New FIPPA requirements take effect on July 1, 2025
June 26, 2025
Effective July 1, 2025, new rules under Ontario’s FIPPA will strengthen protections for personal information. The key changes include:
- Mandatory Privacy Impact Assessments (PIAs) before collecting personal information
- Mandatory breach notifications when there's a real risk of significant harm
- Annual breach reporting to the Information and Privacy Commissioner (IPC)
These changes stem from the , which received Royal Assent last fall. The Act modernizes digital privacy rules and aligns Ontario’s privacy framework with some of the stronger standards of other jurisdictions.
Privacy Impact Assessments Required
Queen’s must now complete a Privacy Impact Assessment (PIA) whenever it begins a new collection of personal information or significantly changes why such information is used or disclosed.
A PIA evaluates the risks to personal privacy and must follow a legislated format. University personnel can access the required form on the Records Management and Privacy Office website.
Units must submit the completed PIA at least two weeks before collecting personal information. The Records Management and Privacy Office will review the submission and provide approval or feedback on additional risk mitigation steps.
Mandatory Breach Notifications
As of July 1, Queen’s is required to notify individuals of any privacy breach that poses a real risk of significant harm and must also inform the .
While the university has generally followed this practice, it is now a legal requirement. Faculty, staff, or students who become aware of a breach must contact the Chief Privacy Officer, who will conduct a Real Risk of Significant Harm (RROSH) assessment. This assessment considers the sensitivity of the data and the likelihood of misuse.
Annual Breach Reporting
The new rules also require Queen’s to track all privacy breaches—regardless of severity—for annual reporting to the IPC. This means all breaches must be reported internally to the Chief Privacy Officer, even if resolved within a unit.
Queen’s has been subject to FIPPA since 2006 for its collection, use, and disclosure of personal information.
For more information, visit the Records Management and Privacy Office website.