Australia’s Privacy Watchdog Publishes Guidance on AI Products

Australian businesses now have a list of best practices to refer to when using commercial AI products.

The Office of the Australian Information Commissioner (OAIC) published on October 21 guidance on the use of commercially available AI products.

The document explains in detail organizations’ obligations when using personal information in the context of off-the-shelf AI products, from chatbots to productivity tools and image generators.

The document outlines best practices encompassing several critical considerations in the deployment lifecycle of AI products. These include:

• Selecting an AI product
• Privacy by design principles when using an AI product
• Transparency requirements when using an AI product
• Data privacy and accuracy risks when using AI

Five Primary Privacy Recommendations When Using AI

The five main takeaways of this new document include:

1. Privacy requirements will apply to any personal information input into an AI system, as well as any personal information output data generated by AI
2. Businesses should update their privacy policies and notifications with clear and transparent information about their use of AI, including ensuring that any public-facing AI tools are clearly identified as such to external users such as customers
3. AI systems used to generate or infer personal information are considered to perform a collection of personal information – and must comply with Chapter 3 of the Australian Privacy Principles guidelines
4. Organizations should minimize personal and sensitive information inputs in public-facing AI tools
5. If personal information is being input into an AI system, Chapter 6 of the Australian Privacy Principles guidelines requires entities to only use or disclose the information for the primary purpose for which it was collected, unless they have consent or can establish the secondary use would be reasonably expected by the individual, and is related (or directly related, for sensitive information) to the primary purpose

Although this guidance applies to all types of AI systems involving personal information, it will be particularly useful for generative AI and general-purpose AI tools, as well as other uses of AI with a high risk of adverse impacts.

The document does not cover all privacy issues and obligations in relation to the use of AI, but should be considered together with Australia’s Privacy Act and Privacy Principles guidelines, adopted in 1988 and last updated in 2022.