
New OAIC guidance on Artificial Intelligence

by

reviewed by

Malcolm Burrows

On 21 October 2024, the Office of the Australian Information Commissioner (OAIC) published two (2) new guides on artificial intelligence (AI), purportedly in an effort to make privacy compliance easier for business.[1]

What does the OAIC AI guidance provide?

The first guide is claimed to ‘make it easier for businesses to comply with their privacy obligations when using commercially available AI products and help them select an appropriate product’.

The second guide claims to provide ‘guidance to developers using personal information to train generative AI models’. Both guides include checklists for readers, and together they aim to provide comprehensive coverage of the entire AI process, from development in the second guide to deployment in the first guide.[2]

[Image: AI development to deployment]

Image Source: Department of Industry, Science and Resources, Safe and responsible AI in Australia: Proposals paper for introducing mandatory guardrails for AI in high-risk settings, September 2024.

Guidance on privacy and the use of commercially available AI products

The first guide claims to set itself apart from the main privacy legislation, the Privacy Act 1988 (Cth): rather than targeting all uses of AI that involve the handling of personal information, as the Privacy Act does, the guide focuses particularly on the use of generative AI tools and general-purpose AI tools.

The key points from the first guide state:

  • “Privacy obligations will apply to any personal information input into an AI system, as well as the output data generated by AI (where it contains personal information);
  • businesses should update their privacy policies and notifications with clear and transparent information about their use of AI;
  • if AI systems are used to generate or infer personal information, including images, this is a collection of personal information and must comply with APP 3;
  • if personal information is being input into an AI system, APP 6 requires entities to only use or disclose the information for the primary purpose for which it was collected; and
  • as a matter of best practice, the OAIC recommends that organisations do not enter personal information, and particularly sensitive information, into publicly available generative AI tools.”

The checklists provided by the first guide include a:

Guidance on privacy and developing and training generative AI models

The second guide aims to assist in compliance with the Privacy Act, along with assisting Australian Privacy Principle (APP) entities in complying specifically with APPs 1, 3, 5, 6 and 10.

The key points of the second guide state that:

  • “Developers must take reasonable steps to ensure accuracy in generative AI models;
  • just because data is publicly available or otherwise accessible does not mean it can legally be used to train or fine-tune generative AI models or systems;
  • developers must take particular care with sensitive information, which generally requires consent to be collected;
  • where developers are seeking to use personal information that they already hold for the purpose of training an AI model, and this was not a primary purpose of collection, they need to carefully consider their privacy obligations; and
  • where a developer cannot clearly establish that a secondary use for an AI-related purpose was within reasonable expectations and related to a primary purpose, to avoid regulatory risk they should seek consent for that use and/or offer individuals a meaningful and informed ability to opt-out of such a use.”

The second guide provides a checklist for privacy considerations when training AI models.[4]

Conclusion

In conclusion, the new guidance from the OAIC can be used as a resource to assist businesses and developers navigating privacy compliance in artificial intelligence.  By providing practical checklists for selecting AI products and training generative AI models, these guides can help organisations meet their obligations under the Privacy Act.  Emphasising responsible use and transparency, the OAIC’s recommendations aim to foster trust and accountability as AI technology continues to evolve.

Links and further references

Legislation

Privacy Act 1988 (Cth)

Further information about artificial intelligence

If you need advice on the existing guidance about artificial intelligence, contact us for a confidential and obligation-free discussion:

[1] OAIC (21 Oct 2024) New AI guidance makes privacy compliance easier for business, https://www.oaic.gov.au/news/media-centre/new-ai-guidance-makes-privacy-compliance-easier-for-business.
[2] Ibid.
[3] OAIC (21 Oct 2024) Guidance on privacy and the use of commercially available AI products, https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products.
[4] OAIC (21 Oct 2024) Guidance on privacy and developing and training generative AI models, https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-developing-and-training-generative-ai-models.

