Algorithmic Impact Assessment tool
On this page
1. Introduction
The Algorithmic Impact Assessment (AIA) is a mandatory risk assessment tool intended to support the Treasury Board’s Directive on Automated Decision-Making. The tool is a questionnaire that determines the impact level of an automated decision-system. It is composed of 51 risk and 34 mitigation questions. Assessment scores are based on many factors, including the system's design, algorithm, decision type, impact and data.
The AIA was developed based on best practices in consultation with both internal and external stakeholders. It was developed in the open and is available to the public for sharing and reuse under an open licence.
2. Using and scoring the assessment
This assessment is organized according to Government of Canada policy, ethical, and administrative law considerations applied to the context of automated decision-making. It draws on Treasury Board of Canada Secretariat’s consultations with public institutions, academia, and civil society. The AIA is designed to help departments and agencies better understand and manage the risks associated with automated decision systems. The AIA is composed of questions in various formats to assess the areas of risk defined in Table 1.
| Risk area | Description |
|---|---|
| 1. Project | |
Project phase |
Project owner, description and stage (design or implementation) |
Reasons for automation |
Reasons for introducing automation into the decision-making process |
Risk profile |
High-level risk indicators for the project (e.g., vulnerability of clients) |
Project authority |
Need to seek new policy authority for the project |
| 2. System | |
About the system |
Capabilities of the system (e.g., image recognition, risk assessment) |
| 3. Algorithm | |
About the algorithm |
Limitations on disclosure of the algorithm; ability to explain how it arrives at outputs |
| 4. Decision | |
About the decision |
Classification and description of the decision being automated (e.g., health services, social assistance, licensing) |
| 5. Impact | |
Impact assessment |
Type of automation (full or partial); duration and reversibility of the decision; and areas impacted (e.g., rights, privacy and autonomy, health, economic interests, the environment) |
| 6. Data | |
Source |
Provenance, method of collection, and security classification of data used by the system |
Type |
Nature of the data used as structured or unstructured (audio, text, image or video) |
The AIA also assesses the mitigation measures in place to manage the risks identified. These mitigation questions are organized into the categories defined in Table 2.
| Mitigation area | Description |
|---|---|
| 1. Consultation | |
Internal and external stakeholders |
Internal and external stakeholders consulted, including privacy and legal advisors; digital policy teams; and subject matter experts in other sectors |
| 2. De-risking and mitigation measures | |
Data quality |
Processes to ensure that data is representative and unbiased, as well as transparency measures related to those processes |
Procedural fairness |
Procedures to audit the system and its decisions, as well as the recourse process |
Privacy |
Measures to safeguard personal information used or generated by the system |
2.1 Scoring
Each area contains one or more questions, and the responses to the questions contribute to a maximum score for the area. The value of each question is weighted based on the level of risk it introduces or mitigates in the automation project. The raw impact score measures the risks of the automation, while the mitigation score measures how the risks of automation are managed. The questions in risk areas 1 to 6 increase the raw impact score, and the questions in mitigation areas 7 and 8 increase the mitigation score.
| Risk area | No. of questions | Maximum score |
|---|---|---|
| 1. Project | 16 |
27 |
| 2. System | 1 |
0 |
| 3. Algorithm | 2 |
6 |
| 4. Decision | 2 |
7 |
| 5. Impact | 20 |
42 |
| 6. Data | 10 |
44 |
| Raw impact score | 51 |
126 |
| Mitigation area | No. of questions | Maximum score |
|---|---|---|
| 7. Consultations | 2 |
2 |
| 8. De-risking and mitigation measures | 32 |
44 |
| Mitigation score | 34 |
46 |
The current score is determined as follows:
- If the mitigation score is less than 80% of the maximum attainable mitigation score, the current score is equal to the raw impact score
or - If the mitigation score is 80% or more than the maximum attainable mitigation score, 15% is deducted from the raw impact score to yield the current score
2.2 Impact levels
The impacts of automating an administrative decision are classified into 4 levels, ranging from Level I (little impact) to Level IV (very high impact). The AIA is intended to identify risks and assess impacts in a broad range of areas, including:
- the rights of individuals or communities
- the health or well-being of individuals or communities
- the economic interests of individuals, entities, or communities
- the ongoing sustainability of an ecosystem
Impact levels are distinguished based on criteria of reversibility and expected duration: automated decisions with little to no impact are reversible and brief, while those with a very high impact are irreversible and perpetual.
Each impact level corresponds to a score percentage range. The level of impact assigned to an automation project depends on the range bracket in which the project’s score percentage falls (Table 5). Impact levels determine the mitigations required under the Directive on Automated Decision-Making. Appendix C of the directive lists mitigation measures required for each of the 4 impact levels. The requirements are designed to be proportionate to the impact level. While the measures are intended to reduce the identified risks, their implementation does not alter the impact level assigned to a project. A project’s impact level can only be changed through the completion of a new AIA with updated information about the project. Under the directive (subsection 6.1.3), departments are required to update their AIAs following changes to system functionality or scope of use.
| Impact level | Definition | Score percentage range |
|---|---|---|
| Level I | Little to no impact |
0% to 25% |
| Level II | Moderate impact |
26% to 50% |
| Level III | High impact |
51% to 75% |
| Level IV | Very high impact |
76% to 100% |
3. Instructions
The AIA is available as an online questionnaire on the Open Government Portal. When the questionnaire is completed, the results provide an impact level and a link to the requirements under the directive. The detailed results page will also explain why the system was rated a certain level. The results and the explanation can be printed or saved as a PDF.
The AIA assesses automated decisions on a broad range of topics, including service recipients, business processes, data, and system design decisions. It is best to complete the AIA with a multi-disciplinary team that brings expertise in all of these areas.
Each question in the AIA must be answered. If the answer to a question is unknown, please select the lowest score option for the question. Where applicable, be prepared to provide the documentary evidence upon request.
Section 6 of the directive provides a comprehensive list of the requirements that departments are responsible for. Some of the requirements increase for higher impact levels, including the type of peer review and the extent of human involvement in the decisions. For a complete list of requirements which vary with the impact level, refer to the appendix Impact Level Requirements in the directive. Other requirements are baseline requirements that do not vary according to the impact level, such as consulting with the institution’s legal services prior to the development of the system, training employees and providing applicable recourse options to challenge the decisions.
3.1 When to complete the AIA
The AIA should be completed at the beginning of the design phase of a project. The results of the AIA will guide the mitigation and consultation requirements to be met during the implementation of the automated decision system as per the directive.
The AIA should be completed a second time, prior to the production of the system, to validate that the results accurately reflect the system that was built. The revised AIA should be released on the Open Government Portal as the final results.
3.2 What to consider when completing an AIA
Collect information about your project
A broad range of information about an automation project is required to fully answer the questions in the risk and mitigation areas of the AIA. Prior to starting the AIA, it is useful to have information about:
- the administrative decision that the automated decision system will inform or make, the context in which the system will be used, and the way the system will assist or replace the judgement of a human decision-maker
- the clients subject to the decision, including evidence of any vulnerability (for example, socioeconomic, demographic, geographic)
- the potential impacts of the decision on clients, including their duration and reversibility
- the algorithm, including data processing parameters and techniques, and the output
- the input data used by the system, including details on type, source, method of collection, and security classification
- planned or existing quality assurance measures
- planned transparency measures to communicate information about the initiative to clients and the public
- internal and external stakeholders to be consulted
- record of recommendations or decisions made by the system, and any log or explanation generated by the system for such a record
- institutional information technology service management (ITSM) practices
The information above will also be useful in consultations with the stakeholders described below. It can also support engagements with vendors and peer reviewers.
Consult your ATIP office
The institutional Access to Information and Privacy (ATIP) office or other delegated authority for privacy should be consulted to ensure that the privacy impacts of automated decision systems using or processing personal information, or that otherwise have an impact on individuals’ privacy rights, are identified, assessed, and mitigated. Engagements can enable project leads to:
- determine whether the automated decision system will make use of personal information as defined in section 3 of the Privacy Act
- verify whether the proposed system’s use of personal information is accounted for in relevant Privacy Impact Assessments (PIAs) and Personal Information Banks (PIBs), and identify actions and approvals required under privacy legislation and policy
- determine applicable requirements in the Policy on Privacy Protection and supporting policy instruments, with the goal of ensuring that the appropriate safeguards are in place for the creation, collection, and handling of personal information throughout the lifecycle of the system, including plans for responsive action in the event of a privacy breach
- inform approaches to notifying the Office of the Privacy Commissioner of Canada of the proposed system and any foreseeable impacts on the privacy of Canadians, as required in the Policy on Privacy Protection
- ensure any personal information collected or created by or for the automation project is demonstrably necessary for the program or activity, as required by the Directive on Privacy Practices
- ensure that appropriate privacy protection clauses are included in contracts, agreements or arrangements with vendors or partners providing automation services, solutions, or products
- ensure the AIA is reviewed by privacy officials prior to its publication on the Open Government Portal, in accordance with the Directive on Open Government
Engage with Legal Services
When completing an AIA, legal services must be consulted to identify and address legal risks arising from the development, procurement, or use of an automated decision system. Consultations should begin at the concept stage of an automation project, prior to the development or procurement of a system. The nature of legal risks significantly depends on the design of the system (for example, training data, model), the context of deployment, and the type of administrative decision being automated. Seeking legal advice on an automated decision system can enable project leads to:
- comply with the directive’s requirement to consult with legal services from the concept stage of a project (see subsection 6.3.8)
- identify potential impacts on individual rights and freedoms and develop plans to manage risks
- assess risks to procedural fairness based on factors including, but not limited to, the explainability of system outputs, relevance of system rules and input data to an administrative decision, and availability of recourse options (see subsections 6.2.3, 6.3.1, 6.3.2, and 6.4.1 of the directive)
- confirm whether the program has the requisite authorities to proceed with the proposed automation project, including any associated collection or creation of personal information (in coordination with the relevant ATIP office or other delegated authority for privacy).
- Consider licensing issues, including with respect to trade secrets, and any constraints they may impose on a department’s ability to access and test proprietary systems (see subsection 6.2.5 of the directive)
Contact TBS OCIO
The Office of the Chief Information Officer (OCIO) at the Treasury Board of Canada Secretariat (TBS) is responsible for maintaining the AIA tool and overseeing departmental compliance with the Directive on Automated Decision-Making. The team can support departments with interpreting and answering questions in the AIA, and guide them through the publication process.
Departments are encouraged to contact TBS OCIO at ai-ia@tbs-sct.gc.ca for any questions regarding the directive or AIA.
3.3 Releasing the results
Departments are responsible for releasing the final results of the AIA in an accessible format and in both official languages on the Open Government Portal. The results page of the AIA provides the option to provide translations for the text entered in the AIA. The results page also provides the option to download the results as an accessible PDF to meet this requirement.
Page details
- Date modified: