Your online picture can be used by others

Australian officials commit to overhaul the Privacy Act

Ontario Proposing Legislation To Better Protect Children

Sophisticated Cyber attacks on BC

Microsoft to make security a top priority

Ontario introduces cybersecurity bill

Ontario IPC probes government use of non-government email accounts

Federal Privacy Commissioner launches breach reporting tool

Ontario IPC issues guidelines on third party procurement


Principles for Responsible, Trustworthy and Privacy-Protective Generative AI Technologies

December 13, 2023 - Renee Barrette, Analyst

Artificial intelligence is transforming the business world including hiring, auditing, accounting and forecasting processes (Khoury, Richard, “Artificial Intelligence in Canadian Industry”). It is expected to improve health care and change the way it is delivered, such as by increasing diagnostic accuracy, improving treatment planning and forecasting outcomes of care (CMPA, “The Emergence of AI in Healthcare”). Governments are exploring the use of AI to improve teaching, learning and support innovative education systems. In the education sphere, AI is reported to have the capability of creating personalized learning experiences and optimized curricula.

To address the exponential growth in the use and development of generative AI solutions and tools, Canada’s federal, provincial and territorial privacy regulators have released joint guidance for responsible, trustworthy and privacy-protective generative AI technologies.

The guidance describes “generative AI” as follows:

a subset of machine learning in which systems are trained on massive information sets – often including personal information – to generate content such as text, computer cord, images, video, or audio in response to a user prompt. The content is probabilistic, and may vary even in response to multiple uses of the same or similar prompts.

The guidance is intended to help organizations developing, providing or using generative AI apply nine key Canadian privacy principles.

It reminds the reader that they may have further obligations, restrictions or responsibilities under other laws, regulations or policies. It includes an important note regarding the need for extra caution to identify and prevent risks to vulnerable groups, including children and groups that have historically experienced discrimination or bias.

Highlights from the nine principles are:

  1. Legal authority and consent – identify and document the legal authority for the collection, use, disclosure and deletion of personal information during the training, development, use or decommissioning of a generative AI system. Where consent is the legal authority, ensure it is valid.
  2. Appropriate purposes – in many Canadian jurisdictions, this means that personal information should be collected, used or disclosed for purposes that a reasonable person would consider appropriate in the circumstances.
  3. Necessity and proportionality – consider whether the use of a generative AI system is necessary and proportionate particularly where it may have a significant impact on individuals or groups of individuals. Use anonymized, synthetic or de-identified data rather than personal information where the latter is not required to fulfill the identified appropriate purposes.
  4. Openness – be open and transparent about the collection, use and disclosure of personal information and the potential risks to privacy. Organizations using generative AI systems should advise affected parties how the system will be used to make a decision or take an action, and about the potential outcomes and safeguards in place.
  5. Accountability – be accountable for compliance with privacy legislation and principles and make AI tools explainable.
  6. Individual access – develop procedures that enable the right of access to personal information collected about them during use of the system and personal information contained in the AI model to be meaningfully exercised.
  7. Limiting collection, use and disclosure – limit the collection, use and disclosure to what is needed to fulfill the explicitly specified, appropriate, identified purpose. Use anonymized or de-identified data where possible.
  8. Accuracy – ensure personal information used to train generative AI models and entered into a generative AI prompt is as accurate, complete and up-to-date as necessary for the purposes.
  9. Safeguards – put in place safeguards to protect personal information and mitigate potential privacy risks.

For further information, please see this news release and Commissioner Philippe Dufresne remarks to the Privacy and Generative AI Symposium on December 7, 2023.

If you or your organization is considering developing or using generative AI systems, you may wish to contact our office for general feedback. For more information about our consultation process, please see this Consultation Request Form.



Categories: BlogTags: ,

Back to Blog