Ontario
Summary
Law: Freedom of Information and Protection of Privacy Act, RSO 1990 c F.31 (the Act). Please note that the Act applies to public bodies only. Private organizations are regulated at the federal level by the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA).
Regulator: The Information and Privacy Commissioner of Ontario (IPC)
Summary: Ontario does not have a comprehensive private sector data protection law, as private organizations are regulated at the federal level by the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA). Privacy principles are nonetheless enshrined through the enforcement of public sector and sector-specific laws. For example, the Freedom of Information and Protection of Privacy Act, RSO 1990 c F.31 (the Act) only applies to public bodies but includes the right to personal privacy and the right to access, while the Child, Youth and Family Services Act, 2017 (the Child Services Act) stipulates that a child in care has a right to have reasonable privacy and possession of their own personal property.
Furthermore, the Information and Privacy Commissioner of Ontario (IPC) is the regulator responsible for ensuring compliance with the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A (PHIPA). Following the entry into force of the amendments to Section 61.1 of the PHIPA and Regulation O. Reg. 329/04, the IPC's enforcement powers have widened further, with administrative monetary penalties increased to a maximum of CAD 50,000 (approx. $37,000) for individuals and CAD 500,000 (approx. $370,000) for organizations.
Finally, Bill 14 for the Personal Information Protection Act, 2018, which is being discussed in the Standing Committee on Justice, may introduce significant new requirements for private organizations if enacted.