, 2024, S.O. 2024, c. 24, Sched. 1

Enhancing Digital Security and Trust Act, 2024

S.O. 2024, chapter 24
Schedule 1

Consolidation Period: From January 29, 2025 to the e-Laws currency date.

No amendments.

CONTENTS

Interpretation

1. Definitions

Cyber Security

2. Regulations made by Lieutenant Governor in Council
3. Minister’s regulations re standards
4. Minister’s directives

Use of Artificial Intelligence Systems

5. Use, intended use
6. Specific uses
7. Regulations made by Lieutenant Governor in Council
8. Minister’s regulations re standards

Digital Technology Affecting Individuals Under Age 18

9. Regulations made by Lieutenant Governor in Council
10. Minister’s regulations re standards
11. Minister’s directives

General

12. No establishment of private law duty of care
13. Effect of failure to comply
14. Conflict, general
15. Directives, conflict
16. Regulations, general

Interpretation

Definitions

1 (1) In this Act,

“artificial intelligence system” means,

(a)  a machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments, and

(b)  such other systems as may be prescribed; (“système d’intelligence artificielle”)

“children’s aid society” means a society within the meaning of the Child, Youth and Family Services Act, 2017; (“société d’aide à l’enfance”)

“cyber security” means the security, continuity, confidentiality, integrity and availability of digital information and the infrastructure housing and transmitting digital information, and includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and information from attack, damage or unauthorized access; (“cybersécurité”)

“Minister” means the Minister of Public and Business Service Delivery and Procurement or such other member of the Executive Council as may be designated under the Executive Council Act to administer this Act; (“ministre”)

“prescribed” means prescribed by the regulations made under this Act; (“prescrit”)

“public sector entity” means,

(a)  an institution within the meaning of subsection 2 (1) of the Freedom of Information and Protection of Privacy Act, other than the Assembly,

(b)  an institution within the meaning of subsection 2 (1) of the Municipal Freedom of Information and Protection of Privacy Act,

(c)  a children’s aid society, and

(d)  a school board; (“entité du secteur public”)

“school board” means a board as defined in subsection 1 (1) of the Education Act. (“conseil scolaire”)

Artificial intelligence system

(2) For greater certainty, for the purposes of this Act, use of an artificial intelligence system by a public sector entity includes use of a system that is,

(a)  publicly available;

(b)  developed or procured by the public sector entity; or

(c)  developed by a third party on behalf of the public sector entity.

Digital information

(3) For greater certainty, for the purposes of this Act, the collection, use, retention or disclosure of digital information by a public sector entity includes collection, use, retention or disclosure of digital information by a third party on behalf of the public sector entity.

Cyber Security

Regulations made by Lieutenant Governor in Council

2 (1) The Lieutenant Governor in Council may make regulations governing cyber security at such public sector entities as may be prescribed, including,

(a)  requiring public sector entities to develop and implement programs for ensuring cyber security;

(b)  governing programs mentioned in clause (a), which may include prescribing elements to be included in the programs;

(c)  requiring public sector entities to submit reports to the Minister or a specified individual in respect of incidents relating to cyber security, which may include different requirements in respect of different types of incidents;

(d)  prescribing the form and frequency of reports.

Regulations re programs

(2) Without limiting the generality of clause (1) (b), a regulation made under that clause may require that a public sector entity’s program include,

(a)  roles and responsibilities of specified individuals within the public sector entity relating to ensuring cyber security;

(b)  reporting on the public sector entity’s progress with respect to ensuring cyber security;

(c)  education and awareness measures respecting cyber security;

(d)  response and recovery measures for incidents relating to cyber security; and

(e)  oversight measures for implementation of the program.

Minister’s regulations re standards

3 The Minister may make regulations setting technical standards that such public sector entities as may be prescribed by the Minister must conform to respecting cyber security.

Minister’s directives

4 (1) The Minister may issue directives to public sector entities respecting cyber security.

Same

(2) A directive may be general or particular in its application, and may provide for different classes or categories.

Status

(3) Part III (Regulations) of the Legislation Act, 2006 does not apply with respect to a directive.

Compliance

(4) A public sector entity to whom a directive is issued shall comply with the directive.

Use of Artificial Intelligence Systems

Use, intended use

Application

5 (1) This section applies to such public sector entities as may be prescribed for the purposes of this section if they use or intend to use an artificial intelligence system in prescribed circumstances.

Information to public

(2) A public sector entity to which this section applies shall, in accordance with the regulations, provide information to the public about their use of the artificial intelligence system.

Accountability framework

(3) A public sector entity to which this section applies shall, in accordance with the regulations, develop and implement an accountability framework respecting their use of the artificial intelligence system.

Risk management

(4) A public sector entity to which this section applies shall take such steps as may be prescribed to manage risks associated with the use of the artificial intelligence system.

Requirements

(5) A public sector entity to which this section applies shall use the artificial intelligence system in accordance with any prescribed requirements.

Prohibited use

(6) A public sector entity to which this section applies shall not use an artificial intelligence system if the use is prohibited by the regulations.

Specific uses

Application

6 (1) This section applies in respect of such public sector entities as may be prescribed for the purposes of this section.

Obligations

(2) A public sector entity to which this section applies shall, when using an artificial intelligence system in prescribed circumstances,

(a)  disclose information, in accordance with the regulations, respecting the use of the artificial intelligence system; and

(b)  ensure that an individual,

(i)  exercises oversight of the use of the artificial intelligence system, in accordance with the regulations, and

(ii)  provides additional information, in accordance with the regulations, respecting the use of the artificial intelligence system.

Regulations made by Lieutenant Governor in Council

7 The Lieutenant Governor in Council may make regulations governing the use of artificial intelligence systems by public sector entities, including,

(a)  prescribing public sector entities to whom section 5 or 6 applies;

(b)  prescribing circumstances for the purposes of subsection 5 (1);

(c)  governing the provision of information under subsection 5 (2), which may include,

(i)  prescribing the manner in which information must be provided,

(ii)  prescribing information that must be provided,

(iii)  prescribing information that is not required to be provided,

(iv)  specifying when information must be provided and updated,

(v)  exempting public sector entities from the requirement to provide information in specified circumstances;

(d)  governing the development of accountability frameworks under subsection 5 (3), which may include,

(i)  prescribing the form and content of the accountability frameworks,

(ii)  specifying when the accountability frameworks must be developed and updated,

(iii)  prescribing roles and responsibilities of specified individuals under the accountability frameworks,

(iv)  requiring documentation respecting the use of the artificial intelligence system, including documentation respecting different phases of its use, performance and monitoring;

(e)  prescribing steps to be taken for the purposes of subsection 5 (4), including reporting and record-keeping;

(f)  prescribing requirements for the purposes of subsection 5 (5), which may include requiring that an artificial intelligence system be used only for specified purposes;

(g)  prohibiting, for the purposes of subsection 5 (6), the use of an artificial intelligence system;

(h)  prescribing circumstances for the purposes of subsection 6 (2);

(i)  governing the disclosure of information under clause 6 (2) (a), which may include,

(i)  prescribing the manner in which information must be disclosed,

(ii)  prescribing information that must be disclosed,

(iii)  prescribing information that is not required to be disclosed,

(iv)  specifying when information must be disclosed and updated,

(v)  exempting entities from the requirement to disclose information in specified circumstances;

(j)  governing the exercise of oversight for the purposes of subclause 6 (2) (b) (i);

(k)  governing the provision of additional information for the purposes of subclause 6 (2) (b) (ii), which may include requiring the provision of information about how to make inquiries about the use of the artificial intelligence system.

Minister’s regulations re standards

8 The Minister may make regulations setting technical standards that such public sector entities as may be prescribed by the Minister must conform to in their use of artificial intelligence systems.

Digital Technology Affecting Individuals Under Age 18

Regulations made by Lieutenant Governor in Council

9 The Lieutenant Governor in Council may make regulations respecting such children’s aid societies and school boards as may be prescribed,

(a)  requiring prescribed digital information relating to individuals under age 18 that is collected, used, retained or disclosed to be collected, used, retained and disclosed in a prescribed manner;

(b)  requiring reports to be submitted to the Minister or a specified individual in respect of the collection, use, retention and disclosure of information mentioned in clause (a);

(c)  prohibiting the collection, use, retention or disclosure of prescribed digital information relating to individuals under age 18, which may include prohibiting such activities in prescribed circumstances, for prescribed purposes or subject to prescribed conditions.

Minister’s regulations re standards

10 The Minister may make regulations setting technical standards that such children’s aid societies and school boards as may be prescribed by the Minister must conform to respecting,

(a)  the collection, use, retention and disclosure of digital information relating to individuals under age 18; and

(b)  digital technology made available for use by individuals under age 18.

Minister’s directives

11 (1) The Minister may issue directives to children’s aid societies and school boards respecting digital technology made available for use by individuals under age 18.

Same

(2) A directive may be general or particular in its application, and may provide for different classes or categories.

Status

(3) Part III (Regulations) of the Legislation Act, 2006 does not apply with respect to a directive.

Compliance

(4) A children’s aid society or school board to whom a directive is issued shall comply with the directive.

General

No establishment of private law duty of care

12 Nothing in the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, this Act or any regulation made or directive issued under this Act establishes a private law duty of care owing to any person.

Effect of failure to comply

13 Failure to comply with this Act or any regulation made or directive issued under this Act does not affect the validity of any policy, Act, regulation, directive, instrument or decision.

Conflict, general

14 If a provision of this Act or the regulations made or directives issued under this Act conflicts with a provision of any other Act or regulation, the provision in the other Act or regulation prevails.

Directives, conflict

15 In the event of a conflict between a requirement set out in a directive issued under this Act and a directive made by the Management Board of Cabinet, the requirement in the directive made by the Management Board of Cabinet prevails.

Regulations, general

16 The Lieutenant Governor in Council may make regulations prescribing anything in this Act that is referred to as prescribed or otherwise dealt with in the regulations, other than anything in respect of which the Minister is given authority to make regulations or which is referred to as prescribed by the Minister.

17 Omitted (provides for coming into force of provisions of this Act).

18 Omitted (enacts short title of this Act).