FIPPA + MFIPPA IT Controls for Ontario Municipalities and Public Sector (2026 Update)

Apr 24, 2026: Bill 97 Royal Assent
Jan 1, 2027: MFIPPA breach reporting live
CISSP-certified security leadership
CIS v8.1 public-sector baseline

Best fit for Ontario municipalities of 25 to 250 staff, school boards, police services boards, and BPS organizations preparing for Bill 97 in-force dates.

What Bill 97 changed for Ontario’s privacy regime

On April 24, 2026, Bill 97, the Plan to Protect Ontario Act (Budget Measures), 2026, received Royal Assent. The bill amends both the Freedom of Information and Protection of Privacy Act (FIPPA, Schedule 7) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA, Schedule 11), bringing the municipal regime into closer alignment with the FIPPA reforms enacted in 2024. The FIPPA amendments come into force on July 1, 2026, with certain provisions effective September 15, 2026. The MFIPPA changes follow a split timeline: most provisions take effect on the later of July 1, 2026 and Royal Assent, while the substantive privacy provisions come into force on January 1, 2027.

If your municipality, school board, or BPS organization needs Bill 97 readiness scoped against your existing control set, talk to a FIPPA/MFIPPA-aware IT specialist.

FIPPA vs MFIPPA: which Ontario organization answers to which Act

FIPPA and MFIPPA are parallel statutes. They share most of the same access and privacy machinery, but they apply to different sets of public institutions. Both are administered by the same regulator, the Information and Privacy Commissioner of Ontario.

FIPPA covers: Provincial ministries, most provincial agencies and Crown corporations, Ontario universities and publicly assisted colleges, public hospitals, and Local Health Integration Networks. This is the provincial-government privacy regime.
MFIPPA covers: Ontario municipalities (cities, towns, townships, regional municipalities), school boards, police services boards, public library boards, transit commissions, conservation authorities, local boards, and certain other municipal-level institutions.
Shared regulator: The Information and Privacy Commissioner of Ontario (IPC) administers both Acts, hears access appeals, investigates privacy complaints, and issues compliance orders. Same office, two statutes, parallel powers.
Shared structure: FIPPA s.38 / MFIPPA s.28 govern collection of personal information. FIPPA s.39 / MFIPPA s.29 govern notice of collection. FIPPA s.41-42 / MFIPPA s.31-32 govern use and disclosure. Regulation 460 (FIPPA) and Regulation 823 (MFIPPA) carry the security expectations.
What is not in scope: FIPPA and MFIPPA do not cover private-sector organizations operating in Ontario. Private-sector personal information is governed federally under PIPEDA. Ontario’s health-sector privacy law (PHIPA) covers health-information custodians under a separate regime.
Bill 97 alignment: Historically MFIPPA lagged FIPPA on safeguards and breach reporting. Bill 97 narrows the gap. By January 1, 2027, municipal institutions face substantially the same safeguard duty, PIA requirement, and IPC breach-reporting obligation as provincial institutions under the 2024 FIPPA reforms.

The 8 IT control categories every FIPPA/MFIPPA organization needs

“Public-sector privacy obligations under FIPPA and MFIPPA are not satisfied by a policy binder; they are satisfied by controls you can demonstrate to the Information and Privacy Commissioner. The recurring gap in Ontario municipalities is records with no access log and no retention schedule, so when a breach or an access request lands, nobody can prove who saw what or when it should have been deleted.”

Mike Pearlstein, CISSP, CEO and CISO, Fusion Computing

The IPC does not publish a NIST-style control catalogue. The published guidance, the IPC’s own privacy-investigation orders, and Regulation 460 / Regulation 823 expectations cluster the safeguard duty into eight practical control categories. These are the families we build the documented controls inventory around for every Ontario municipality and BPS engagement.

1. Data classification and inventory: Documented inventory of where personal information lives across the institution: HR records, finance systems, planning files, council correspondence, transit ridership data, police records. Sensitivity labels applied. Foundation for the PIA process.
2. Role-based access control: Named-user accounts for every employee, councillor, and contractor. Role-based access scoped to job function. No shared logins, no “administrator” mailbox handling personal information. Quarterly access review documented.
3. Multi-factor authentication: MFA enforced on every account that touches personal information, including municipal email, the finance system, the HR system, council-portal access, remote access, and any cloud file store. No MFA bypass for senior staff.
4. Encryption at rest and in transit: Disk-level encryption on every device touching personal information (BitLocker on Windows, FileVault on macOS). TLS 1.2 or higher on every system that moves data externally. Encrypted backup with documented retention.
5. Audit logging and retention: Microsoft 365 unified audit log retained at the highest tier the licensing allows. SIEM coverage on the finance system, council-portal access, and remote-access platform. Mailbox forwarding-rule changes alerted in real time.
6. Breach response and IPC notification: Written incident-response runbook with the IPC contact path, the “real risk of significant harm” assessment framework, internal escalation to the head of the institution under MFIPPA s.3 / FIPPA s.5, council briefing template, and affected-individual notification template.
7. Vendor due diligence and data residency: Written due-diligence file for every cloud vendor handling personal information. Microsoft 365 tenant region confirmed. Sub-processor list documented. SOC 2 Type II / ISO 27001 evidence on file. Cross-border data-flow assessment retained for PIA support.
8. Records retention and secure disposal: Records retention by-law mapped to the institution’s information asset inventory. Disposal authorization workflow. Certificate-of-destruction process for retired drives. Secure-disposal evidence retained for the audit window.

None of these eight families is novel for municipal IT. The discipline Bill 97 forces is documenting them at the same time, in writing, with evidence the IPC can read. The most common gap we see in Ontario municipalities is not the absence of controls; it is the absence of a documented evidence packet that proves the controls were active on a specific date.

Practical IT controls map for a 50-employee Ontario municipality

According to the Government of Ontario (2024), the FIPPA Manual sets out the operational expectations for safeguarding personal information held by provincial institutions, with Regulation 460 (FIPPA) and Regulation 823 (MFIPPA) carrying the named security expectations municipalities must meet. The 50-employee control map below is sized to those expectations.

Data classification and inventory: Microsoft Purview Information Protection deployed across the M365 tenant. Sensitivity labels applied to HR folders, finance folders, council-confidential folders, and Planning Act materials. Data-loss-prevention policies on the most sensitive label tier. Information asset inventory maintained alongside the records retention by-law.
Role-based access control: Microsoft Entra ID groups mapped to municipal functions (Finance, HR, Public Works, Recreation, Clerk’s Office). SharePoint sites scoped by department. Council-confidential SharePoint scoped to council and the CAO only. Quarterly access review run from Entra ID access reviews and minuted by the clerk.
Multi-factor authentication: Entra ID Conditional Access requiring MFA on every sign-in to the municipal tenant. Authenticator app preferred over SMS. Councillor accounts under the same policy. MFA on the finance system (Vadim Software, MuniWare, GP Public Sector) and the HR system configured to use the same Entra ID identity wherever the vendor supports SSO.
Encryption at rest and in transit: BitLocker enforced on every Windows workstation and laptop via Microsoft Intune. Server-side encryption on Microsoft 365 by default. TLS 1.2 or higher across the board. SQL Server Transparent Data Encryption on any on-premises finance or asset-management database. Encrypted backup to Azure Canada Central or AWS ca-central-1.
Audit logging and retention: Microsoft 365 unified audit log retained for the maximum window the licensing allows (one year on E3, longer on E5). Microsoft Sentinel or an equivalent SIEM ingesting M365, Entra ID, Defender, and the finance-system logs. Mailbox forwarding-rule changes alerted in real time. CAO and clerk sign-ins reviewed monthly.
Breach response and IPC notification: Written incident response plan covering the IPC Ontario notification path, the “real risk of significant harm” assessment framework that becomes mandatory on January 1, 2027, internal escalation to the head of the institution (typically the clerk under MFIPPA s.3), a council and CAO briefing template, an affected-individual notification template, and evidence-preservation steps. Annual tabletop exercise.
Vendor due diligence and data residency: Microsoft 365 tenant region confirmed as Canada at sign-up and documented. Vendor due-diligence file covering the finance system, HR system, asset-management platform, GIS, backup vendor, and any cloud-hosted council-portal product. SOC 2 Type II or ISO 27001 evidence on file. Cross-border data-flow review documented in support of the PIA process.
Records retention and secure disposal: Records retention by-law mapped to the M365 retention labels and the on-premises file shares. Microsoft Purview retention policies configured to match the by-law. Certificate-of-destruction workflow for retired drives, signed by IT and witnessed by the clerk’s office. Disposal log retained for the audit window.
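The real-time forwarding-rule alert from the audit-logging row above, as an added example that is not the page's or Fusion Computing's code: it scans a constructed, simplified sample of Microsoft 365 unified audit log records and flags any Exchange forwarding change whose destination lies outside the institution's domains. The tenant domains and the record shapes are assumptions.

```python
"""Flag mailbox forwarding changes in Microsoft 365 unified audit log exports that
send mail outside the institution's own domains.  Added example, not the page's or
Fusion Computing's code; records below are CONSTRUCTED and simplified (real
Search-UnifiedAuditLog output has the same Operation/UserId/Parameters fields).
"""
import json
import re

INTERNAL_DOMAINS = {"townofexample.ca", "townofexample.on.ca"}  # assumed tenant domains
# Exchange cmdlets that can create or alter a forward, per rule or mailbox-wide.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameter names whose values are forwarding destinations.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")


def external_destinations(record: dict) -> list[str]:
    """Forwarding targets in this record whose domain is not one of ours."""
    if record.get("Operation") not in FORWARDING_OPS:
        return []
    hits = []
    for p in record.get("Parameters", []):
        if p.get("Name") in FORWARD_PARAMS:
            # Values look like "smtp:user@x" or '"Display" [SMTP:user@x]'.
            for m in ADDR_RE.finditer(str(p.get("Value", ""))):
                if m.group(1).lower() not in INTERNAL_DOMAINS:
                    hits.append(m.group(0))
    return hits


def review(records: list[dict]) -> list[dict]:
    """One alert per record that forwards to an external domain."""
    return [{"when": r["CreationTime"], "who": r["UserId"], "op": r["Operation"],
             "to": ext} for r in records if (ext := external_destinations(r))]


# CONSTRUCTED export: two benign events, two that should raise a real-time alert.
SAMPLE = json.loads(r"""[
 {"CreationTime":"2026-09-03T13:02:11","Operation":"New-InboxRule","UserId":"clerk@townofexample.ca",
  "Parameters":[{"Name":"Name","Value":"Council agendas"},{"Name":"MoveToFolder","Value":"Council"}]},
 {"CreationTime":"2026-09-03T13:05:40","Operation":"Set-Mailbox","UserId":"payroll@townofexample.ca",
  "Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:treasurer@townofexample.on.ca"}]},
 {"CreationTime":"2026-09-03T22:47:09","Operation":"New-InboxRule","UserId":"payroll@townofexample.ca",
  "Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"\"x\" [SMTP:x9@mail.example.net]"},
                {"Name":"DeleteMessage","Value":"True"}]},
 {"CreationTime":"2026-09-04T02:10:55","Operation":"Set-Mailbox","UserId":"cao@townofexample.ca",
  "Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:cao.backup@webmail.example.com"},
                {"Name":"DeliverToMailboxAndForward","Value":"True"}]}
]""")
```

Calling `review(SAMPLE)` returns the two after-hours events (the payroll inbox rule that forwards and deletes, and the CAO mailbox-wide forward to webmail) while leaving the internal treasurer forward and the agenda-filing rule alone.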

For a Bill-97-ready evidence map sized to your headcount and existing tooling, request a costed scoping conversation.

Common IPC Ontario investigation findings worth pre-empting

The IPC publishes its privacy-investigation orders, and the patterns repeat. Six findings show up across municipal and BPS investigations often enough that a defensible municipality treats them as pre-emptive remediation items, not lessons-learned-after-the-fact items.

Inadequate vendor contracts and oversight: In the 2025 PowerSchool breach investigation, the IPC found that school boards had failed to include required privacy and security provisions in their vendor agreements and lacked adequate oversight of the vendor’s technical safeguards. Fix: ensure every cloud-vendor contract includes breach-notification commitments, sub-processor disclosure, audit rights, and a documented oversight cadence.
Privacy training gaps as a root cause: In IPC privacy-complaint decision MR21-00090, the IPC noted that privacy training is required to comply with Regulation 823 s.3(1) and is material to preventing unauthorized access. Fix: deliver annual mandatory privacy training to all staff and councillors, retain attendance records, and refresh the curriculum to track Bill 97 changes ahead of January 1, 2027.
Unpatched edge appliances and legacy software: The Durham Region breach was traced to the Accellion File Transfer Appliance, an end-of-life product that had been compromised in similar attacks worldwide. Fix: maintain a documented inventory of internet-facing appliances, replace EOL products, and subscribe to vendor and CCCS advisories.
Inadequate breach-response readiness: A repeated finding across IPC investigations is the absence of a tested breach-response plan that includes vendor coordination. Fix: write a one-page runbook covering IPC notification, affected-individual notification, vendor escalation, evidence preservation, and council briefing. Tabletop it annually.
Over-broad remote access to sensitive systems: The PowerSchool findings called out the need to limit remote access to student information systems to an as-needed basis. The same logic applies to municipal finance, HR, and council-confidential systems. Fix: Conditional Access policies scoping remote access to managed devices and approved geographies, with just-in-time elevation for administrators.
Shared logins and absent named-user accounts: A common finding in municipal investigations is shared logins to finance or council systems, often originating in informal “everyone signs in as the clerk” arrangements. Fix: deprovision shared accounts, issue named credentials with role-based scoping, and document the transition.

Bill 97 readiness checklist for the January 1, 2027 in-force date

The MFIPPA privacy provisions come into force on January 1, 2027. Most municipalities have eighteen to twenty months from Bill 97 Royal Assent to be operationally ready. The checklist below is what a defensible municipality wants in place before then, broken into what existing controls already satisfy, what new artifacts the bill requires, and what gaps tend to surface in readiness assessments.

Already covered by existing safeguard practice (refresh and document): MFA enforcement, encryption at rest and in transit, named-user accounts, audit logging, Conditional Access, encrypted backup, EDR on every endpoint. These satisfy the express safeguard duty being added to MFIPPA, but each one needs an evidence artifact (policy export, coverage report, retention configuration) on file by January 1, 2027.
New artifacts Bill 97 requires: A documented PIA template and PIA register covering every new personal-information collection initiative; a mandatory breach-reporting runbook with the IPC contact path and the “real risk of significant harm” assessment criteria; a breach-statistics tracking spreadsheet feeding the annual IPC report; and a revised privacy policy aligned to the new statutory safeguard duty.
Gaps that surface in readiness assessments: No documented sensitivity labelling on the council-confidential SharePoint. No record of when the last access review happened. No quarterly restore test on the backup. Vendor contracts missing breach-notification language. No tabletop on the breach-response plan in the last twelve months. Records retention by-law not mapped to the actual M365 retention labels.
EDSTA coordination layer: The Enhancing Digital Security and Trust Act, 2024 has been in force since July 1, 2025. Municipalities and BPS organizations should already have a cybersecurity-program owner identified, an incident response capability, and an awareness program in place under EDSTA. Bill 97 sits on top of EDSTA, not in place of it. The cybersecurity-records access exemption added by Bill 97 protects the EDSTA work product from public access requests.

What this costs for a 50-employee Ontario municipality

FIPPA and MFIPPA IT controls rarely justify a separate “FIPPA compliance” line on the IT bill. The eight families are the same controls a CIS Controls v8.1-aligned managed-IT engagement deploys for any small to mid-sized Ontario public-sector organization, so the cost lives inside the regular monthly managed-IT spend.

“Bill 97 felt impossible to operationalize. Fusion built our PIA template and IPC breach-notification runbook to match the ‘real risk of significant harm’ threshold, then ran a tabletop with our records team. Our board signed off on the FIPPA July 2026 readiness plan in one meeting. We are no longer the only Ontario agency without a story.”

Privacy and FOI Officer, 140-staff municipal agency, Halton Region.

Talk to a FIPPA/MFIPPA-aware IT specialist

Thirty-minute walk-through of your municipality’s current stack, the eight FIPPA/MFIPPA control families you should be able to evidence, and what tagging your readiness plan to the January 1, 2027 MFIPPA in-force date actually changes in practice. No charge, no obligation.

Book a Consultation

Frequently asked questions about FIPPA and MFIPPA IT

What is the difference between FIPPA and MFIPPA?
When does Bill 97 come into force?
Does my Ontario municipality have to report a privacy breach to IPC Ontario?
What CIS Controls v8.1 mappings satisfy FIPPA and MFIPPA expectations?
Can a municipality use Microsoft 365 if some workloads touch US data centers?
How does FIPPA/MFIPPA differ from PIPEDA for private-sector Ontario organizations?
What is the minimum IT control set for a 25-employee Ontario municipality?
