Directive on Automated Decision-Making
VERSION DRAFT IN DEVELOPMENT - v.1.0
Version
Date
Updates
0.4
May 4, 2018
● New title! May the fourth be with you
● Advisory Board removed in lieu of a new peer review section
● Requirement to issue open code included
0.4.1
May 15, 2018
● Definitions added
● Scope statement has been narrowed and removed from
requirements into its own section
● Coming into force clause rolled into effective date
0.5
June 6, 2018
● New appendices for scaling requirements to level of impact
● Refined scope statement
● Legal authority section amended
● Amended contracting language, including IP clause better
conforming to the Policy on Title to Intellectual Property Arising
Under Crown Procurement Contracts
● Automated Decision System now being used as the core term
0.5.1
June 15, 2018
● More precision to scope statement
● Explainability statements for level III and IV shifted to “variables”
from “all variables” as many decisions will be guided by
respective case law
1.0
August 2, 2018
● Elevated to a directive
● Consequence section updated
● Version sent for translation
● Added new scaling requirements for Notice and Contingency
Planning, reducing burden on low impact projects
● Ensured coherence with new template for Treasury Board
Directives
○ Application moved to the end;
○ Context section removed and replaced with
Authorities. Some former context section content
moved to introduction.
1
Introduction
The Government of Canada is increasingly looking to utilise technology and automated systems
to make, or assist in making, administrative decisions to improve service delivery. It is
committed to doing so in a manner that is compatible with core administrative law principles
such as transparency, accountability, legality and procedural fairness.
1. Effective Date
1.1. This Directive takes effect on ((Approval +12 months))
1.2. All Automated Decision Systems that were in production prior to the coming into
force of this Directive, must complete an Algorithmic Impact Assessment within
three months, and comply with all applicable provisions of this Directive within a
timely manner.
2. Authorities
2.1. This Directive is issued under the authority of section 7 of the Financial
Administration Act, and under section 8.1.1 of the Policy on the Management of
Information Technology;
2.2. This Directive supports the Policy on Information Management, the Policy on
Service, the Policy on Privacy Protection, and the Policy on Government Security.
3. Definitions
3.1. Definitions to be used in the interpretation of this Directive are listed in Appendix
A.
4. Objectives and Expected Results
4.1. The objective of this Directive is to ensure that Automated Decision Systems are
deployed in a manner that minimizes risks to Canadians and federal institutions,
and leads to more efficient, accurate, consistent, and interpretable decisions
made pursuant to Canadian law and core principles of administrative law.
4.2. The expected results of this Directive are as follows:
2
4.2.1. Administrative decisions using Automated Decision Systems are more
transparent and accountable;
4.2.2. An increase in the use of automated systems to make, or assist in
making, administrative decisions.
5. Scope
5.1. This Directive applies only to Automated Decision Systems that recommend or
render, in whole or in part, administrative decisions. This includes systems that:
5.1.1. Classify cases in terms of risk and priority;
5.1.2. Identify cases for human review or investigation;
5.1.3. Provide recommendations about whether an application should be
approved;
5.1.4. Render the complete administrative decision.
5.2. This Directive applies only to systems that provide external services as defined in
the Policy on Service.
6. Requirements
The institution’s Chief Information Officer, as well as the Assistant Deputy Minister, Chief Data
Officer, or equivalent are responsible for the following activities described in this section:
6.1. Algorithmic Impact Assessment
6.1.1. Complete an Algorithmic Impact Assessment, prior to the production of
any Automated Decision System.
6.1.2. Apply the relevant requirements prescribed in Appendix C as determined
by the Algorithmic Impact Assessment.
6.1.3. Ensure that the Algorithmic Impact Assessment remains up to date and
accurately reflects the functionality of the Automated Decision System.
6.1.4. Release the final results of Algorithmic Impact Assessments in an
accessible format via Government of Canada websites and services
3
designated by the Treasury Board of Canada Secretariat pursuant to the
Directive on Open Government.
6.2. Transparency
Providing Notice Before Decisions
6.2.1. Notify affected individuals that the decision rendered will be undertaken
in whole or in part by a Automated Decision System as prescribed in
Appendix C.
Providing Explanations After Decisions
6.2.2. Provide a meaningful explanation to affected individuals of how and why
the decision was made as prescribed in Appendix C.
Source Code
6.2.3. Make available to the public all of the source code used for the
Automated Decision Systems on the Open Resource Exchange.
6.2.4. In cases where it is deemed that source code should not be disclosed,
seek the approval of the Enterprise Architecture Review Board to exempt
the disclosure. In these cases, the justification as to why code was not
disclosed shall be published according to the process specified in the
Directive on Open Government.
6.2.5. Source code for systems that are classified SECRET or TOP SECRET are
exempt from section 6.2.3.
Licensing
6.2.6. Ensure that all licenses required for the Automated Decision Systems are
open licenses as listed in the Open Source Software Registry.
6.2.7. Ensure that Canada maintains the right to have access to foreground
intellectual property to respond to any legal challenges.
6.3. Quality Assurance
Testing and Monitoring Outcomes
4
6.3.1. Before going into production, develop the appropriate processes to
ensure that training data is tested for unintended data biases and other
factors that may unfairly impact the outcomes.
6.3.2. Monitor the outcomes of Automated Decision Systems on an ongoing
basis to safeguard against unintentional outcomes and to ensure
compliance with institutional and program legislation, as well as this
Directive.
Data Quality
6.3.3. Ensure that data being used by the Automated Decision System is
routinely tested to ensure that it is still relevant, accurate and up-to-date
and follow any applicable policy or guidelines with regards to data
management practices in accordance with the Policy on Information
Management.
Peer Review
6.3.4. Retain the appropriate expert to review the Automated Decision System,
as prescribed in Appendix C based on the Impact Assessment Level.
Employee Training
6.3.5. Ensure that the relevant employees are sufficiently trained in the design,
function, and implementation of the Automated Decision System to be
able to review, explain and oversee automated decision-making, as
prescribed in Appendix C.
Contingency
6.3.6. Subject to requirements prescribed Appendix C, ensure that a
contingency systems and/or processes are available should the
Automated Decision System be unavailable for an extended period of
time.
Security
6.3.7. Conduct risk assessments throughout the development of the system
and ensure appropriate safeguards to be applied, as per the Policy on
Government Security.
Legal
5
6.3.8. Consult with the institution’s legal services unit, to ensure that the use of
the Automated Decision System System is compliant with applicable
legal requirements.
6.4. Recourse
6.4.1. Provide affected individuals with information regarding options that are
available to them for recourse to challenge the automated decision or
recommendation.
6.5. Reporting
6.5.1. Publish information on the effectiveness and efficiency of Automated
Decision Systems annually on a website or service designated by the
Treasury Board of Canada.
6.5.2. When requested, provide information on the achievement of the expected
results of the Automated Decision System and compliance with this
Directive to the Treasury Board of Canada Secretariat.
7. Consequences
7.1. Consequences of non-compliance with this policy can include any measure
allowed by the Financial Administration Act that the Treasury Board would
determine as appropriate and acceptable in the circumstances.
7.2. For an outline of the consequences of non‑compliance, refer to the Framework
for the Management of Compliance, Appendix C: Consequences for Institutions
and Appendix D: Consequences for Individuals.
8. Roles and Responsibilities of Treasury Board of Canada Secretariat
Subject to the necessary delegations, the Chief Technology Officer for the Government of
Canada is responsible for:
8.1. Providing government-wide guidance on the use of Automated Decision
Systems.
8.2. Developing and maintaining the Algorithmic Impact Assessment and any
supporting documentation.
6
8.3. Communicating and engaging government-wide and with partners in other
jurisdictions and sectors to develop common strategies, approaches, and
processes to support the responsible use of Automated Decision Systems.
8.4. Reviewing this Directive every three years after its effective date.
9. Application
9.1. This Directive applies to all institutions referenced in the Policy on the
Management of Information Technology, unless excluded by specific acts,
regulations or orders-in-council;
9.2. Agencies and Crown Corporations may enter into Specific Agreements with the
Treasury Board of Canada Secretariat to adopt the requirements of this Directive
and apply them to their organization, as required.
10. References
10.1. Financial Administration Act
Access to Information Act
Privacy Act
Security of Information Act
10.2. Policy on Access to Information
Policy on Service
Policy on Government Security
Policy on Information Management
Policy on Management of Information Technology
Policy on Privacy Protection
Directive on Open Government
11. Enquiries
For information on this policy instrument, please contact the Treasury Board of Canada
Secretariat Public Enquiries.
7
Appendix A - Definitions
Automated Decision System
An Automated Decision System includes any information technology designed to provide a
specific recommendation to a human decision-maker on an administrative decision, and/or
designed to make an administrative decision in lieu of a human decision maker.
Administrative Decision
Any decision that is made by an authorized official of an institution as identified in section 2
pursuant to powers conferred by an Act of Parliament or an order made pursuant to a
prerogative of the Crown that affects an individual’s legal rights, privileges or interests.
Algorithmic Impact Assessment
A framework to help institutions better understand and mitigate the risks associated with
Automated Decision Systems and to provide the appropriate governance, oversight and
reporting/audit requirements that best match the type of application being designed.
Source Code
Computer program in its original programming language, human readable, before translation
into object code usually by a compiler or an interpreter. It consists of algorithms, computer
instructions and may include developer's comments.
8
Appendix B - Impact Assessment Levels
Level
Description
I
The decision has a little to no impact on the rights or interests of an
individual, entity or Government organization.
Erroneous decision could reasonably be expected to cause nil to
minimal harm.
II
The decision has a moderate impact on the rights or interests of an
individual, entity or Government organization.
Compromise could reasonably be expected to cause minimal to
moderate harm.
III
The decision has a high impact on the rights or interests of an
individual, entity or Government organization.
Compromise could reasonably be expected to cause moderate to
serious harm.
IV
The decision has a very high impact on the rights or interests of an
individual, entity or Government organization.
Compromise could reasonably be expected to cause serious to
catastrophic harm.
9
Appendix C - Impact Level Requirements
Requirement
Level I
Level II
Level III
Level IV
Peer Review
None
At least one of:
Qualified expert from a federal,
provincial, territorial or municipal
government institution
Qualified members of faculty of a
post-secondary institution
Qualified researchers from a relevant
non- governmental organization
Contracted third-party vendor with a
related specialization
Publishing specifications of the
Automated Decision System in a
peer-reviewed journal
At least two of:
Qualified experts
from the National
Research Council
of Canada or
Statistics Canada
Qualified
members of
faculty of a
post-secondary
institution
Qualified
researchers from
a relevant non-
governmental
organization
Contracted
third-party vendor
with a related
specialization
OR:
Publishing
specifications of
the Automated
Decision System
in a
peer-reviewed
journal
Notice
None
Plain language
notification
posted on the
program or
service website.
Plain language notification posted on
the program or service website.
If the service involves an online
application, the notice must be made
at the time of application.
10
Website must link to additional
information where information about
the system is provided, including:
● The role that the Automated
Decision System has within the
decision process,
● A description of the training data,
or a link to the anonymized
training data if this data is
publicly available, and
● A description of the criteria used
for making the decision, including
relevant business rules.
Explanation
Requirement
for
Recommenda
tion (5.1.1
and 5.1.2)
None
Meaningful
explanation
provided upon
request based on
machine or
human review.
Meaningful
explanation,
including the
variables used in
the decision,
provided with the
decision
rendered.
Explanation can
be human or
machine
generated.
Explanation
Requirement
for Decisions
(5.1.3 and
5.1.4)
An explanation
provided upon
request based on
machine or
human review.
This could
include a
Frequently Asked
Questions
section of a
website.
Meaningful
explanation
provided upon
request based on
machine or
human review.
Meaningful explanation, including the
variables used in the decision,
provided with the decision rendered.
Explanation can be human or
machine generated.
Testing
Before going into production, develop the appropriate processes to ensure
that training data is tested for unintended data biases and other factors that
may unfairly impact the outcomes.
Ensure that data being used by the Automated Decision System is routinely
tested to ensure that it is still relevant, accurate and up-to-date.
11
Monitoring
Monitor the outcomes of Automated Decision Systems on an ongoing basis
to safeguard against unintentional outcomes and to ensure compliance with
institutional and program legislation, as well as this Standar
Training
None
Documentation
on the design and
functionality of
the system
Documentation
on the design and
functionality of
the system of the
system.
Training courses
must be
completed.
● Documentatio
n on the
design and
functionality of
the system.
● Reoccurring
training
courses.
● A means to
verify that
training has
been
completed.
Contingency
Planning
None
Ensure that a contingency plans
and/or backup systems are available
should the Automated Decision
System be unavailable.
Approval
Requirement
None
Government of Canada Enterprise
Architecture Review Board
Government of
Canada
Enterprise
Architecture
Review Board
Requires specific
authority from
Treasury Board
12
