Amendments to MFIPPA and FIPPA Passed: A Controversial Process for a Controversial Bill

Background

On March 26, 2026, the Ontario government introduced Bill 97, the Plan to Protect Ontario Act (Budget Measures), 2026. This omnibus budget bill includes changes to the Freedom of Information and Protection of Privacy Act (FIPPA) (Schedule 7) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) (Schedule 11). On April 23, 2026, the bill was passed.

The amendments at issue encompass a range of provisions, from routine, process-oriented updates that have drawn little opposition to highly controversial changes that restrict access to certain categories of records. Notably, there has been significant backlash to changes that will exempt records (even retroactively) in the custody or under the control of a Minister or a Minister's office from the access to information regime. It has been assumed that these changes are, at least in part, related to an existing freedom of information request from Global News seeking to obtain Premier Ford’s cellphone records.

We can now add to the controversy the process by which the bill was passed. Under the usual legislative process, bills are referred to committee, where stakeholders and members of the public can provide input and where government and opposition committee members have the opportunity to propose and debate amendments. Consistent with that process, Bill 97 was referred to the Standing Committee on Finance and Economic Affairs on April 2. However, the government ultimately elected to bypass the committee process entirely. On April 17, government House Leader Steve Clark introduced a motion that effectively cancelled public hearings and fast-tracked the bill to third reading and a final vote. Opposition parties strongly criticized the decision. NDP Leader Marit Stiles called it "an attack on our democracy," Interim Liberal Leader John Fraser called the move hypocritical, and Green Party Leader Mike Schreiner said Ford "clearly has something to hide."

The bill passed its final vote on April 23 with 57 votes in support and 33 against. Once the bill receives Royal Assent (which presumably will occur shortly), it will become law. As to when the new provisions will take effect, it varies:

• FIPPA: with certain exceptions, the FIPPA amendments will have immediate effect upon Royal Assent, as they will be deemed to have come into force on March 26, 2026.

• MFIPPA: some of the MFIPPA amendments come into force on the later of July 1, 2026 and the date of Royal Assent; other changes, predominantly the privacy-related provisions, come into force on January 1, 2027.

In this blog, you will learn:

• How MFIPPA is being updated to align with FIPPA,

• The key process changes affecting access rights under both statutes, including any limits on access to information, and

• What these changes mean in practice for institutions and requesters.

Aligning MFIPPA with FIPPA

In 2024, FIPPA was amended by Schedule 2 of the Strengthening Cyber Security and Building Trust in the Public Sector Act (Bill 194), which modernized the public-sector privacy framework (see our blog on these changes) by strengthening existing obligations related to safeguards, introducing new requirements for privacy impact assessments and breach reporting, and putting in place enhanced oversight and enforcement powers for the IPC. Those changes, however, were not extended to MFIPPA. That changes with Bill 97. With the passage of this bill, MFIPPA will be amended to include:

• mandatory obligations to complete privacy impact assessments before collecting personal information, including analysis of purpose, legal authority, retention, safeguards, and risk mitigation.

• mandatory privacy breach reporting and notification where there is a real risk of significant harm.

• expanded obligations to implement reasonable safeguards to protect personal information.

• expanded oversight powers for the Information and Privacy Commissioner, including the ability to review an institution's information practices and make binding orders.

• Whistleblower protections allowing individuals to confidentially report suspected contraventions of MFIPPA to the Commissioner.

These amendments bring FIPPA and MFIPPA into alignment, ensuring that expectations and obligations are consistent across Ontario's public sector. While these information practices had long been recommended, and the Information and Privacy Commissioner of Ontario (IPC) made clear, following the passage of Bill 194, that municipal entities were also expected to comply with the new FIPPA requirements, these obligations are now formally codified in statute.

Process Changes to Access Rights Under Both Acts

Beyond privacy governance, the bill makes significant procedural changes to how access to information requests are managed under both FIPPA and MFIPPA.

Business Days, Not Calendar Days

Many statutory timelines will now be calculated in business days rather than calendar days. This change applies across both statutes. At the same time, the baseline deadline for responding to an access request increases from 30 days to 45 business days.

Staged Access to Records

The major procedural reform is the introduction of a new mechanism that allows institutions to respond to certain requests by proposing a plan to provide access to records in stages.
Under both FIPPA and MFIPPA, an institution may now propose staged access where:

• the scope of the request is overly broad,

• the volume of records is large,

• processing would unreasonably interfere with operations, or

• the requester has made multiple requests that collectively create an undue burden.

A staged access plan must categorize records, identify where searches will occur, and establish a schedule for decisions and disclosure. Requesters must respond within 30 business days, either by accepting the plan, proposing amendments, modifying the request, or appealing (in limited circumstances). If a requester does not respond within the established timelines, the request may be deemed abandoned.

Additional Time Extensions

Both Acts currently allow an institution to extend the time to respond to a request, but these changes will allow for a second time extension when the requester consents to the extension or the volume of records is larger than initially identified. Institutions can also rely on a second time extension due to staff unavailability or the need for additional consultations required to respond to the request, if these circumstances were not reasonably foreseeable at the time of the initial extension.

Limits on Access

Bill 97 amends both FIPPA and MFIPPA to clarify that certain records prepared or collected under the Enhancing Digital Security and Trust Act, 2024 are excluded from the application of access legislation.

These include:

• records identifying cybersecurity points of contact,

• assessments of an institution's cybersecurity status or progress,

• records containing the names of software applications acquired by school boards to access a student's personal information, and

• information that could reasonably be expected to compromise digital security

Minister's Records Excluded from FIPPA

Further changes to FIPPA specifically exclude from the Act records that are in the custody of a Minister or a Minister's office, or are under the control of a Minister or a Minister's office, unless the record is in the custody of an institution. These exclusions apply even where an institution may otherwise have control over the record, and the same treatment is extended to records in the custody or control of parliamentary assistants and their offices. These exclusions narrow the types of records available through FIPPA and place greater importance on where records are held, by whom, and in what capacity.

Notably, these amendments are retroactive, deemed to have come into force on January 1, 1988, and are accompanied by transitional provisions that eliminate existing access rights and render prior access orders ineffective to the extent they conflict with the new exclusions. The retroactive nature of these changes has been particularly controversial.

The IPC has argued that the amendments materially reduce transparency, are out of step with other Canadian jurisdictions, and undermine democratic accountability. She also noted that by excluding these records from the Act entirely, they are not only removed from the freedom of information regime, but also the protection of privacy requirements.

The Practical Impact: Flexibility for Institutions, Structure for Requesters

Access to Information

From an institutional perspective, changes to the access to information process acknowledge that modern access requests often involve expansive digital records, overlapping systems, and competing operational demands. Staged access and extended timelines provide tools to manage those challenges. While the changes formally allow for some additional flexibility in the processing of requests, which is needed in this digital age where processing access requests has become onerous and resource-intensive, many of these practices are already in use today under the current iterations of FIPPA and MFIPPA. As such, from a practical perspective, they may not have much impact on institutions' day-to-day operations.

For requesters, staged access can lead to earlier, partial disclosure and more meaningful engagement about scope and priorities. On the other hand, the new framework places greater responsibility on requesters to actively participate in the process and respond within prescribed timelines, and introduces new exclusions to the types of records that can be sought.

Privacy

From a privacy perspective, the amendments to MFIPPA carry more significant practical implications for municipal institutions. By extending the privacy framework introduced in FIPPA into MFIPPA, municipal institutions will now also be required to conduct privacy impact assessments, implement formal breach reporting and notification procedures, and ensure stronger safeguards to protect personal information.

For many municipalities, particularly smaller ones that may not have robust privacy governance programs in place, these new obligations will require meaningful operational changes, including developing internal policies, organizing staff training, and allocating resources. The expanded oversight and enforcement powers of the Information and Privacy Commissioner, including the ability to make binding orders and receive whistleblower reports, further underscore the need for municipal institutions to prioritize compliance.

Institutions subject to MFIPPA should begin assessing their current privacy practices against the new requirements and take steps to close any gaps before the provisions come into force on January 1, 2027.