New Framework for Canadian AI Governance: IPC–OHRC Principles

Introduction

On January 21, 2026, the Information and Privacy Commissioner of Ontario (“IPC”) and the Ontario Human Rights Commission (“OHRC”) jointly released six principles (the “IPC-OHRC Principles”) to guide organizations in the responsible use of artificial intelligence (“AI”). These principles are intended to steer organizations in implementing AI technologies in a manner that promotes innovation while upholding privacy protections and human rights obligations under Ontario law.

AI systems increasingly have the potential to enhance the lives of Ontarians across both the public and private sectors. At the same time, they introduce complex legal and ethical risks that require thoughtful oversight. In response to the rapid adoption of these technologies, Canadian and international regulators are developing governance frameworks to address the legal, ethical and operational risks associated with AI. Notably, on January 7, 2026, the Ontario government also issued a directive applicable to all provincial ministries and agencies on the responsible use of AI.

The IPC-OHRC Principles are designed to complement recent provincial, federal and international initiatives aimed at promoting safe, trustworthy and accountable AI governance. Taken together, these efforts reflect a growing recognition that AI requires oversight mechanisms comparable to those applied to other high-impact technologies. Set out below is an overview of the six principles and their implications for organizations deploying AI systems.

The IPC-OHRC Principles

The IPC-OHRC Principles establish a clear and practical framework for assessing risk, guiding system design and deployment, and ensuring compliance with Ontario’s privacy and human rights legislation. Adherence to the IPC-OHRC Principles can help organizations meaningfully reduce risk by mitigating potential harms, demonstrating a commitment to fairness and substantive equality, and fostering public trust in AI-assisted decision-making and automated systems. The six principles are interconnected and intended to apply with equal importance across an AI system’s lifecycle.

1. Validity and Reliability: AI systems must be demonstrably reliable and accurate prior to deployment. They should perform consistently in the environments in which they are intended to operate, such that their outputs can reasonably be relied upon as valid and accurate. Additionally, AI systems should be regularly assessed throughout their operational lifecycle to confirm that they continue to produce valid and accurate results.
2. Safety: AI systems must be developed, acquired, adopted and governed in a manner that prevents harm or unintended outcomes, including harms that infringe upon human rights, such as the rights to privacy and non-discrimination. This includes anticipating foreseeable misuse and establishing safeguards before deployment.
3. Privacy Protection: AI systems should be designed and implemented using a privacy-by-design approach. Developers, providers and users must take proactive measures to protect the privacy and security of personal information and support access to information rights from the outset of system development and use. This approach helps ensure compliance with both existing privacy legislation and evolving regulatory expectations around AI.
4. Human Rights – Affirming Design and Use: Human rights are inalienable and must be embedded into the design, deployment and governance of AI systems. Organizations using AI must take active steps to prevent and remedy discrimination and to ensure the benefits of AI are distributed equitably and without bias. This principle is closely aligned with substantive equality frameworks that require more than mere procedural fairness.
5. Transparency: Organizations that develop, provide or use AI systems must ensure that such systems and their outputs are transparent, understandable, traceable and explainable to affected individuals and oversight bodies. Transparent systems enable meaningful oversight and support public confidence in automated decision-making.
6. Accountability: Organizations must establish robust internal governance frameworks with clearly defined roles, responsibilities and oversight mechanisms. This includes maintaining a meaningful human-in-the-loop approach to ensure accountability throughout the entire lifecycle of an AI system. Accountability also requires monitoring system performance, documenting decisions and updating controls as risks evolve.

Key Takeaways and Practical Considerations

The IPC-OHRC Principles emphasize the continued importance of human oversight and regular validity assessments when deploying AI systems in both the public and private sectors. While AI presents significant opportunities to drive efficiency and innovation, these systems can introduce distinct risks due to their capacity to operate at scale and, in some cases, autonomously.

To support responsible, transparent and accountable AI use, organizations should adopt a consistent and informed approach to identifying and managing AI-related risks. Applying the IPC-OHRC Principles across all stages of an AI system’s lifecycle – from design and procurement to deployment and monitoring – can help organizations manage legal and operational exposure while realizing the benefits of AI technologies.

The IPC-OHRC Principles are broadly aligned with the nine principles guiding the use of generative AI released by the Office of the Privacy Commissioner of Canada (“OPC”) on December 7, 2023. This alignment reflects an emerging national consensus on the need for AI governance frameworks that ensure privacy, human rights and transparency. For more information on the OPC’s nine principles for generative AI, please see our article here.

The alignment of the IPC-OHRC’s six principles for the responsible use of AI with the OPC’s nine principles guiding the use of generative AI underscores a growing Canadian regulatory expectation that organizations develop and maintain AI governance frameworks that safeguard personal information and incorporate meaningful human oversight.

Although the IPC-OHRC Principles are not legally binding, inadequate governance, oversight or control of AI systems may give rise to legal, regulatory and reputational consequences. Organizations are, therefore, advised to review these principles alongside their existing privacy, human rights and risk management policies.

Canada has not yet enacted comprehensive legislation governing the use of AI, and it remains uncertain whether forthcoming federal initiatives will incorporate or harmonize with the IPC-OHRC’s approach. In the interim, organizations that proactively align with emerging principles will be better positioned to meet future compliance obligations and stakeholder expectations. The IPC-OHRC Principles provide a useful reference point for organizations seeking to adapt to evolving technologies while remaining compliant with applicable privacy and human rights obligations.

For more information about the legal implications of the use of generative AI or other AI technology, please contact Lisa R. Lifshitz, Roland Hung, and Laura Crimi of Torkin Manes’ Technology and Privacy & Data Management Groups.

The author would like to acknowledge Torkin Manes’ Articling Student Alex Mazzadi for his invaluable contribution in drafting this bulletin.