By Cameron A. Axford and Martin U. Wissmath

Federal and provincial privacy regulators have tightened their collaboration by entering into a new agreement designed to strengthen enforcement and harmonize oversight across federal and provincial boundaries. Announced September 11, 2025, the Privacy Commissioner of Canada (OPC) signed a Memorandum of Understanding (MoU) with Ontario’s Information and Privacy Commissioner (ON IPC), which updates and broadens an earlier 2014 framework.

The MoU, titled “Memorandum of Understanding Between the Information and Privacy Commissioner of Ontario and the Privacy Commissioner of Canada on Mutual Assistance and Information Sharing in the Administration and Enforcement of Laws Protecting Personal Information”, sets out how the two regulators (the “Regulators”) will share information and provide mutual assistance in carrying out their respective privacy mandates. For charities and not-for-profits, the development is significant because it signals closer regulatory coordination in areas where their activities often straddle both federal and provincial privacy laws.

The original 2014 MoU largely focused on health information through Ontario’s Personal Health Information Protection Act (PHIPA) and its interaction with federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Since then, the ON IPC’s role has expanded in practice, and the 2025 MoU makes this cooperation explicit to include the Freedom of Information and Protection of Privacy Act (FIPPA) and the Child, Youth and Family Services Act (CYFSA). The 2025 MoU responds to these developments by explicitly extending cooperation to these additional statutes. It also builds on the Privacy Commissioner of Canada’s mandate under PIPEDA and the Privacy Act.

The heart of the agreement is practical: it sets out procedures for sharing information, coordinating investigations, and making referrals when a matter falls within both commissioners’ jurisdictions. Designated contacts in each office will oversee communication, and both regulators commit to sharing information to the extent permitted by law. Importantly, the MoU provides that information may only be used for the purpose for which it was shared, and each office must maintain confidentiality. Statutory limits remain. Ontario’s commissioner cannot disclose cabinet records or solicitor-client privileged information, for example, and the federal commissioner remains bound by restrictions under the Access to Information Act.

The new MoU is structured around key operational principles. The Objective is to provide a comprehensive framework for cooperation. Section II details the Procedures Relating to Mutual Assistance. A core function is the ability of the Regulators to jointly investigate a matter arising under Ontario statutes and PIPEDA. As part of such joint efforts, the Commissioners may jointly investigate, deliberate on matters, and issue joint decisions, recommendations, or reports. Furthermore, the Regulators may share information relevant to an ongoing or potential investigation, complaint, audit, or review, or information that could assist either Participant in fulfilling their respective functions. The MoU also outlines practical steps, such as designating primary contacts for requests for assistance and establishing procedures for the prompt notification of inaccurate or incomplete shared information.

Section III introduces essential Limitations on Assistance and Use. This section provides that assistance or information sharing remains discretionary and must always be consistent with applicable laws, important interests, and priorities of the Regulators. For instance, the ON IPC is expressly prohibited from disclosing information that qualifies for exemptions under FIPPA, such as Cabinet records, law enforcement records, or records protected by solicitor-client privilege. Similarly, the OPC is restricted by federal statutes (PIPEDA, the Privacy Act, and the Access to Information Act) from disclosing information pertaining to Confidences of the King’s Privy Council, law enforcement records, or solicitor-client privilege. The Regulators affirm that information will only be shared to the extent necessary for the MoU's purposes and will not be used for unauthorized purposes. Importantly, Section VII confirms that the MoU is not intended to create binding legal obligations or exceed a Participant’s jurisdiction or legal authorization.

Further provisions of the MoU govern data security and legal privilege. Section IV mandates that information shared must be treated as confidential and cannot be further disclosed without the express written consent of the providing Participant. The Regulators must take reasonable steps to ensure shared information is transferred, retained, and disposed of securely. In cases of joint activities, communications protected by legal professional privilege will be subject to common interest privilege. Section V regulates the Length of Retention of Information, requiring that data not be retained longer than necessary to fulfill the purpose for which it was shared.

The new MOU represents continuity with past practice but also a maturation of regulatory cooperation. For charities and not-for-profits, it underscores that privacy is part of a wider governance framework that increasingly expects organizations to manage information responsibly across borders and statutes. As regulators close ranks, so too must charities and not-for-profits close any gaps in their privacy practices.

​Read the September 2025 Charity & NFP Law Update