23 April 2025

Employer Due Diligence Required for Employee Use of Generative AI at Work

McLennan Ross LLP

Contributor

McLennan Ross LLP is a well-established law firm committed to serving the legal needs of Albertans and Northerners for over a century. McLennan Ross is a full-service law firm with over 100 lawyers located in Calgary, Edmonton and Yellowknife.

In November 2024, KPMG issued the results of its Generative AI Adoption Index survey, which revealed that nearly half (46%) of Canadian employees are using generative artificial intelligence (AI) in their jobs.

The employees surveyed revealed that:

  • 24% have entered proprietary employer data such as human resources, health and safety or supply chain information into public generative AI platforms (up from 16% in 2023)
  • 19% have entered private financial data about their employer (up from 12%)
  • 37% are unaware of employer controls over their generative AI usage for work purposes

While employee usage of generative AI large language models such as ChatGPT, Gemini and Claude.ai for work purposes is convenient, employers and employees are cautioned that generative AI usage may create ethical, legal and financial exposure for employers including:

  • failing to protect confidential, personal, personnel and proprietary information of the employer, employee or third party
  • exposing the employer to potential discrimination claims when workplace decisions are made solely on the basis of generative AI usage in areas such as recruitment and hiring
  • creating risk to the employer for copyright infringement
  • creating a situation where the employer relies on false content produced by AI-generated hallucinations

As highlighted by Alberta's Office of the Information and Privacy Commissioner (OIPC), Alberta currently has no specific laws regulating AI usage. However, Alberta's privacy laws apply to AI system usage, including the processing of personal and health-related information.

McLennan Ross' January 9, 2025 email alert provides commentary on the proposed legislation to repeal the Freedom of Information and Protection of Privacy Act, which received royal assent on December 5, 2024 (to come into force upon proclamation).

Bill 33: The Protection of Privacy Act (Act) includes the following new AI-related rules:

  • when a public body intends to use personal information in an automated system to generate content or make decisions, recommendations or predictions,
    • that intention must be disclosed;
    • it must make every reasonable effort to ensure the information is accurate and complete, and retain the information for at least one year;
  • the public body head must protect personal information in their custody or control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or destruction;
  • individuals must be notified about a privacy breach where there is a real risk of significant harm to an individual as a result of the loss, unauthorized access or unauthorized disclosure;
  • a public body,
    • may only carry out data matching to create data derived from personal information in the circumstances set out in the Act;
    • is prohibited from selling personal information in any circumstance or for any purpose, including for marketing or advertising purposes.

OIPC due diligence-related guidance for employers includes an examination of the following questions:

  • What purpose does the employer seek to achieve through the AI system?
    • Are work processes better done by AI, by a human or by a combination of both?
    • What is the balance of costs, risks and benefits? Does the employer have a clear idea of the risks associated with the AI system?
    • What is the impact of the AI usage for the employer, employees and clients/third parties?
  • Does the data used by the AI system include personal or health information?
  • What guarantees, policies and contractual obligations does the AI system have when employees use generative AI?
  • If personal/health information is used by the AI system, is it processed outside of Alberta or Canada?
  • How is the personal/health information secured when an employee uses generative AI?
    • Where is personal/health information stored? Is it stored in a cloud-based service?
    • Is the personal/health information encrypted in transit and in storage using industry standard algorithms? Are the encryption keys securely managed and by whom?
  • Will the personal/health information be used to train the AI system used by employees?

As further background information, employers may also wish to consult the following resources:

  1. The Provincial, Territorial and Federal Information and Privacy Commissioners' document, Principles for responsible, trustworthy and privacy-protective generative AI technologies
  2. Canada's Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems
  3. The OIPC's key recommendations for its privacy-related legislative changes in the privacy sector

It is critical that employers implement a sound AI Workplace Usage policy.

To mitigate the risks associated with employee generative AI use in the workplace, ChatGPT suggests employers take the following steps:

  1. Develop and implement an AI Usage Policy
  2. Ensure compliance with privacy and intellectual property laws
  3. Provide employee training and awareness programs
  4. Implement human oversight and accountability measures
  5. Monitor and regularly update your AI Usage Policy

We agree but add that employers and employees should:

  • always read the Privacy Policy of the AI system on which they work. You may be surprised at what you find.
  • always be aware that generative AI hallucinates (outputs false information) and thus cannot be relied upon as factual; human review is always required
  • inform themselves of the risks associated with the use of DeepSeek technology. DeepSeek's Privacy Policy is here.

Courts and law societies have developed sound AI usage guidelines which employers may also find helpful by analogy:

  1. Alberta Courts: Notice to the Profession & Public - Ensuring the integrity of court submissions when using Large Language Models
  2. Supreme Court of Canada: Guidelines for the Use of Artificial Intelligence in Canadian Courts
  3. Law Society of Alberta: The Generative AI Playbook, How Lawyers Can Safely Take Advantage of the Opportunities Offered by Generative AI

Finally, the B.C. Securities Commission's recent campaign on AI-based investment scams, in the form of this edgy musical video (https://avoidaiscams.investright.org/ - click on video), is blunt but effective on the dangers of deepfakes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
