London Bylaw: Vendor Security for Third-Party Systems

Technology and Data · Ontario · published February 12, 2026

London, Ontario requires organizations contracting with the city to meet specific security and privacy expectations when third-party systems process city data or connect to municipal networks. This guide summarizes the applicable purchasing rules, IT and privacy controls, enforcement pathways, and practical steps suppliers and city staff should follow to reduce risk, protect personal information, and maintain service continuity.

Scope & Minimum Expectations

Third-party systems include cloud services, hosted platforms, subcontracted software, and managed service providers that store, transmit, or process city information. Basic expectations generally cover data classification, encryption in transit and at rest, access controls, incident notification, and contract clauses for confidentiality and liability. For procurement rules and supplier obligations see the City of London purchasing framework.[1]

Confirm contract clauses and data handling requirements before onboarding a vendor.

Risk Assessment & Onboarding

Before approval, vendors should complete a security questionnaire and provide evidence of controls: SOC 2 or equivalent reports, data flow diagrams, encryption standards, and a documented incident response plan. City IT and Procurement typically coordinate the review; technical assessments may include vulnerability scans and penetration test summaries required by the city IT team.[2]

  • Complete security questionnaire and supply attestations.
  • Sign contractual terms covering privacy, confidentiality, and rights to audit.
  • Provide evidence of technical controls (encryption, MFA, logging).

Penalties & Enforcement

Fines and specific monetary penalties for vendor security breaches or noncompliance are not stated in a single consolidated city bylaw; enforcement typically proceeds under contract remedies and applicable municipal purchasing rules.[1] Where statutory privacy breaches involve personal information, provincial obligations under MFIPPA may apply and could lead to provincial oversight or orders; specific fine amounts are not specified on the cited pages.[2]

Contract termination and remedial orders are common enforcement outcomes in procurement disputes.

Escalation and sanctions:

  • Monetary fines: not specified on the cited page; remedies usually contractual.[1]
  • Escalation: first notice, corrective action plan, suspension or termination for continued noncompliance (ranges not specified).[3]
  • Non-monetary sanctions: corrective orders, suspension of access, termination, claims for damages, and referral to regulatory authorities where privacy breaches occur.

Applications & Forms

No city-published standard "vendor security permit" form is listed on the public procurement pages; supplier onboarding typically uses procurement-specific questionnaires and contract attachments administered by Purchasing and IT.[3]

Common Violations

  • Failure to encrypt personal data in transit or at rest.
  • Delayed incident notification or inadequate breach reporting.
  • Unauthorized access due to weak access controls or missing MFA.

Document evidence of controls during procurement to avoid common onboarding delays.

Action Steps for Vendors and City Staff

  • Vendors: prepare SOC reports, encryption details, and a privacy incident plan before bid submission.
  • City staff: route privacy-impact assessments to the Access & Privacy contact and involve IT Security early.[2]
  • If noncompliance is found, enforce contract remedies promptly and document corrective timelines.

FAQ

Who enforces vendor security requirements for city contracts?
The City Purchasing office together with Information Technology Services and the Access & Privacy office coordinate enforcement and contract remedies.[3]

Are there published fines for vendor security breaches?
Specific monetary fines for vendor security breaches are not published on the city procurement or IT pages; enforcement is usually contractual and may involve provincial privacy obligations where applicable.[1]

What documentation should a vendor provide during onboarding?
Typical documentation includes security questionnaires, attestations (SOC 2 or equivalent), encryption details, incident response plans, and subcontractor lists.

How-To

  1. Identify whether the service will store or process City of London data and classify the data sensitivity.
  2. Complete the city security questionnaire and gather required evidence (SOC reports, encryption specs).
  3. Submit required documents with your procurement bid or supplier profile to Purchasing.
  4. Respond to IT Security review requests and provide remediation evidence within requested timelines.
  5. If a breach occurs, follow incident notification timelines in the contract and notify the Access & Privacy office immediately.

Key Takeaways

  • Early engagement with Purchasing and IT reduces onboarding delays.
  • Provide third-party attestations and clear data flow documentation.

Help and Support / Resources

  [1] City of London - Purchasing By-law and procurement framework
  [2] City of London - Information Technology Services (security and policies)
  [3] City of London - Business procurement and supplier information