Enhancing Digital Security and Trust Act (EDSTA)

Effective July 1, 2025, Ontario implemented Bill 194, the Enhancing Digital Security and Trust Act, 2024. This bill makes privacy-related amendments to the Freedom of Information and Privacy Act (FIPPA) that require institutions to strengthen their privacy protection practices. The changes add new privacy obligations, enable greater regulatory investigations and introduce mandatory breach reporting.

Over the past several months, the Privacy Office has been reviewing the changes to the act and working to meet these new requirements. Here, we’ve outlined key changes that impact TMU leaders, faculty and staff in their work. If you have any questions, please reach out to privacy@torontomu.ca.

Highlights of the act

Personal information (also referred to as PI) is recorded information about an identifiable individual. As an institution subject to FIPPA, TMU has legislated responsibilities to protect the personal information in its custody and control. Below are specific changes legislated by Bill 194. Under the new act, if there is a complaint or concern about how TMU is handling an individual’s personal information, the Information Privacy Commissioner of Ontario (IPC) now has the power to investigate the information practice and may compel an institution to change this information practice.

Privacy Impact Assessments

Under the act, it is mandatory to have a completed privacy impact assessment (PIA) on record before collecting personal information or making any significant changes to how we already use or disclose personal information in the university’s custody. 

This could include adoption of a new tool or technology, but it also applies to collecting personal information unrelated to the use of technology or software. This also applies to existing practices, processes, systems and technology. 

Privacy Impact Assessments must be completed for all personal information collection

TMU has a well-established practice of privacy impact assessments (PIAs) being conducted by the Privacy Office when departments across the university identify that personal information is involved with a new university initiative. As of July 1, it is mandatory to conduct a privacy impact assessment any time you plan to collect, use, or share personal information.

Additionally, the Information Privacy Commissioner of Ontario (IPC) can now request copies of our PIAs and related documentation for review.

What you need to do now

If you own, manage or are responsible for any practice, process, system or technology at the university that collects, uses, stores or shares personal information:

  • Confirm that you have a record of a completed privacy impact assessment that was assessed by TMU’s Privacy Office.
  • If you have not completed a privacy assessment, please contact the Privacy Office as soon as possible at privacy@torontomu.ca.
  • If you have done a privacy impact assessment in the past, but since that time have updated or modified the process or system in any way that affects the personal information, or the agreement is up for renewal, we strongly advise that you update the privacy impact assessment.
    • The Privacy Office is here to help, guide and assist you through this process. Contact us at privacy@torontomu.ca.

Mandatory Breach Reporting

A privacy breach occurs when personal information is collected, retained, used, disclosed or disposed of in ways that do not comply with Ontario’s privacy laws. This includes the loss of devices or data containing personal information. It can involve malicious acts (such as theft or cyberattacks), but it also includes accidents (like attaching the wrong document to an email).

In instances where a privacy breach could reasonably be expected to result in a real risk of significant harm to individual(s), FIPPA now requires TMU to report these breaches to the Information Privacy Commissioner of Ontario (IPC) and notify those who are impacted.

What you should do if you have knowledge of a privacy breach

As before, if you suspect or have knowledge of a privacy breach or incident, you must report this to the TMU Privacy Office as soon as you become aware of it (privacy@torontomu.ca) or complete the Privacy Incident Reporting Form (Google form). This includes any suspected breaches involving contractors or third-party service providers working for TMU. Follow the steps in the Privacy Breach Protocol. Contact the Privacy Office with questions you may have about appropriate best practices for collecting, handling, processing, storing, sharing, and disposing of personal information (privacy@torontomu.ca).