The OAIC has published 2 new privacy guides on artificial intelligence (AI) for organisations:
- Guidance on privacy and the use of commercially available AI products: This guide aims to help organisations comply with their privacy obligations when using commercially available AI products, and contains checklists to help them select an appropriate product. It also addresses the use of AI products that are freely available, such as publicly accessible AI chatbots.
- Guidance on privacy and developing and training generative AI models: This guide is for developers of generative AI models or systems that use personal information.
OAIC’s top five privacy takeaways for organisations
- Privacy obligations will apply to any personal information input into an AI system, as well as the output data generated by AI (where it contains personal information).
- Businesses should update their privacy policies and notifications with clear and transparent information about their use of AI, including ensuring that any public-facing AI tools (such as chatbots) are clearly identified as such to external users such as customers.
- If AI systems are used to generate or infer personal information, including images, this is a collection of personal information and must comply with APP 3. Entities must ensure that the generation of personal information by AI is reasonably necessary for their functions or activities and is only done by lawful and fair means.
- If personal information is being input into an AI system, APP 6 requires entities to only use or disclose the information for the primary purpose for which it was collected, unless they have consent or can establish the secondary use would be reasonably expected by the individual, and is related (or directly related, for sensitive information) to the primary purpose.
- As a matter of best practice, the OAIC recommends that organisations do not enter personal information, and particularly sensitive information, into publicly available generative AI tools, due to the significant and complex privacy risks involved.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.