On December 7, 2023, the Office of the Privacy Commissioner of Canada released new guidance on the use of generative artificial intelligence (AI) technologies.

While these principles are not exhaustive in covering all aspects of compliance under privacy laws, they offer valuable insight for organizations involved in the development, provision or use of generative AI technology. Below are the main privacy principles outlined in the guidance document.

Generative AI privacy principles

  • Legal authority and consent: Organizations must ensure they have legal authority for the collection and use of personal information. Consent should be both valid and meaningful.
  • Appropriate purposes: Ensure that any collection, use or disclosure of personal information associated with a generative AI system is for appropriate purposes. In many Canadian jurisdictions, this means for purposes that a reasonable person would consider appropriate in the circumstances.
  • Necessity and proportionality: Consider if the use of a generative AI tool is necessary and proportionate, particularly when it may have a significant impact on individuals or groups. The tool should be more than potentially useful; it must be necessary and likely to be effective for the intended purpose.
  • Openness: Be open and transparent about the collection, use and disclosure of personal information and the potential risks to individuals' privacy. Inform individuals what, how, when and why personal information is collected, used or disclosed throughout any stage of the generative AI system's lifecycle.
  • Accountability: Organizations should have a clear internal governance structure, including defined roles and responsibilities, as well as policies and practices that set clear expectations for privacy compliance.
  • Individual access: Processes should be in place to allow individuals to access or correct their personal information contained within an AI model, particularly where that information may be included in outputs generated in response to a prompt.
  • Limiting collection, use and disclosure: Ensure that the collection and use of personal information for training AI tools is limited to what is necessary for the purpose and use anonymized or de-identified data where possible.
  • Accuracy: Ensure that personal information is as accurate, complete and up-to-date as necessary for the purpose whenever it must be entered into a generative AI prompt or used to train a generative AI model.
  • Safeguards: Appropriate safeguards should be in place to protect personal information throughout the lifecycle of a generative AI tool, proportionate to the sensitivity of the information.

Key takeaways

Overall, organizations using generative AI tools should collect and use personal information meaningfully, appropriately, minimally, accurately and securely, and allow individuals to access or correct their information.

If you're interested in learning more about generative AI and mitigating risks within your organization, our Privacy, Data Protection & Cybersecurity group has a wide range of experience assisting various organizations in this area. We can support you in implementing these guidelines and establishing AI policies for your organization. Contact us to learn more.

Our previous blogs on the topic of AI can be found here: New international guidance for artificial intelligence systems released, Canadian Centre for Cyber Security: Huge concerns with artificial intelligence and Privacy and cybersecurity risks with artificial intelligence.
