Adapting Canada’s Privacy Act for Automated Decision-Making Systems

This summer the Treasury Board of Canada Secretariat (TBS) announced a public consultation to updating and modernizing Canada’ Privacy Act with the intention of preparing a report on possible legislative updates. The Privacy Act is federal legislation that sets out rules for how personal data is handled by more than 250 federal institutions.

Proposals of particular note were:

  • proposal #4 to create one centralized federal database of personal data holdings instead of each department maintaining its own personal information bank;

  • proposal #5 to amend the Privacy Act to provide individuals the right to notice that an automated decision-making system (ADS) was used in processing their data, the right to to an explanation of how the ADS was used in the decision, and the right to know what personal data was used by the ADS;

  • proposal #6 to amend the Privacy Act to require more detailed privacy notices when programs use personal data to make decisions that directly affect someone and where those decisions are made or supported by ADS.

On July 10, 2026, AIMICI submitted its recommendation to the TBS on how to adapt the Privacy Act account for the proliferation of ADMS use in federal administrative decision-making. AIMICI’s primary recommendations were:

  1. The creation of a centralized federal database of personal data holdings must include appropriate safeguards for individuals. Individuals must be able to control whether or not their data - originally submitted to access benefits and entitlements - is used to as training datasets for federal ADMS.

  2. The TBS’ Directive on Automated Decision-Making should be elevated into law as part II of the Privacy Act to codify the procedural fairness rights of individuals subject to ADMS usage by federal decision-makers. This is a pressing need when current immigration decisions do not disclose the names of the ADMS used during processing, nor what personal data was used by ADMS. The current Privacy Act does not provide a sufficient right of access as individual’s attempts to request this data is nearly always withheld under section 22(b).

A copy of all of AIMICI’s entire submission to the 2026 Privacy Act Review is available here.

Next
Next

AIMICI Presents at ACM FAccT