Navigating AI in the Workplace: Policy-Drafting for the Inevitable
The last twelve months will almost certainly mark the point at which Artificial Intelligence (AI) has truly captured the attention of the public in nearly every workplace sector. However, like all new technologies, AI technologies offer both benefits and presents potential risks.
By now, most professionals working in Human Resources have been cautioned about the potential risks posed by using AI in the workplace without appropriate planning. They understand the intellectual property pitfalls, privacy considerations and employment and labour issues that might arise.
Human Resources professionals are also increasingly becoming aware of the potential benefits AI offers to employers, including with respect to creativity, efficiency and data analysis. With the fear of falling behind, both technologically and from a productivity standpoint, there may be some reluctance to prohibit AI use in the workplace.
Planning First Steps
Developing an AI policy is an important and necessary first step to preparing for the introduction and use of AI in the workplace.
An AI policy is not only helpful as a training and educational tool to ensure that employees understand basic expectations and avoid liability pitfalls, but it can also be used to manage privacy and human resources risk and liability by ensuring that employment expectations are clear, open and transparent.
The first step to developing an AI policy is to consider how the policy might fit into the framework of other existing policies, for example, a company’s privacy policy, technology-use policy, or bullying and harassment policy. Employers may find it necessary to not only create new policy language, but to update existing policies to reflect how AI will be regulated in the workplace.
Employers operating in a unionized work environment should also consider their collective agreement language to ensure there are no express or implied restrictions with respect to the use of AI, including by closely reviewing the “technological change” clauses if applicable.
Marshalling Expertise
Another helpful step in the planning process is to enlist the help of the employer’s Human Resources and information technology and privacy professionals. The workplace use of AI not only has employment implications, but also has significant implications for both privacy compliance and information technology and data security planning.
IT professionals can provide an indispensable source of knowledge when seeking to understand and clearly describe the technical aspects of how AI is used and may be used by the employer. Additionally, privacy professionals should be consulted about how best to ensure that the use of AI to process personal information is transparent and reasonable and compliant with Canadian privacy laws.
A comprehensive team including human resources, privacy and information technology expertise can offer necessary insight with respect to what AI applications are currently in use, what plans are in place to engage new AI applications, what employee personal information will be processed by AI applications and whether reasonable security measures are in place for any data processed by AI.
Identification, Assessment and Evaluation
At an early stage, employers should also consider conducting a workplace audit to determine if AI is already being used at work and to what extent. Even when AI tools have not been formally introduced in the workplace, some employers may find that their employees are already using AI tools to generate work product, which may give rise to privacy, intellectual property and other significant legal risks. It is important that employers identify ongoing AI usage, assess attendant risks and set appropriate workplace expectations.
Moving forward, employers also need to establish clear processes for vetting new AI tools before they are introduced in the workplace to ensure that attendant risks are identified and mitigated. Otherwise, employers may find that their sensitive confidential, proprietary and personal information is at risk.
Developing Standards and Policies
When it comes to the setting of workplace standards, expectations and policies, all of the following issues should be considered and communicated to employees:
- Purpose and Scope – Policies and standards should set out the purpose and goals of the policy and be clear about where it applies. In addition to risk issues, employers may also wish to highlight some of the benefits of AI tools and applications when used safely and appropriately.
- Types of AI Tools Permitted – Employers should be clear and specific about: what AI tools and applications can and cannot be used by employees, including limitations (if any) and the specific purposes for which AI tools can be used; the definitions of AI and specific types of AI such as Generative AI; and procedures for requesting approval of new AI tools that are not already included in the policy. A schedule to the policy can be used to list the names of prohibited AI applications and permitted AI applications that have already been approved and vetted by the employer.
- Data Privacy and Security Protocols – Employers should impose clear limits on how employees seek approval for the use of AI tools, particularly where privacy, intellectual property or confidential business information may be used in connection with AI tools. Policies should include clearly defined processes to seek and obtain explicit permission before sensitive company data is used in connection with AI tools. Employers should also ensure that policies provide for careful vetting to ensure that providers offering AI tools are not using sensitive company data for unauthorized purposes.
- Notice – Policies should provide employees with clear notice if AI will be used to process employee personal information, for what purpose, and what specific personal information will be processed by AI technology.
- Outline the Risks of AI – Policies should clearly explain the risks posed by AI, and include a warning that inputting confidential, proprietary, personal or otherwise sensitive personal information into an AI tool could result in disclosure of such information to third parties which could place the organization in breach of privacy, contractual and other legal requirements.
- Other Applicable Polices – Remind employees to comply with all contractual obligations and company policies that could apply to the use of AI including confidentiality, non-disclosure, technology use, privacy, bullying and harassment and DEI.
- Obligation to Report Violations – Policies should also impose a requirement on employees to report any actual or suspected privacy breaches or violations of the AI policy and be clear that there may be disciplinary consequences (up to and including termination of employment) for breaches of the policy.
- Self-Disclosure – Employers may wish to consider requiring employees to self-disclose where AI has been used in producing work product.
- Review and Amendment – Policies should expressly state that the policy will be reviewed annually and that the policy may be updated from time to time to reflect changes in the legal/regulatory/risk landscape.
- Contact Information of Privacy Officer – The employer should include the contact information of the company’s privacy officer who can respond to questions and concerns.
Training, Implementation and Enforcement
Once an AI policy is drafted, it is important to:
- train employees on expectations in the use of AI tools;
- explain risks and potential liabilities and consequences of non-compliance;
- establish clear processes for vetting and approving AI tools; and
- implement mechanisms to monitor and enforce compliance with policies and standards.
Training and the roll-out of the AI policy should be well-documented, including through the use of email read receipts, signatures and taking attendance at live training sessions.
Final Thoughts
We are still in the early stages of understanding how the use of AI in the workplace may impact employers and other organizations and the associated risks and liabilities. The law and legal principles in this area are evolving. Going forward, employers seeking to use or to permit the use of AI in the workplace should engage in careful planning and may wish to seek further advice from legal or other human resources advisors.
Bios
Michela Fiorido is a partner at Harris & Company LLP and practices largely in the areas of access and privacy law where she represents clients in proceedings before provincial and federal privacy commissioners and provides strategic advice with respect to the handling of access to information requests; third-party service contracts; the implementation of various technology in the workplace; and the collection, use and disclosure of personal information. Additionally, she provides virtual and in-person workshops to organizations regarding privacy awareness, privacy officer training, and with respect to more specific topics like employee monitoring and diversity data collection. She can be reached at mfiorido@harrisco.com.
Suzanne Kennedy is a partner at Harris & Company LLP where she has built a strong practice in access and privacy law. She advises both public and private sector employers on their responsibilities as they navigate the implications of the Freedom of Information and Protection of Privacy Act (FIPPA), the Personal Information Protection Act (PIPA), the Personal Information Protection and Electronic Documents Act (PIPEDA) and other related legislation. Suzanne regularly provides one-on-one training to in-house privacy and access coordinators on responding to access requests, conducting internal investigations and privacy audits, and the use of internal system information. She can be reached at skennedy@harrisco.com.
Both Michela and Suzanne will be speaking at the HR Conference & Expo, April 30-May 1, 2024.
For the latest HR and business articles, check out our main page.
Reader Feedback
We want to hear from you!
Do you have a story idea you’d like to see covered by PeopleTalk?
Or maybe you’ve got a question we could ask our members in our People & Perspectives section?
Or maybe you just want to tell us how much you liked the article.
The door is always open.