Guidance on privacy and the use of commercially available AI products
This guidance explores the privacy implications of organisations using commercially available AI products, focusing on the Privacy Act 1988 and the Australian Privacy Principles (APPs). Overall, it is recommended that organisations do not enter personal information into publicly available generative AI tools due to the significant and complex privacy risks involved.
This guidance is targeted at organisations that are deploying AI systems that were built with, collect, store, use or disclose personal information. This guidance is intended to assist organisations to comply with their privacy obligations when using commercially available AI products, and to assist with selection of an appropriate product. It also addresses the use of AI products which are freely available and is particularly relevant for generative AI and general-purpose AI tools due to their potential for significant adverse impacts.
Key takeaways
- Privacy obligations will apply to any personal information input into an AI system, as well as the output data generated by AI (where it contains personal information). Organisations should conduct due diligence to ensure the product is suitable for its intended uses.
- Businesses should update their privacy policies and notifications with clear and transparent information about their use of AI, including ensuring that any public-facing AI tools (such as chatbots) are clearly identified as such to external users such as customers.
- If AI systems are used to generate or infer personal information, including images, this is a collection of personal information and must comply with APP 3.
- If personal information is being input into an AI system, APP 6 requires entities to only use or disclose the information for the primary purpose for which it was collected.
- As a matter of best practice, the OAIC recommends that organisations do not enter personal information, and particularly sensitive information, into publicly available generative AI tools, due to the significant and complex privacy risks involved.