Bill 97 isn't just changing privacy obligations. It's bringing a longstanding data management problem into focus for many organizations.

Ontario's Bill 97 received Royal Assent on April 24, 2026. If you operate a municipality, hospital, school board, university, or Crown agency, the clock is already ticking. Royal Assent means these changes are now law, not proposed and not pending.
This means obligations under the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) are being rewritten whether you’re ready or not.
That's not much runway, and waiting isn’t a strategy. In this piece, we cover what's changing under Bill 97, the information governance gaps that put organizations at risk, and how to build the foundation for compliance. All without replacing your existing systems or disrupting how your team works.
What is Bill 97?
Bill 97, the Plan to Protect Ontario Act (Budget Measures), 2026, is an omnibus budget bill that modernizes Ontario's Freedom of Information (FOI) and privacy legislation. For public sector organizations, it introduces new mandatory obligations around records management, privacy impact assessments, and breach reporting.
This Bill brings FIPPA and MFIPPA closer in line with each other and with modern expectations around how public institutions handle personal information. Organizations that rush to compliance at the last minute will pay for it in staff hours, risk exposure, and reputational cost.
The good news: organizations with strong information governance practices are already well positioned. For those that aren't, now is the time to act. Here's what the changes mean and how to prepare.
Who does Bill 97 Apply to?
Bill 97 applies to organizations covered by Ontario's FIPPA and MFIPPA, including:
- Provincial ministries and government agencies
- Boards, commissions and Crown agencies
- Municipalities and municipal service boards
- Police services and public libraries
- School boards, universities and colleges
- Conservation authorities
- Healthcare organizations
If your organization is responsible for responding to Freedom of Information (FOI) requests or manages public records, Bill 97 applies to you. The changes below affect how you handle information requests, records management, and response timelines.
What Bill 97 Changed in FIPPA and MFIPPA
Bill 97 introduces significant changes to Ontario’s approach to access to information and personal data protection. Organizations must follow new requirements, including:
- Privacy Impact Assessments (PIAs) are required before collecting personal information through a new program, service, or system.
- Privacy breaches that pose a real risk of significant harm must be reported to both the Information and Privacy Commissioner (IPC) and affected individuals.
- Breach recordkeeping requires institutions to maintain records of privacy breaches and report breach statistics annually.
- Extended FOI response timelines move from 30 calendar days to 45 business days, along with updated rules for managing large or complex requests.
- Safeguard obligations require organizations to demonstrate that reasonable administrative, technical, and physical safeguards are in place to protect personal information.
- Ministerial Record Exclusions remove records held by ministers and their officers from the scope of FIPPA entirely, a change that took effect retroactively to 1988.
These new requirements come at a time when governance and compliance risks are already under increased scrutiny. Gartner has identified cybersecurity, data governance, and regulatory compliance as top 2026 audit risks. These are the same areas significantly impacted by Bill 97.
Additionally, McKinsey's 2025 analysis has found that manual compliance processes fulfill only a fraction of actual obligations. Bill 97 raises the stakes by introducing new requirements that many organizations are not equipped to manage manually.
Here's what that gap looks like in practice:
| Obligation | Without Strong Governance | With Strong Governance |
| --- | --- | --- |
| ATIP Response | Manual searches, missed records, late responses | Instant, scoped retrieval with a clear audit trail |
| PIA Requirements | No visibility into what personal data exists or where | Automated PII identification across all systems |
| Breach Reporting | Inconsistent records, delayed reporting, IPC exposure | Accurate breach documentation ready for reporting |
| Safeguard Obligations | Hard to demonstrate, mostly manual | Technical controls enforced automatically |
| Retention and Disposal | Data accumulates indefinitely, ROT files never addressed | Automated identification and defensible deletion |
| Revised FOI Response Timelines | More time means nothing without organized records; responses are still late and incomplete | Fast, complete, and defensible within 45 business days |
| Staged Access Plans | No structure to respond in phases, plans rejected or appealed | Clear record categorization with documented schedules |
| Whistleblower Complaints | No internal process, complaints catch institutions off guard | Documented intake process and confidential reporting channel |
| Ministerial Record Exclusions | Unclear boundaries lead to over-disclosure or disputes | Defined custody controls with clear scope of exclusions |
| IPC Audits & Orders | Scrambling to produce evidence of compliance | Governance documentation ready for review at any time |
| Staff Training | Inconsistent awareness of new obligations | Standardized training aligned to Bill 97 requirements |
If your organization sits under "Without Strong Governance," now is the time to act.
4 Information Governance Risks Threatening Bill 97 Compliance
For many organizations, Bill 97 compliance risk stems from one of three underlying information governance challenges:
1. No Visibility Into Personal Information
You can’t protect what you can’t find. Many organizations struggle with unclassified repositories and have no reliable way to identify where PII lives. This makes PIA compliance and breach reporting difficult to execute accurately. Under Bill 97, organizations are expected to understand what information they collect, store, and manage.
2. No Consistent Classification Across Systems
Systems often label documents with different names or just fail to label them at all. This creates a governance framework gap. Classification inconsistency means search results are unreliable, retention policies don’t apply uniformly, and ATIP responses are incomplete. Consistent classification across every repository is the foundation of compliant information management.
3. No Automated Retention and Disposal
ROT data accumulates silently across file shares, SharePoint and email archives. Under Bill 97, retaining personal information longer than necessary is a liability, not just a storage cost. Without automated retention enforcement, disposal stays manual, inconsistent, and defensible to no one.
4. Whistleblower Complaints
Bill 97 raises the stakes around accountability in how public institutions handle personal information. That pressure can come from within your organization. Without a secure, documented channel for staff to raise privacy concerns internally, complaints are more likely to go directly to the Information and Privacy Commissioner or surface publicly. A formal whistleblower process isn't just good governance; it's a risk management necessity.
Capabilities Required for Bill 97 Compliance
Effective information governance solutions share a few critical capabilities, especially for organizations navigating Bill 97's expanded requirements. Here's what to look for when evaluating your options:
1. Automated Document Classification at Scale
Any solution worth considering should scan all your repositories automatically, identifying personal information and sensitive records and applying metadata without manual intervention. Classification that relies on human review doesn't scale. Look for tools that work continuously with high accuracy, directly supporting your PIA obligations and breach recordkeeping requirements under Bill 97.
To learn more about automated classification and governance, see our blog What Is Automated Content Identification?
2. Private AI Means Your Data Stays in Your Environment
Data sovereignty is a priority for Ontario public sector organizations. Any AI-powered tool you consider should run entirely within your own environment and not send data to an external cloud provider. This isn't just an IT preference; it directly aligns with Bill 97's explicit safeguard obligations. The right solution gives you the power of AI without introducing new privacy risk.
3. Enterprise Search That Finds Everything
When an ATIP request arrives, your team needs to locate the right records quickly and completely. Look for intelligent search that lets staff query all connected systems in plain language instead of navigating complex folder structures. Under Bill 97, incomplete responses aren't just a process problem; they're a legal liability.
4. Automated Retention and Disposal
A strong solution should automatically identify redundant, obsolete, and trivial (ROT) data files. This reduces your breach risk by shrinking your attack surface and directly supports your document destruction obligations under Bill 97.
5. Minimal Disruption to Existing Workflows
If your team has to change how they work, governance adoption will stall. Look for tools that run quietly across your environment, classifying content in the background while staff keep working as normal.
6. Staged Access Plan Report
Bill 97 allows institutions to respond to complex FOI requests with a staged access plan, but that plan needs to be scoped and documented quickly. Look for a solution that can report on what records exist and where across every repository, so your ATIP team isn't doing a manual inventory every time.

Information Governance Is Now a Legal Requirement and a Competitive Advantage
Bill 97 makes information governance a statutory obligation, with real consequences for Ontario public institutions. You can no longer treat records management as an IT problem or a back-office project. It must be embedded in how your organization operates.
The organizations that handle Bill 97 most confidently are the ones that see beyond compliance. Strong information governance doesn’t just reduce risk, it changes how your organization operates.
What a Governed Information Estate Means for Your Organization
| Benefit | Description |
| --- | --- |
| Faster, complete ATIP responses | Intelligent search and consistent classification mean your team finds exactly what's needed, not everything that might be relevant |
| Reduced legal and regulatory risk | PII is identified, access is controlled, and retention policies are enforced automatically |
| Lower storage and infrastructure costs | Information lifecycle management removes data you no longer need to keep |
| Stronger internal trust and adoption | When staff trust the results they get from their systems, governance adoption accelerates |
| Audit-ready breach documentation | When a breach occurs, you have the records to report it accurately and on time |
| Faster FOI responses | Intelligent search and consistent classification mean your team finds exactly what's needed, not everything that might be relevant |
| Reduced IPC complaints and appeals | Organized records and clear decision-making reduce the disputes that escalate to formal IPC appeals |
| Defensible staged access plans | Documented record categorization and schedules satisfy Bill 97's new staged access requirements |
| Student and patient data protection | PII specific to school boards and hospitals is identified, classified, and access-controlled automatically |
| Whistleblower complaint readiness | When a complaint is filed with the IPC, you have the documentation to respond accurately and on time |
Strong information governance helps organizations meet ATIP and FOI obligations while reducing risk, controlling costs, and improving confidence in their information.
Key Deadlines to Note for Bill 97
Compliance programs don't get built overnight.
FIPPA amendments start on July 1, 2026. This is the first wave of changes: new timelines calculated in business days, expanded extension powers, and new rules around staged access to records. These directly affect how provincial institutions process FOI requests and manage personal information.
MFIPPA amendments follow on January 1, 2027. Municipalities and other MFIPPA-covered institutions get a longer runway, but the scope of the change is significant. The changes include mandatory privacy impact assessments, breach reporting requirements to the Information and Privacy Commissioner, and new provisions for Commissioner-initiated reviews of your institution’s information practices.
- April 24, 2026: Bill 97 received Royal Assent. All amendments are now law. The compliance clock is running for every FIPPA and MFIPPA institution regardless of when your specific obligations take effect.
- July 1, 2026: FIPPA amendments come into force. Provincial institutions must now respond to FOI requests within revised business-day timelines, manage staged access plans, and apply the new extension rules to every active and incoming request.
- September 15, 2026: Additional FIPPA provisions take effect, including data integration requirements and updated data standards governing how personal information is collected, linked, and disposed of.

The Core Insight: Bill 97 Is a Data Management Problem
Bill 97 is not a policy exercise. It's a data infrastructure challenge.
Without strong information governance, your organization faces:
- Incomplete ATIP / FOI responses and missed deadlines
- Breach reporting failures from inconsistent records
- Regulatory exposure from unclassified personal information
- Compounding ROT data that grows the risk surface every day
With it, your organization receives:
- Precise, defensible FOI responses within the new timelines
- Enforceable safeguards that satisfy Bill 97's explicit requirements
- Measurable reduction in data risk and storage cost
That difference determines whether Bill 97 becomes a crisis or a manageable obligation.
Prepare Your Organization for Bill 97
Every compliance gap covered here (unclassified PII, inconsistent retention, incomplete ATIP responses) traces back to one root cause: ungoverned information.
Fixing that foundation doesn't require replacing your existing systems or disrupting how your team works. It requires the right tool applied consistently across every repository you manage.
Shinydocs scans and classifies information across every connected repository, enforcing retention schedules and surfacing PII, the groundwork Bill 97 compliance runs on.
Ready to see how Shinydocs can prepare your organization for Bill 97?
📅 Book a demo call today and we'll show you exactly what your current content landscape looks like and what it takes to get it compliance-ready.
Frequently Asked Questions
Bill 97, the Plan to Protect Ontario Act (Budget Measures), 2026, is an omnibus budget bill that modernizes Ontario's FOI and privacy legislation. The bill introduces new obligations around records management, privacy impact assessments, and breach reporting for public sector organizations.
FIPPA amendments come into force July 1, 2026, with additional provisions on September 15, 2026; MFIPPA amendments follow on January 1, 2027.
Redundant, obsolete, and trivial data is information your organization no longer needs but continues to store. Under Bill 97, retaining personal information longer than necessary is a liability, making ROT identification and disposal a direct compliance obligation.
Shinydocs runs continuously in the background across your existing repositories, automatically classifying records, enforcing retention schedules, and surfacing personal information. This ensures your team stays compliant without changing how they work.
