guide

AI in Canada AI in Canada

A legal guide to developing and using artificial intelligence
September 10, 2025 67 MIN READ
Download the PDF

Home Insights Reports AI in Canada

Contents

Contents

Public sector

Things to know

  • The use of AI by federal public sector entities is addressed by Treasury Board of Canada Secretariat (TBS) policies, directives and guidelines; particularly, the Directive on Automated Decision-Making and related materials. This directive applies to all automated decision systems developed or procured after April 1, 2020, and is intended to ensure that systems used by federal institutions to support or make administrative decisions, including systems that rely on AI, are transparent, accountable, and legally compliant, promoting fairness and reducing risks to Canadians.
  • The federal governmenthas also issued guidance that advises federal institutions on responsibly using and developing generative AI tools, emphasizing cautious use, risk assessments, and limiting usage to scenarios where risks can be effectively managed.
  • The provinces and territories are developing their own guidance use and procurement of AI. In Ontario, the Strengthening Cyber Security and Building Trust in the Public Sector Act enacted in November 2024, provides a legislative framework for governing the use of AI by public sector entities. Public sector entities may be required to publicly disclose specified information about their use of AI systems, develop and implement accountability frameworks applicable to such use, and take steps to manage related risk. The specific requirements governing the use of AI systems will be set out in future regulations.

Things to do

  • Review the Directive on Automated Decision-Making to assess if it applies to you and, if so, identify the applicable compliance requirements. By way of example, the requirements may include completing a prescribed Algorithmic Impact Assessment (AIA) and meeting transparency, quality assurance and procedural fairness rules.
  • When deciding whether to use generative AI tools:
    • identify and review any guidance or policies applicable to the use of AI within the public body or institution
    • consider experimenting with low-risk uses of generative AI, for example, editing a draft of a document that will undergo additional human review, before considering higher‑risk uses like deploying a tool for use by the public
    • ensure that employees can access and participate in training on the effective and responsible use of the tools
  • Before proposing to use generative AI tools:
    • assess and mitigate ethical, legal and other risks
    • determine whether a Privacy Impact Assessment is needed
    • consult with key stakeholders (including legal counsel and privacy office) before deploying generative AI tools for use by the public and before using such tools for service delivery purposes
    • implement risk management strategies to identify, assess and mitigate potential risks associated with AI systems
    • update external policies/notices to provide information to the public about the use of AI systems
    • review applicable privacy legislation and related policy instruments, which govern the handling of personal information by the public body, to identify requirements for when and how personal information is collected, created, used or disclosed using a generative AI system
    • avoid inputting personal information into publicly available online generative AI tools
    • be aware of integrity and security risks of using generative AI and consider the best practices recommended by the Canadian Centre for Cyber Security in their guidance Generative Artificial intelligence (AI) – ITSAP.00.041
    • tailor risk‑mitigation measures to each use
    • consider aligning use of AI with the Treasury Board Secretariat’s “FASTER” principles: Fair, Accountable, Secure, Transparent, Educated and Relevant.
    • review applicable directives or policies (e.g., for federal public bodies, the Directive on Service and Digital) to identify requirements with respect to documenting activities and decisions related to the use of AI tools. By way of example, you may be required to keep records of decisions to develop or deploy generative AI tools and steps taken to ensure that outputs produced by the tools are accurate
    • identify requirements in respect of the retention and disposal of documentation surrounding the use, development and deployment of generative AI systems under the control of a government institution

Useful resources

Next
RELATED EXPERTISE

SUBSCRIBE

Stay Informed

Subscribe to Osler Insights to stay informed on issues impacting your business

Subscribe

Osler is a leading business law firm practising internationally from offices across Canada and in New York. Our clients include industry and business leaders in all segments of the market and at various stages in the growth of their businesses. We have built our reputation on our commitment to our clients' success and the experience, expertise and collaborative approach for which we are recognized. We believe that our success is a reflection of our clients' success.