Alberta OIPC Issues Report Regarding Responsible AI Governance

Written By Stephen Burns, Sebastien Gittens and David Wainer

The Office of the Information and Privacy Commissioner of Alberta (the "OIPC") recently issued a report (the "Report") summarizing the OIPC's recommendations for a framework to regulate the use of artificial intelligence ("AI") in Alberta. While these recommendations are not yet law, organizations should consider their potential impact.

The Report notes that AI laws "generally form part of legislative frameworks addressing broader digital strategies." Accordingly, the Report broadly touches on three aspects of a potential AI framework in Alberta: (i) a standalone AI law; (ii) modernization of existing privacy legislation in Alberta; and (iii) ensuring that the first two points complement broader digital strategies. This blog will discuss each of the foregoing.

Made in Alberta AI Law

The OIPC recommends that existing privacy legislation in Alberta "be complemented by a standalone AI law" and that an "AI Act should be broad in scope… ." The OIPC recommends that any such standalone AI law in Alberta broadly aligns with other existing AI regulation, such as the EU Artificial Intelligence Act and the proposed Artificial Intelligence and Data Act. For example, the OIPC notes that certain uses of AI are prohibited in the EU Artificial Intelligence Act, and queries if these restrictions should be included in AI-specific legislation in Alberta.

A key recommendation made by the OIPC in respect of a standalone AI law in Alberta is that it includes privacy by design principles, and expressly states that the least invasive forms of information are used to train AI wherever possible. The OIPC notes that such forms of information, in order of the OIPC's preference, are: (i) anonymized information or synthetic data; (ii) de-identified information; (iii) pseudonymized information; and (iv) personal information.

The OIPC also recommends that such legislation should: (i) "provide recourse and oversight by various regulators" where fundamental rights of individuals or groups (such as a result of bias) may be affected by AI uses; and (ii) clearly delineate responsibility for AI information security between developers of the AI system and of the entity deploying the AI system.

Modernizing Existing Privacy Legislation in Alberta

As part of the Alberta Standing Committee on Resource Stewardship's review, the OIPC recommended that additional privacy rights be encoded in Alberta's Personal Information Protection Act ("PIPA") in March 2024. For a review of the non-AI related considerations put forth by the OIPC at that time, please see our insight on the topic.

With respect to AI, the OIPC recommended that the Government of Alberta consider: (i) expressly enumerating authorized purposes for collecting, using and disclosing personal information for AI in PIPA; and (ii) codifying certain rights to ensure fair and privacy-respecting operation of AI systems.

Highlighting concerns with the use of automated decision-making in the private sector, the OIPC expressly recommended that PIPA be amended to:

1. permit individuals to contest automated decision-making and be notified (in plain language) when same is planned to be used (before the decision is made);
2. make policies and procedures publicly available (in plain language) that describe an organization's use of automated decision-making systems, an individual's associated privacy rights, and how an individual can exercise those rights;
3. notify individuals of automated decision-making before or at the time the personal information to be used is collected from the individual, and if the personal information was indirectly collected, a disclosure as to where that personal information was obtained and under what authority;
4. inform the individual about the personal information being used to make a decision, and the reasons and criteria that led to that decision;
5. establish a process to enable an individual to review the accuracy of personal information, contest the use of automated decision-making to make a decision, and request reconsideration by a human after the decision is made;
6. if an organization uses an automated system that may lead to harm or unfairness to an individual or group, report statistics associated with same (in a form determined by the OIPC or regulation), regularly evaluate the outputs to mitigate these effects, submit a privacy impact assessment or algorithmic impact assessment to the OIPC for review prior to using the system, and allow the OIPC to establish how algorithmic impact assessments are to be conducted; and
7. if an organization plans to use an automated system that may lead to harm or unfairness to an individual or group, authorize the OIPC to audit the use of same, review and comment on any assessments submitted by an organization, and order an organization to stop using a system if the system may be, has been, or is causing harm to an individual or group.

The Report also: (i) reiterates some of the OIPC's proposed requirements to privacy legislation governing public-sector bodies that were submitted to the Department of Technology and Innovation in March 2024; and (ii) notes that "if changes to [the Health Information Act] are made and AI is addressed, it should follow the same high-level recommendations as provided for in PIPA and [public-sector privacy legislation] … ." The OIPC has issued guidance to provide some information and recommended practices regarding the privacy-preserving adoption of AI in certain circumstances for custodians of health information.

Alberta's Digital Strategy

The Report makes clear that a standalone AI law and amendments to existing privacy legislation must occur in tandem with the proposed digital strategy currently being undertaken by Alberta's Department of Technology and Innovation (the "Digital Strategy"). Once the Digital Strategy has been finalized, we anticipate that it will guide Alberta through a transformation to modernize technical teams who "support applications or services, digital service delivery processes and [Alberta's] overall approach to technology and innovation."

Recommendations

The Report lists some measures which organizations can currently undertake to mitigate potentially adverse impacts when using AI to process personal information. These include, for example: (i) limiting the high risk uses of AI (as that term would be "derived from the EU AI Act"), and when undertaking such uses, making same transparent; and (ii) monitoring for breaches, bias, discrimination and other harms. The OIPC notes, however, that these are interim measures for an organization to bridge to eventual AI-related legislation.

Conclusion

The Report discusses a broad legislative framework to regulate AI in Alberta, including the implementation of a standalone AI law and amendments to legislation, each of which should be completed harmoniously with the Government of Alberta's Digital Strategy. While this proposed framework has not yet been implemented, the Report demonstrates that the OIPC is actively monitoring the privacy risks related to the use of AI.

While the Report provides other recommendations that are germane to public bodies or those that collect, use or disclose health information, private sector organizations are encouraged to take stock of how they use, or are planning to use, AI in their operations and take proactive measures to: (i) mitigate potentially adverse impacts resulting from such use; and (ii) ensure compliance with future regulation is not materially disruptive at the time that such regulation comes into force.

If you have any questions about how your organization may use and implement AI, we invite you to contact one of the authors of this article.

Download PDF