Answer — AI Governance
What are a municipality’s obligations when using AI?
A municipality using AI remains subject to Law 25 in full: governance policies, a designated person in charge, privacy impact assessments for projects touching personal information, transparency for fully automated decisions (s. 65.2) — and the ability to demonstrate all of it with records kept as things happen.
Where do these obligations come from?
From Law 25 — not from an “AI directive.” Québec’s generative-AI framework covers provincial bodies and the health and education networks; municipalities are excluded from it. What applies to a municipality, an MRC, or a régie is the personal-information regime, in force for the most part since September 2023, overseen by the Commission d’accès à l’information.
Which obligations does AI use trigger?
Law 25 does not name “ChatGPT”; it governs what tools do. Four families of obligations attach directly to AI:
- Governance. Published policies and practices for personal information, and a designated person in charge of protecting it — the person AI usage puts under pressure.
- Prior assessment. A privacy impact assessment (ÉFVP) for any project acquiring, developing, or overhauling a system that touches personal information — most AI projects qualify — with particular care for data leaving Québec.
- Automated-decision transparency. When a decision is based exclusively on automated processing, s. 65.2 requires informing the person, explaining the principal factors on request, and receiving their observations.
- Incidents. A confidentiality-incident register and, above a severity threshold, notification — which presupposes knowing which tools touch which information.
What must you be able to show, when asked?
Each obligation carries a proof question. Knowing a policy exists is not enough; you must be able to show which AI tools are actually in use — including the ones a vendor switched on — what they touch, and how gaps were addressed. That is demonstrable reasonable diligence: contemporaneous records, not documents assembled the night before a review.
Agentica keeps that record continuously: every AI agent in your business environment, mapped and recorded in a tamper-proof history — read-only, metadata and signals only — from which the reports for the council, the auditor, or the Commission are generated.