FIPPA + MFIPPA IT Controls for Ontario Municipalities and Public Sector (2026 Update)

A working IT controls map for Ontario municipalities, school boards, police services boards, and broader-public-sector organizations preparing for the Bill 97 amendments to FIPPA and MFIPPA, the Enhancing Digital Security and Trust Act, 2024 cybersecurity expectations, and the new mandatory privacy-breach reporting obligation taking effect on January 1, 2027.

Written for 25 to 250-employee Ontario municipalities, school boards, and BPS organizations that have to evidence reasonable security safeguards to IPC Ontario and, starting in 2027, file mandatory breach reports under MFIPPA. CISSP-led, CIS Controls v8.1-aligned, and built around an evidence packet a municipal council, an internal auditor, or a sophisticated FOI requester can read.

Apr 24, 2026: Bill 97 Royal Assent
Jan 1, 2027: MFIPPA breach reporting live
CISSP-certified security leadership
CIS v8.1 public-sector baseline

Best fit for Ontario municipalities of 25 to 250 staff, school boards, police services boards, and BPS organizations preparing for Bill 97 in-force dates.

What Bill 97 changed for Ontario’s privacy regime

According to the Information and Privacy Commissioner of Ontario (2024), FIPPA and MFIPPA set the rules for collection, use, and disclosure of personal information by Ontario public institutions, with FIPPA covering provincial bodies and MFIPPA covering municipal bodies. Bill 97, which received Royal Assent on April 24, 2026, amends both statutes and brings the municipal regime substantially into line with the FIPPA reforms enacted in 2024.

On April 24, 2026, Bill 97, the Plan to Protect Ontario Act (Budget Measures), 2026, received Royal Assent. The bill amends both the Freedom of Information and Protection of Privacy Act (FIPPA, Schedule 7) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA, Schedule 11), bringing the municipal regime closer into alignment with the FIPPA reforms enacted in 2024. FIPPA amendments come into force on July 1, 2026, with certain provisions effective September 15, 2026. MFIPPA changes follow a split timeline: most provisions on the later of July 1, 2026 and Royal Assent, with the substantive privacy provisions coming into force on January 1, 2027.

For Ontario municipalities, four operational changes matter most. First, an express statutory duty to implement reasonable administrative, technical, and physical safeguards to protect personal information. Second, a mandatory requirement to complete a privacy impact assessment (PIA) before collecting personal information, and to update the PIA whenever the use or disclosure changes materially. Third, mandatory breach reporting to the Information and Privacy Commissioner of Ontario (IPC) and to affected individuals where there is a real risk of significant harm. Fourth, an annual breach-statistics report to the IPC and expanded IPC oversight including compliance orders. These four obligations live on top of the existing FIPPA Regulation 460 and MFIPPA Regulation 823 security expectations, not in place of them.

Bill 97 also touches the cybersecurity-records side of the access regime. It clarifies that certain records prepared or collected under the Enhancing Digital Security and Trust Act, 2024 (EDSTA, enacted as part of Bill 194) are excluded from access requests under FIPPA and MFIPPA. That includes records that could reasonably be expected to compromise the cybersecurity of an institution, the names of staff responsible for cybersecurity, and certain cybersecurity assessments. The practical effect is that the EDSTA cybersecurity-program work an institution does sits inside a protected envelope from an access-request perspective. Substantively, the EDSTA itself is the public-sector cybersecurity law that came into force on July 1, 2025; Bill 97 does not change EDSTA, it adjusts the access-exemption interaction.

Why this matters operationally: until Bill 97, MFIPPA had no express duty to implement reasonable safeguards and no mandatory breach-notification obligation. Municipalities operated against IPC guidance and the implied safeguard expectation in Regulation 823 s.3(1). Starting January 1, 2027, that gap closes. Every municipality, school board, and police services board needs a documented controls inventory, a PIA process, and a breach-reporting runbook the IPC can read. Sources: BLG, Hicks Morley, Blakes, Filion Wakely Thorup Angeletti, IPC Ontario.

If your municipality, school board, or BPS organization needs Bill 97 readiness scoped against your existing control set, talk to a FIPPA/MFIPPA-aware IT specialist.

FIPPA vs MFIPPA: which Ontario organization answers to which Act

According to the Information and Privacy Commissioner of Ontario (2024), FIPPA applies to provincial ministries, agencies, boards, commissions, colleges, universities, and hospitals, while MFIPPA applies to municipalities, school boards, police services boards, and public library boards. Both are administered by the same IPC office with parallel access, privacy, and oversight powers.

FIPPA and MFIPPA are parallel statutes. They share most of the same access and privacy machinery, but they apply to different sets of public institutions. Both are administered by the same regulator, the Information and Privacy Commissioner of Ontario.

FIPPA covers: Provincial ministries, most provincial agencies and Crown corporations, Ontario universities and publicly assisted colleges, public hospitals, and Ontario Health (the successor to the Local Health Integration Networks). The provincial-government privacy regime.
MFIPPA covers: Ontario municipalities (cities, towns, townships, regional municipalities), school boards, police services boards, public library boards, transit commissions, conservation authorities, local boards, and certain other municipal-level institutions.
Shared regulator: The Information and Privacy Commissioner of Ontario (IPC) administers both Acts, hears access appeals, investigates privacy complaints, and issues compliance orders. Same office, two statutes, parallel powers.
Shared structure: FIPPA s.38 / MFIPPA s.28 govern collection of personal information. FIPPA s.39 / MFIPPA s.29 govern notice of collection. FIPPA s.41-42 / MFIPPA s.31-32 govern use and disclosure. Regulation 460 (FIPPA) and Regulation 823 (MFIPPA) carry the security expectations.
What is not in scope: FIPPA and MFIPPA do not cover private-sector organizations operating in Ontario. Private-sector personal information is governed federally under PIPEDA. Ontario’s health-sector privacy law (PHIPA) covers health-information custodians under a separate regime.
Bill 97 alignment: Historically MFIPPA lagged FIPPA on safeguards and breach reporting. Bill 97 narrows the gap. By January 1, 2027, municipal institutions face substantially the same safeguard duty, PIA requirement, and IPC breach-reporting obligation as provincial institutions under the 2024 FIPPA reforms.

The 8 IT control categories every FIPPA/MFIPPA organization needs

According to the Information and Privacy Commissioner of Ontario (2025), the Enhancing Digital Security and Trust Act, 2024 (EDSTA, enacted under Bill 194) requires Ontario public-sector entities to operate a documented cybersecurity program covering technical, administrative, and physical safeguards, with reporting obligations to the Minister of Public and Business Service Delivery. The eight FIPPA/MFIPPA control families below dovetail directly with the EDSTA program a municipality already operates.

The IPC does not publish a NIST-style control catalogue. The published guidance, the IPC’s own privacy-investigation orders, and Regulation 460 / Regulation 823 expectations cluster the safeguard duty into eight practical control categories. These are the families we build the documented controls inventory around for every Ontario municipality and BPS engagement.

1. Data classification and inventory: Documented inventory of where personal information lives across the institution: HR records, finance systems, planning files, council correspondence, transit ridership data, police records. Sensitivity labels applied. Foundation for the PIA process.
2. Role-based access control: Named-user accounts for every employee, councillor, and contractor. Role-based access scoped to job function. No shared logins, no “administrator” mailbox handling personal information. Quarterly access review documented.
3. Multi-factor authentication: MFA enforced on every account that touches personal information, including municipal email, the finance system, the HR system, council-portal access, remote access, and any cloud file store. No MFA bypass for senior staff.
4. Encryption at rest and in transit: Disk-level encryption on every device touching personal information (BitLocker on Windows, FileVault on macOS). TLS 1.2 or higher on every system that moves data externally. Encrypted backup with documented retention.
5. Audit logging and retention: Microsoft 365 unified audit log retained at the highest tier the licensing allows. SIEM coverage on the finance system, council-portal access, and remote-access platform. Mailbox forwarding-rule changes alerted in real time.
6. Breach response and IPC notification: Written incident-response runbook with the IPC contact path, the “real risk of significant harm” assessment framework, internal escalation to the head of the institution under MFIPPA s.3 / FIPPA s.5, council briefing template, and affected-individual notification template.
7. Vendor due diligence and data residency: Written due-diligence file for every cloud vendor handling personal information. Microsoft 365 tenant region confirmed. Sub-processor list documented. SOC 2 Type II / ISO 27001 evidence on file. Cross-border data-flow assessment retained for PIA support.
8. Records retention and secure disposal: Records retention by-law mapped to the institution’s information asset inventory. Disposal authorization workflow. Certificate-of-destruction process for retired drives. Secure-disposal evidence retained for the audit window.

None of these eight families is novel for municipal IT. The discipline Bill 97 forces is documenting them at the same time, in writing, with evidence the IPC can read. The most common gap we see in Ontario municipalities is not the absence of controls; it is the absence of a documented evidence packet that proves the controls were active on a specific date.

Practical IT controls map for a 50-employee Ontario municipality

According to the Government of Ontario (2024), the FIPPA Manual sets out the operational expectations for safeguarding personal information held by provincial institutions, with Regulation 460 (FIPPA) and Regulation 823 (MFIPPA) carrying the named security expectations municipalities must meet. The 50-employee control map below is sized to those expectations.

For a 50-employee Ontario municipality covering town hall, public works, parks and recreation, and a small treasury team, the eight control families translate into a fairly compact technical stack. The mapping below is what we deploy at most municipal onboardings, with the vendor names that show up most often in Ontario’s lower- and single-tier municipal market.

Data classification and inventory: Microsoft Purview Information Protection deployed across the M365 tenant. Sensitivity labels applied to HR folders, finance folders, council-confidential folders, and planning-act materials. Data-loss-prevention policies on the most sensitive label tier. Information asset inventory maintained alongside the records retention by-law.
Role-based access control: Microsoft Entra ID groups mapped to municipal functions (Finance, HR, Public Works, Recreation, Clerk’s Office). SharePoint sites scoped by department. Council-confidential SharePoint scoped to council and the CAO only. Quarterly access review run from Entra ID access reviews and minuted by the clerk.
Multi-factor authentication: Entra ID Conditional Access requiring MFA on every sign-in to the municipal tenant. Authenticator app preferred over SMS. Councillor accounts under the same policy. Finance system (Vadim Software, MuniWare, GP Public Sector) and HR system MFA configured to honour the same identity where the vendor supports SSO.
Encryption at rest and in transit: BitLocker enforced on every Windows workstation and laptop via Microsoft Intune. Server-side encryption on Microsoft 365 by default. TLS 1.2 or higher across the board. SQL Server Transparent Data Encryption on any on-premise finance or asset-management database. Encrypted backup to Azure Canada Central or AWS ca-central-1.
Audit logging and retention: Microsoft 365 unified audit log retained for the maximum window the licensing allows (180 days under Audit (Standard) on Business Premium and E3, one year under Audit (Premium) on E5, up to ten years with the 10-Year Audit Log Retention add-on). Microsoft Sentinel or an equivalent SIEM ingesting M365, Entra ID, Defender, and the finance-system logs. Mailbox forwarding-rule changes alerted in real time. CAO and clerk sign-ins reviewed monthly.
Breach response and IPC notification: Written incident response plan covering: IPC Ontario notification path, the “real risk of significant harm” assessment framework that becomes mandatory January 1, 2027, internal escalation to the head of the institution (under MFIPPA s.3 the council, or the member or committee of council designated by by-law; day to day the clerk usually acts under a written s.49 delegation), council and CAO briefing template, affected-individual notification template, evidence-preservation steps. Annual tabletop exercise.
Vendor due diligence and data residency: Microsoft 365 tenant region confirmed as Canada at sign-up and documented. Vendor due-diligence file covering the finance system, HR system, asset-management platform, GIS, backup vendor, and any cloud-hosted council-portal product. SOC 2 Type II or ISO 27001 evidence on file. Cross-border data-flow review documented in support of the PIA process.
Records retention and secure disposal: Records retention by-law mapped to the M365 retention labels and the on-premise file shares. Microsoft Purview retention policies configured to match the by-law. Certificate-of-destruction workflow for retired drives, signed by IT and witnessed by the clerk’s office. Disposal log retained for the audit window.
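The “mailbox forwarding-rule changes alerted in real time” item in the audit-logging row above (and in control family 5 earlier on the page) is the one detection most municipal SIEM deployments get wrong, because a rule that moves mail to a folder and a rule that silently forwards the treasurer’s invoices to a Gmail address both land in the unified audit log as New-InboxRule. The script below is an added example, not code from the original page or from any vendor: it walks JSON audit records, keeps only the cmdlets that can redirect mail, extracts the destination addresses, and rates the change by whether the destination is outside the institution’s own domains and whether the rule also deletes the original (the classic business-email-compromise pattern). The sample records, the domain list and the record field names are constructed for the example; in production you would feed it the AuditData payloads returned by Search-UnifiedAuditLog or the Office 365 Management Activity API and forward anything rated high to the on-call channel.

```python
import json

# Assumption: the institution's own SMTP domains; any other destination is "external".
ACCEPTED_DOMAINS = {"townofexample.ca"}

# Cmdlets whose parameters can redirect mail, as they appear in the Operation
# field of Exchange admin-audit records in the unified audit log.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}


def extract_addresses(value):
    """Normalise a parameter value such as 'smtp:a@x.ca' or '[SMTP:a@x.ca];b@y.com'
    (string or list) into a sorted tuple of lower-case SMTP addresses."""
    items = value if isinstance(value, list) else str(value).split(";")
    found = set()
    for item in items:
        addr = item.strip().strip("[]").strip()
        if addr.lower().startswith("smtp:"):
            addr = addr[5:]
        if "@" in addr:
            found.add(addr.lower())
    return tuple(sorted(found))


def is_external(address):
    return address.rsplit("@", 1)[1] not in ACCEPTED_DOMAINS


def analyze_record(record):
    """Return an alert dict for a forwarding change, or None when the record is
    not one (a rule that only moves mail to a folder, a display-name change)."""
    if record.get("Operation") not in FORWARDING_OPERATIONS:
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    targets = set()
    for name in FORWARDING_PARAMS:
        if name in params:
            targets.update(extract_addresses(params[name]))
    if not targets:
        return None
    targets = tuple(sorted(targets))
    external = any(is_external(t) for t in targets)
    # Forward-and-delete means the mailbox owner never sees the forwarded mail.
    deletes_copy = str(params.get("DeleteMessage", "")).lower() == "true"
    return {
        "time": record.get("CreationTime"),
        "actor": record.get("UserId"),
        "mailbox": record.get("ObjectId") or params.get("Identity") or record.get("UserId"),
        "operation": record["Operation"],
        "targets": targets,
        "external": external,
        "deletes_copy": deletes_copy,
        "severity": "high" if external or deletes_copy else "medium",
    }


def analyze_audit_log(lines):
    """Parse one JSON audit record per line and return alerts in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = analyze_record(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real tenant data); the field names follow the
# shape of Exchange admin-audit entries in the unified audit log.
SAMPLE_LOG = """
{"CreationTime":"2026-09-03T14:02:11","Operation":"New-InboxRule","Workload":"Exchange","UserId":"treasury@townofexample.ca","ObjectId":"treasury@townofexample.ca","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"[SMTP:payments.update@gmail.com]"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-09-03T15:20:40","Operation":"Set-Mailbox","Workload":"Exchange","UserId":"itadmin@townofexample.ca","ObjectId":"clerk@townofexample.ca","Parameters":[{"Name":"Identity","Value":"clerk@townofexample.ca"},{"Name":"ForwardingSmtpAddress","Value":"smtp:deputyclerk@townofexample.ca"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2026-09-03T15:31:05","Operation":"Set-Mailbox","Workload":"Exchange","UserId":"itadmin@townofexample.ca","ObjectId":"parks@townofexample.ca","Parameters":[{"Name":"Identity","Value":"parks@townofexample.ca"},{"Name":"DisplayName","Value":"Parks and Recreation"}]}
{"CreationTime":"2026-09-03T16:10:22","Operation":"New-InboxRule","Workload":"Exchange","UserId":"planning@townofexample.ca","ObjectId":"planning@townofexample.ca","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
"""

if __name__ == "__main__":
    for a in analyze_audit_log(SAMPLE_LOG.splitlines()):
        print(f"{a['severity'].upper():6} {a['time']} {a['actor']} {a['operation']} "
              f"{a['mailbox']} -> {', '.join(a['targets'])}"
              + (" (deletes original)" if a["deletes_copy"] else ""))
```

Run against the sample, the first record (external Gmail destination plus DeleteMessage) rates high, the clerk-to-deputy-clerk forward set by an administrator rates medium and is worth a ticket rather than a page, and the display-name change and the move-to-folder rule produce nothing. Rating internal forwards as medium rather than ignoring them matters for the evidence packet: the IPC reads a forward of the clerk’s mailbox to another person as a disclosure decision, so the change should be traceable to an approval even when it is benign.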

For a Bill-97-ready evidence map sized to your headcount and existing tooling, request a costed scoping conversation.

Common IPC Ontario investigation findings worth pre-empting

According to the Information and Privacy Commissioner of Ontario (2024), the IPC publishes interpretation bulletins documenting how it and the courts have interpreted FIPPA and MFIPPA on appeal, and the patterns across published privacy-investigation findings repeat year after year. The six investigation findings below are the recurring patterns Ontario municipalities can pre-empt before they trigger an IPC complaint.

The IPC publishes its privacy-investigation orders, and the patterns repeat. Six findings show up across municipal and BPS investigations often enough that a defensible municipality treats them as pre-emptive remediation items, not lessons-learned-after-the-fact items.

Inadequate vendor contracts and oversight: In the 2025 PowerSchool breach investigation, the IPC found that school boards had failed to include required privacy and security provisions in their vendor agreements and lacked adequate oversight of the vendor’s technical safeguards. Fix: ensure every cloud-vendor contract includes breach-notification commitments, sub-processor disclosure, audit rights, and a documented oversight cadence.
Privacy training gaps as a root cause: In IPC privacy-complaint decision MR21-00090, the IPC noted that privacy training is required to comply with Regulation 823 s.3(1) and is material to preventing unauthorized access. Fix: deliver annual mandatory privacy training to all staff and councillors, retain attendance records, and refresh the curriculum to track Bill 97 changes ahead of January 1, 2027.
Unpatched edge appliances and legacy software: The Durham Region breach was traced to the Accellion File Transfer Appliance, an end-of-life product that had been compromised in similar attacks worldwide. Fix: maintain a documented inventory of internet-facing appliances, replace EOL products, and subscribe to vendor and CCCS advisories.
Inadequate breach-response readiness: A repeated finding across IPC investigations is the absence of a tested breach-response plan that includes vendor coordination. Fix: write a one-page runbook covering IPC notification, affected-individual notification, vendor escalation, evidence preservation, and council briefing. Tabletop it annually.
Over-broad remote access to sensitive systems: The PowerSchool findings called out the need to limit remote access to student information systems on an as-needed basis. The same logic applies to municipal finance, HR, and council-confidential systems. Fix: conditional access policies scoping remote access to managed devices and approved geographies, with just-in-time elevation for administrators.
Shared logins and absent named-user accounts: A common finding in municipal investigations is shared logins to finance or council systems, often originating in informal “everyone signs in as the clerk” arrangements. Fix: deprovision shared accounts, issue named credentials with role-based scoping, and document the transition.

Bill 97 readiness checklist for the January 1, 2027 in-force date

According to BLG (2026) and other Canadian legal commentary on Bill 97, MFIPPA privacy provisions come into force January 1, 2027, with new express safeguard duties, mandatory PIA requirements, mandatory IPC breach reporting on the “real risk of significant harm” threshold, and annual breach-statistics reporting. That leaves municipalities a little over eight months from Royal Assent on April 24, 2026 to be operationally ready.

The MFIPPA privacy provisions come into force on January 1, 2027. Counting from Bill 97 Royal Assent on April 24, 2026, municipalities have roughly eight months to be operationally ready, which is less than one budget cycle. The checklist below is what a defensible municipality wants in place before then, broken into what existing controls already satisfy, what new artifacts the bill requires, and what gaps tend to surface in readiness assessments.

Already covered by existing safeguard practice (refresh and document): MFA enforcement, encryption at rest and in transit, named-user accounts, audit logging, conditional access, encrypted backup, EDR on every endpoint. These satisfy the express safeguard duty being added to MFIPPA, but each one needs an evidence artifact (policy export, coverage report, retention configuration) on file by January 1, 2027.
New artifacts Bill 97 requires: A documented PIA template and PIA register covering every new personal-information collection initiative. Then a mandatory breach-reporting runbook with the IPC contact path and the “real risk of significant harm” assessment criteria. Pair this with a breach-statistics tracking spreadsheet feeding the annual IPC report. Finally, a revised privacy policy aligned to the new statutory safeguard duty.
Gaps that surface in readiness assessments: No documented sensitivity labelling on the council-confidential SharePoint. No record of when the last access review happened. No quarterly restore test on the backup. Vendor contracts missing breach-notification language. No tabletop on the breach-response plan in the last twelve months. Records retention by-law not mapped to actual M365 retention labels.
EDSTA coordination layer: The Enhancing Digital Security and Trust Act, 2024 has been in force since July 1, 2025. Municipalities and BPS organizations should already have a cybersecurity-program owner identified, an incident response capability, and an awareness program in place under EDSTA. Bill 97 sits on top of EDSTA, not in place of it. The cybersecurity-records access exemption added by Bill 97 protects the EDSTA work-product from public access requests.
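The “coverage report” artifact named in the first checklist row, and the shared-login finding in the IPC section above, both come down to the same question an auditor asks: on a stated date, which enabled accounts had MFA registered, with what method, and which accounts were not a named person at all. The script below is an added example written for this page, not a vendor tool or anything the IPC publishes: it reads a registration export and produces the dated figures for the evidence packet, flagging accounts with no MFA, accounts whose only registered method is a phone number (the page’s stance is authenticator app over SMS), administrators without MFA, and local-parts that look like a role mailbox rather than a person. The CSV content, its column names (chosen to resemble the Entra user registration details report) and the shared-account word list are all assumptions for the example and should be checked against your own tenant’s export.

```python
import csv
import io
from collections import Counter

# Methods that rely only on phone delivery; treated as weak, per the
# "authenticator app preferred over SMS" stance on this page. Method names
# follow the Entra registration report as an assumption.
PHONE_ONLY_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone"}

# Heuristic word list: local-parts that usually mean a shared or role mailbox
# rather than a named person. Tune to the institution.
SHARED_LOCALPARTS = {"clerk", "admin", "administrator", "finance",
                     "reception", "info", "council"}


def _flag(value):
    return value.strip().lower() == "true"


def parse_export(text):
    """Read the registration export (assumed columns: userPrincipalName,
    accountEnabled, isMfaRegistered, methodsRegistered, isAdmin)."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "upn": row["userPrincipalName"].strip().lower(),
            "enabled": _flag(row["accountEnabled"]),
            "mfa_registered": _flag(row["isMfaRegistered"]),
            # methodsRegistered is assumed to be ';'-separated; empty means none
            "methods": [m for m in row["methodsRegistered"].split(";") if m],
            "is_admin": _flag(row["isAdmin"]),
        })
    return users


def looks_shared(upn):
    return upn.split("@", 1)[0] in SHARED_LOCALPARTS


def evidence_report(text, snapshot_date):
    """Summarise the export into the figures an auditor asks for, tied to the
    date the export was taken so the packet proves the control on that day."""
    users = [u for u in parse_export(text) if u["enabled"]]  # disabled accounts are out of scope
    not_registered = sorted(u["upn"] for u in users if not u["mfa_registered"])
    phone_only = sorted(u["upn"] for u in users
                        if u["mfa_registered"] and u["methods"]
                        and set(u["methods"]) <= PHONE_ONLY_METHODS)
    admins_without_mfa = sorted(u["upn"] for u in users
                                if u["is_admin"] and not u["mfa_registered"])
    shared = sorted(u["upn"] for u in users if looks_shared(u["upn"]))
    registered = len(users) - len(not_registered)
    return {
        "snapshot_date": snapshot_date,
        "enabled_users": len(users),
        "mfa_registered": registered,
        "coverage_pct": round(100 * registered / len(users), 1) if users else 0.0,
        "not_registered": not_registered,
        "phone_only": phone_only,
        "admins_without_mfa": admins_without_mfa,
        "shared_looking_accounts": shared,
        "method_counts": dict(Counter(m for u in users for m in u["methods"])),
    }


# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = """userPrincipalName,accountEnabled,isMfaRegistered,methodsRegistered,isAdmin
mayor@townofexample.ca,True,True,microsoftAuthenticatorPush;mobilePhone,False
treasurer@townofexample.ca,True,True,mobilePhone,False
clerk@townofexample.ca,True,True,microsoftAuthenticatorPush,False
itadmin@townofexample.ca,True,False,,True
summer.student@townofexample.ca,False,False,,False
pworks.lead@townofexample.ca,True,True,fido2SecurityKey;microsoftAuthenticatorPush,False
"""

if __name__ == "__main__":
    report = evidence_report(SAMPLE_EXPORT, "2026-12-15")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample, coverage is 80% of five enabled accounts; the one unregistered account is also the only administrator, which is the finding to fix first; the treasurer is SMS-only; and clerk@ is flagged for the named-credential conversation. Keep the raw export next to the report output, both dated, because the report alone is a claim and the export is the evidence.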

What this costs for a 50-employee Ontario municipality

FIPPA and MFIPPA IT controls rarely justify a separate “FIPPA compliance” line on the IT bill. The eight families are the same controls a CIS Controls v8.1-aligned managed-IT engagement deploys for any small to mid-sized Ontario public-sector organization, so the cost lives inside the regular monthly managed-IT spend.

A small Ontario municipality of 15 to 50 employees (one town hall, public works, modest recreation) typically lands at $3,000 to $6,500 per month for fully managed IT and cybersecurity that produces a defensible FIPPA/MFIPPA evidence packet. That covers Microsoft 365 administration, Entra ID Conditional Access, MFA enforcement, Microsoft Purview sensitivity labels, EDR on every device, encrypted backup with quarterly tested restore, SIEM ingestion of M365 and Entra ID, helpdesk, and a documented controls inventory. The package is CIS Controls v8.1-aligned at the implementation-group 1 to 2 level, which is the de-facto baseline for Ontario municipalities of this size.

A mid-size Ontario municipality of 50 to 250 employees (multiple departments, an OPP-contract or in-house police complement, a transit operation, multiple facilities) typically lands at $6,500 to $14,000 per month under the same scope. The headline drivers are the per-user Microsoft 365 licensing tier (Business Premium or E3/E5 for the sensitivity-label and conditional-access features), EDR licensing, SIEM ingestion volume, the documented vCIO engagement covering quarterly council briefings, and the breadth of vendor-coordination work. Software licensing on the municipal-software side (finance, asset management, GIS, council-portal product) flows through without a Fusion markup.

CIS Controls v8.1 alignment is the baseline most Ontario municipalities benchmark against because it maps cleanly to the IPC’s reasonable-safeguards expectation and to the EDSTA cybersecurity-program expectation. The CIS framework is free to adopt, the implementation groups scale to organization size, and the evidence map carries directly into a Bill 97 readiness assessment. For municipality-sized scoping and a defensible CIS v8.1 evidence map, request a readiness conversation.

“Bill 97 felt impossible to operationalize. Fusion built our PIA template and IPC breach-notification runbook to match the ‘real risk of significant harm’ threshold, then ran a tabletop with our records team. Our board signed off on the FIPPA July 2026 readiness plan in one meeting. We are no longer the only Ontario agency without a story.”

Privacy and FOI Officer, 140-staff municipal agency, Halton Region.

Talk to a FIPPA/MFIPPA-aware IT specialist

Thirty-minute walk-through of your municipality’s current stack, the eight FIPPA/MFIPPA control families you should be able to evidence, and what tagging your readiness plan to the January 1, 2027 MFIPPA in-force date actually changes in practice. No charge, no obligation.

Book a Consultation

Frequently asked questions about FIPPA and MFIPPA IT

What is the difference between FIPPA and MFIPPA?

FIPPA, the Freedom of Information and Protection of Privacy Act, applies to provincial ministries and most provincial agencies, Ontario universities and publicly assisted colleges, public hospitals, and Ontario Health (the successor to the Local Health Integration Networks). MFIPPA, the Municipal Freedom of Information and Protection of Privacy Act, applies to Ontario municipalities, school boards, police services boards, public library boards, transit commissions, conservation authorities, and other municipal-level institutions. Both statutes are administered by the Information and Privacy Commissioner of Ontario, share most access-request and privacy machinery, and have parallel section numbering (for example, FIPPA s.38 and MFIPPA s.28 on collection of personal information). Neither covers private-sector organizations; private-sector personal information in Ontario is governed federally under PIPEDA.

When does Bill 97 come into force?

Bill 97, the Plan to Protect Ontario Act (Budget Measures), 2026, received Royal Assent on April 24, 2026. The FIPPA amendments come into force on July 1, 2026, with certain provisions effective September 15, 2026. The MFIPPA amendments are split: most provisions on the later of July 1, 2026 and Royal Assent, with the substantive privacy provisions (express safeguard duty, mandatory PIA requirement, mandatory breach reporting to the IPC, annual breach-statistics reporting) coming into force on January 1, 2027. Municipalities and BPS organizations should treat January 1, 2027 as the operational deadline for full readiness.

Does my Ontario municipality have to report a privacy breach to IPC Ontario?

Starting January 1, 2027, yes. Bill 97 amends MFIPPA to require municipal institutions to notify the Information and Privacy Commissioner of Ontario and affected individuals of any theft, loss, or unauthorized use or disclosure of personal information in their custody or control where it is reasonable in the circumstances to believe that there is a real risk of significant harm. Bill 97 also requires municipalities to maintain a record of all privacy breaches and to report breach statistics annually to the IPC. Prior to January 1, 2027, MFIPPA had no mandatory breach-notification obligation, though the IPC has long encouraged voluntary reporting and many municipalities already do so. The defensible posture today is to operate as if mandatory reporting already applies, so the runbook and the tracking process are in place ahead of the in-force date.

What CIS Controls v8.1 mappings satisfy FIPPA and MFIPPA expectations?

The IPC does not publish a control-framework mapping, but CIS Controls v8.1 is the framework most Ontario municipalities benchmark against because it maps cleanly to the reasonable-safeguards expectation under FIPPA Regulation 460 and MFIPPA Regulation 823 s.3(1), and because it aligns with the EDSTA cybersecurity-program expectation. CIS Implementation Group 1 (IG1) is the “essential cyber hygiene” subset: 56 safeguards drawn from 15 of the 18 controls, covering asset and software inventory, basic data protection, secure configuration, account and access management, vulnerability management, audit log management, email and browser protections, malware defenses, data recovery, network infrastructure management, awareness training, service provider management, and a basic incident-response capability. It is the floor most Ontario municipalities of 25 to 100 staff are expected to meet. IG2 adds 74 safeguards, including the two controls that have no IG1 safeguards at all (network monitoring and defense, application software security) plus deeper log management (centralized collection and log review) and data protection (data-flow documentation, DLP), and is the working baseline for municipalities above 100 staff and for most BPS organizations. IG3 adds the remaining 23 safeguards, including penetration testing, and is rarely the target for an institution of this size.

Can a municipality use Microsoft 365 if some workloads touch US data centers?

Yes, with documentation. FIPPA and MFIPPA do not prohibit cross-border data flow outright in the way some provincial public-sector statutes historically did. What both require is reasonable safeguards and, under the Bill 97 amendments coming in force in 2026 and 2027, a documented PIA assessing the risks. Microsoft 365 offers Canadian data residency for core workloads (Exchange Online, SharePoint Online, OneDrive for Business, Teams chat) at the tenant region level, and a municipality whose council has committed to Canadian-resident data should select Canada as the tenant data location at sign-up and confirm the configuration in writing. Some workloads (telemetry, certain Copilot processing paths, Defender investigation evidence) may still transit US infrastructure, and the municipality’s due-diligence file and PIA should record what does and does not stay in Canada. The IPC has not prohibited this configuration; it has expected institutions to be able to explain it.

How does FIPPA/MFIPPA differ from PIPEDA for private-sector Ontario organizations?

PIPEDA is the federal private-sector privacy law that applies to commercial activity in Ontario (Ontario does not have a substantially-similar provincial private-sector statute, unlike BC, Alberta, and Quebec). FIPPA and MFIPPA are Ontario public-sector statutes. The regulators differ: PIPEDA is administered by the Office of the Privacy Commissioner of Canada (OPC); FIPPA and MFIPPA are administered by the Information and Privacy Commissioner of Ontario (IPC). The substantive obligations overlap significantly (reasonable safeguards, breach notification, accountability), but the section numbers, the enforcement mechanisms, and the regulator-contact tree are entirely different. A private-sector vendor selling services to an Ontario municipality answers to PIPEDA itself; the municipality answers to MFIPPA and must do vendor-level diligence to make sure the contract bridges the two regimes.

What is the minimum IT control set for a 25-employee Ontario municipality?

For a 25-employee Ontario municipality, the practical minimum is the CIS Controls v8.1 Implementation Group 1 set, layered onto Microsoft 365 Business Premium. That gives you: Entra ID with mandatory MFA on every account, Entra ID Conditional Access blocking unmanaged devices, BitLocker on every workstation, Microsoft Defender for Business EDR coverage, Exchange Online Protection plus Defender for Office 365 anti-phishing, SharePoint Online with sensitivity labels on the council-confidential and HR folders, encrypted backup of the M365 tenant and any on-premise file shares to an Azure Canada Central or AWS ca-central-1 destination, the Microsoft 365 unified audit log retained at the maximum window the licensing allows, annual mandatory privacy training for all staff and councillors, and a written incident response runbook covering the IPC notification path. That control set satisfies the express safeguard duty being added to MFIPPA by Bill 97, supports the PIA process, and produces an evidence packet a council, an auditor, or the IPC can read.