The Office of the Australian Information Commissioner (OAIC) has released new guidance clarifying how the Privacy Act 1988 (Cth) applies to organisations developing and using generative artificial intelligence (AI) systems. The move comes amid growing public concern about how personal information is being used to train AI models.
The guidance outlines clear boundaries for appropriate use of personal information in AI development, emphasising that privacy protection must remain a priority even as organisations embrace new technologies. It specifically addresses several key practices involved in developing and fine-tuning generative AI models, while also providing relevant principles for developers using personal information to train other forms of AI.
Privacy Commissioner Kind highlighted that organisations must take a cautious approach to AI implementation. She noted that “robust privacy governance and safeguards are essential for businesses to gain advantage from AI and build trust and confidence in the community.”
The OAIC’s guidelines align with international frameworks while addressing specific features of Australian privacy law, including stricter requirements around sensitive information handling and the absence of certain exceptions common in other jurisdictions. The guidance acknowledges the evolving nature of AI technology and provides high-level principles that can adapt to future developments.
Key messages for developers include carefully evaluating whether their AI models will involve personal information processing and considering the risks of data re-identification. The guidance complements recent government initiatives, including the Voluntary AI Safety Standard and proposed mandatory guardrails for high-risk AI systems, while emphasising that existing privacy obligations remain paramount.
Commissioner Kind highlighted the urgency of privacy reform in light of rapid technological advancement, calling for the introduction of a positive obligation on businesses to ensure fair and reasonable handling of personal information.
The OAIC’s guidance aims to facilitate privacy compliance while enabling responsible innovation in AI development, ultimately building greater trust between organisations and the Australian public.
For a full reading of the guidelines, see here.