On 21 October 2024, the Office of the Australian Information Commissioner (OAIC) published two (2) new guides on artificial intelligence (AI), purportedly in effort to make privacy compliance easier for business.[1]
What does the OAIC AI guidance provide?
The first guide is claimed to ‘make it easier for businesses to comply with their privacy obligations when using commercially available AI products and help them select an appropriate product‘.
The second guide claims to provide ‘guidance to developers using personal information to train generative AI models‘. Both guides include checklists for readers, and together they aim to provide comprehensive coverage of the entire AI process, from development in the second guide to deployment in the first guide.[2]

Guidance on privacy and the use of commercially available AI products
The first guide claims to set itself apart from the main regulatory legislation for privacy, that being the Privacy Act 1988 (Cth), by instead of targeting all uses of AI which involve the handling of personal information as the Privacy Act does, the guide focuses particularly on the use of generative AI tools and general-purpose AI tools.
The key points from the first guide state:
- “Privacy obligations will apply to any personal information input into an AI system, as well as the output data generated by AI (where it contains personal information);
- businesses should update their privacy policies and notifications with clear and transparent information about their use of AI;
- if AI systems are used to generate or infer personal information, including images, this is a collection of personal information and must comply with APP 3;
- if personal information is being input into an AI system, APP 6 requires entities to only use or disclose the information for the primary purpose for which it was collected; and
- as a matter of best practice, the OAIC recommends that organisations do not enter personal information, and particularly sensitive information, into publicly available generative AI tools.”
The checklists provided by the first guide include a:
- checklist for privacy considerations when selecting an AI product; and
- checklist for privacy and use of commercial AI products.[3]
Guidance on privacy and developing and training generative AI models
The second guide aims to assist in compliance with the Privacy Act, along with assisting Australian Privacy Principle (APP) entities in complying with specifically with APPs 1, 3, 5, 6 and 10.
The key points of the second guide state that:
- “Developers must take reasonable steps to ensure accuracy in generative AI models;
- just because data is publicly available or otherwise accessible does not mean it can legally be used to train or fine-tune generative AI models or systems;
- developers must take particular care with sensitive information, which generally requires consent to be collected;
- where developers are seeking to use personal information that they already hold for the purpose of training an AI model, and this was not a primary purpose of collection, they need to carefully consider their privacy obligations; and
- where a developer cannot clearly establish that a secondary use for an AI-related purpose was within reasonable expectations and related to a primary purpose, to avoid regulatory risk they should seek consent for that use and/or offer individuals a meaningful and informed ability to opt-out of such a use.”
The second guide provides a checklist for privacy considerations when training AI models.[4]
Conclusion
In conclusion, the new guidance from the OAIC can be used as a resource to assist businesses and developers navigating privacy compliance in artificial intelligence. By providing practical checklists for selecting AI products and training generative AI models, these guides can help organisations meet their obligations under the Privacy Act. Emphasising responsible use and transparency, the OAIC’s recommendations aim to foster trust and accountability as AI technology continues to evolve.
Links and further references
Legislation
Further information about artificial intelligence
If you need advice on the existing guidance about artificial intelligence, contact us for a confidential and obligation-free and discussion:

Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au

Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
[1] OAIC (21 Oct 2024) New AI guidance makes privacy compliance easier for business, https://www.oaic.gov.au/news/media-centre/new-ai-guidance-makes-privacy-compliance-easier-for-business.
[2] Ibid.
[3] OAIC (21 Oct 2024) Guidance on privacy and the use of commercially available ai products, https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products.
[4] OAIC (21 Oct 2024) Guidance on privacy and developing and training generative ai models, https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-developing-and-training-generative-ai-models.

