Canada: Office of the Information and Privacy Commissioner of Alberta released AI scribe privacy impact assessment guidance

On 3 September 2025, the Office of the Information and Privacy Commissioner of Alberta (OIPC) issued guidance titled Artificial Intelligence (AI) Scribe Privacy Impact Assessment Guidance. It sets out requirements under Section 64 of the Health Information Act (HIA) for custodians acquiring and implementing AI scribe tools in health care delivery. The guidance covers project descriptions, data flow diagrams, contractual obligations, the limitation principle under Section 58, the duty of accuracy under Section 61, security obligations under Section 60, breach reporting under Section 60.1, and patients’ rights of access and correction under Sections 7 and 13. Custodians are advised to structure vendor contracts so that the AI scribe vendor, acting as an affiliate or information manager under Section 66, collects, uses, discloses, retains, and destroys health information strictly in accordance with the HIA and its Regulation. Contracts must prohibit unauthorised uses such as AI training, require the secure destruction of information at termination, and mandate policies, procedures, and staff training pursuant to Section 63. Vendors are also expected to provide detailed technical information, including tool architecture, training data, hosting arrangements, integration with electronic medical records, accuracy and session controls, logging and retention capabilities, privacy and security governance, and employee training. This information enables the OIPC to evaluate compliance with the HIA.