The Commission d'accès à l'information (CAI)—Québec's privacy regulator—has released a set of guidelines outlining recommendations on the use of AI in the workplace, which offer "good guidance" to employers who wish to update their best practices, says partner Julie Himo in an interview with HR Reporter.
Though the new guidelines are not binding law, they provide insight into what could soon become standard AI and privacy regulation across Canada.
"It gives us a sense of where the CAI is heading in terms of regulatory positioning, and it'll help employers—who are all considering what AI tools they want to use in their day to day—to identify where the issues are, what they would be if they decided to use an AI tool and what risks they could be running by using these tools," Julie says.
Read: Québec privacy regulator identifies best practices for the use of AI in the workplace
In the guidelines, the CAI encourages employers to go beyond the requirements under current legislation, including being transparent about when and why AI is being used. This is easier said than done though, Julie says.
"It can be challenging to distill, into simple, easy-to-understand language, the complicated and integrative process of collecting data, inputting it into an AI system, producing an output, and using that output in organizational decision-making process," Julie explains.
Another recommendation by the CAI is engaging employees in the process of identifying risks and assessing the impact of any new AI tool—which will also help increase transparency within the organization, Julie adds.
"As the CAI noted, it would be difficult for employees to understand the rights when they are insufficiently informed about how these systems will operate," she says.
"So, I think it's a good suggestion, and then the devil will be in the details as to how you integrate employees and how you get their input."
When assessing impact, the CAI suggests conducting an "algorithmic impact assessment" to evaluate a broader range of risk, beyond just privacy-related issues.
"An algorithmic impact assessment typically will include a series of steps, which include: what the AI system is, what it does, its intended uses and potential misuses, also what data is being used, and who are the stakeholders and potential impacts on," Julie explains.
While the CAI recommendations are a step in the right direction, Julie suggests that any organization wanting to enhance their AI mitigation and monitoring mechanisms look to the EU AI Act, which includes "adequate risk assessment, detailed documentation and activity logs, and appropriate human oversight."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
