Regulation

Canada Directive on Automated Decision-Making

Canada's Directive on Automated Decision-Making, issued by the Treasury Board of Canada Secretariat and effective from April 2019, was the first mandatory government regulation in the world requiring systematic assessment and accountability for automated decision systems used by federal departments and agencies. Updated multiple times since, it requires all federal entities using automated decision systems to complete an Algorithmic Impact Assessment (AIA), implement safeguards proportionate to the potential impact of the system and provide meaningful transparency and recourse to affected individuals.

The AIA is a structured risk classification tool that evaluates automated systems across multiple dimensions—impacts on rights and freedoms, affected population characteristics, decision reversibility and existing governance controls—and assigns one of four impact levels, each with corresponding mandatory requirements around human oversight, explanation, audit trails and redress. The higher the impact level, the more extensive the safeguards required.

The AIA tool is open-source, freely available and has been adopted or adapted by numerous organisations worldwide beyond the Canadian federal government. It provides a practical, structured approach to AI risk assessment that is more operationally useful than many principle-based frameworks.

Our take on this

Canada got here first and they got it right. The Directive on Automated Decision-Making demonstrates what accountable AI governance actually looks like when you move from principles to requirements. The Algorithmic Impact Assessment is a genuinely useful tool—not because it's Canadian, but because it asks the right questions in the right order. What decision is being automated? Who is affected? What are the consequences of errors? What oversight exists? The answers determine the controls required. It's logic, not bureaucracy.

For Australian organisations, the interest in this framework is partly model-watching—understanding what a mandatory regime looks like before Australia introduces one—and partly practical, since the AIA tool itself can be adapted for private sector use regardless of any regulatory obligation.

Why this matters for Australian organisations

Australia's regulatory approach to automated decision-making is evolving. The Privacy Act reforms include provisions around automated decision-making and profiling. ASIC, APRA and the ACCC are all examining how AI is being used in their regulated sectors. The Australian Human Rights Commission has published extensively on the human rights implications of automated decision-making. All of this points toward increasing mandatory requirements for organisations that use automated systems to make or substantially influence decisions affecting people.

The Canadian model shows what a proportionate, risk-based mandatory regime looks like: straightforward for low-risk applications and appropriately rigorous for high-impact ones. Australian regulators reference the Directive in domestic policy discussions as a model for what 'good' looks like. Organisations that understand and can adapt to this kind of framework will be better prepared for domestic regulatory requirements as they develop.

For government technology vendors, the Directive is directly relevant for Canadian clients and indirectly relevant as a signal of where government procurement requirements globally are heading. Being able to demonstrate compliance with AIA-style assessment processes is increasingly a competitive advantage.

Practical steps for adoption

  • Use Canada's open-source AIA tool as a starting framework for your own AI risk assessments—it's a well-designed questionnaire that surfaces important governance questions regardless of any obligation to use it.
  • Apply AIA-style impact categorisation to your existing AI systems: classify each by impact level and audit whether your current controls are proportionate.
  • Review your automated decision-making practices against the Directive's human oversight requirements—ensure humans can meaningfully intervene in high-impact decisions.
  • If you're selling AI solutions to government (Australian or Canadian), proactively address AIA-style questions in your procurement documentation—expect these requirements to formalise.

Ready to transform your AI strategy?

Partner with Australia's AI strategy and governance specialists. From adoption roadmaps to ISO 42001 audit readiness.