top of page

Canada: Principles for the Development, Provision, and Use of Generative AI systems

In this article we provide you with brief overview of 9 principles for Development, Provision, and Use of Generative AI systems, which were published by OPC.



1. Legal Authority and Consent

Ensure you have legal authority for collecting and using personal information. When consent is required, it should be valid and meaningful.

  • Clearly document your legal authority for the collection, use, disclosure, and deletion of personal information throughout the AI system's lifecycle.

  • Ensure that consent for collecting, using, or disclosing personal information is specific and meaningful. Avoid using deceptive design patterns.

  • Verify that any personal information obtained from third parties was collected lawfully and can be legally disclosed.

  • Recognize that inferences about individuals from AI outputs count as personal information collection and require legal authority.

  • For sensitive contexts like healthcare, establish an independent review process that considers privacy and ethics.

2. Appropriate Purposes

The collection, use, and disclosure of personal information should only be for appropriate purposes.

  • Personal information should only be used for purposes deemed appropriate by a reasonable person.

  • Consider the legitimacy of how personal information is collected, used, and disclosed in relation to the AI system.

  •  Do not develop AI systems for profiling or any use that could lead to unfair, unethical, or discriminatory treatment.

  • Use testing methods like red team exercises to identify and mitigate inappropriate uses of the AI system.

  •  Implement technical measures and use policies to prevent inappropriate uses.

3. Guidelines for Developers and Users

  •  Use AI tools that comply with privacy laws and best practices.

  •  Do not prompt AI systems to re-identify de-identified data.

  •  Continuously monitor AI use and inform developers of any inappropriate uses or biases.

  •  Cease any activities that involve unlawful collection, use, or disclosure of personal information, or that lead to unfair or discriminatory treatment.

3. Necessity and Proportionality

Establish the necessity and proportionality of using generative AI and personal information within these systems to achieve intended purposes.

  • Prefer anonymized, synthetic, or de-identified data over personal information when possible.

  •  Ensure the AI system is necessary and proportionate, especially if it significantly impacts individuals or groups.

  • Look for more privacy-protective technologies that can achieve the same purpose.

  • Continuously evaluate the AI tool’s validity and reliability for its intended purpose.

4. Openness

Be open and transparent about the collection, use, and disclosure of personal information and the potential risks to individuals’ privacy.

  •  Clearly communicate what, how, when, and why personal information is collected, used, or disclosed throughout the AI system’s lifecycle.

  •  Ensure that all information about the AI system is understandable and readily available to the intended audience.

  • Inform users about the primary and any secondary purposes of the AI system, such as further training.

  •  Notify users of known or likely risks and how to mitigate them.

  • Maintain and publish detailed documentation about datasets used for training, including their sources and any modifications.

5. Accountability

Establish accountability for compliance with privacy legislation and principles, and make AI tools explainable.

  •  Ensure compliance with privacy legislation and demonstrate this compliance.

  •  Implement a clear internal governance structure for privacy compliance.

  • Conduct assessments like PIAs and AIAs to identify and mitigate potential privacy impacts.

  • Allow independent auditing to assess system validity, reliability, and compliance.

6. Individual Access

Facilitate individuals’ right to access their personal information by developing procedures that enable it to be meaningfully exercised.

  •  Ensure individuals can access and correct their information collected by the system.

  •  Maintain adequate records to fulfill access requests.

7. Limiting Collection, Use, and Disclosure

Limit the collection, use, and disclosure of personal information to only what is needed for the explicitly specified, appropriate identified purpose.

  •  Limit data collection to what is necessary and use anonymized or de-identified data where possible.

  •  Use personal information only for identified purposes and avoid indiscriminate collection.

  •  Establish and adhere to retention schedules for personal information.

8. Accuracy

Ensure personal information is as accurate, complete, and up-to-date as necessary for its intended use.

  •  Ensure training data is accurate and regularly updated.

  • Notify users of any accuracy limitations or known issues with the AI system’s outputs.

9. Safeguards

Establish safeguards to protect personal information and mitigate potential privacy risks.

  • Implement measures to safeguard personal information throughout the AI system’s lifecycle.

  • Stay aware of and mitigate threats such as prompt injection and model inversion attacks.

  •  Design products to prevent misuse and monitor for inappropriate uses.



15 views0 comments

Commentaires


bottom of page