• Learn how to ensure you understand your AI tools
  

  One of the simplest, but most important, things you can do to build trust and protect privacy in the age of AI is to understand how the AI tools that your agency uses work.  

This includes ensuring that users understand: 

• what data can (and must not) be included in inputs;
• where and how the tool processes that data;
• whether the tool ‘learns’ from your agency’s data or outputs;
• any biases, quality issues, or other limitations, of its outputs (an AI tool will only be as good as the quality of data that it uses, and that on which it was trained).

Explaining these things to users and to other stakeholders (including in your privacy policy, AI transparency statement, collection notices and other material) will not only improve the use of the tool, but will also help protect the privacy of your clients and staff, comply with your agency’s legal obligations, and protect you from the impacts of using unreliable outputs.

• Don’t hold more AI generated personal information  than you need
  

  Agencies must always assess whether the personal information they collect can be justified as genuinely and reasonably needed. 

This principle, known as data minimisation, helps to protect individual privacy, including by minimising the risk of data breaches – personal information can only be stolen or accidentally disclosed if you hold it!

When implementing a new AI tool, it is crucial to ask:

• Will your AI tool generate or result in your collecting new personal information (including about your clients or the users of the AI tool)? If so:
  • can collection of it be clearly linked to a function or activity of your agency?
  • if it might be new ‘sensitive information’ (e.g. about the health, disability, ethnic or racial orientation), how will the collection of that new information be authorised?
     
• How long do you need to keep any new personal information that is generated (including for fraud, auditing, legal defences, or other legitimate purposes)? Is there a records disposal authority or normal administrative policy under the Archives Act to allow deletion it when it is no longer needed? 
   
• Will outputs and other records of the AI use be stored so as to allow them to be reviewed and any personal information that is no longer needed for business functions deleted?

• Configuring AI tools
  

  AI tools are typically ‘one size fits all’, and it can be challenging to determine whether or how they can be configured and managed so they only do what you need them to, and are not taking unnecessary ‘bites’ out of your agency’s data, energy and resources.

But as AI tools evolve, there are increasing options for customisation so they operate in a way that fits your agency’s needs and risk appetite. When implementing a new AI tool, always ask:

• What contractual controls have been placed on the supplier of the tool? For example, can they use agency data for any secondary purposes (like training their AI models)? Are they limited to storing and processing data in the Australian region, including any transient or ephemeral storage?
   
• What configuration options are available? Can the tool be restricted from surfacing particularly sensitive data to produce an output, or be required to ground its outputs in specific databases?
   
• What guidance and instructions have been provided to users of the tool about any configured options (e.g. if your AI tool has been configured to allow different LLMs to answer prompts)? This should be in addition to other instructions such as to include personal information in any input prompts, or to take specific quality assurance steps when handling outputs). 

• Relationships with contractors using AI tools
  

  In order to build trust and protect privacy in the age of AI, it is important to understand how your contractors will use AI tools when supplying their services.

Use of AI by suppliers can result in faster or more cost-effective delivery of services, including through use of AI to perform simple, routine tasks. But without appropriate protections, there could be potential security or quality issues, particularly if they are providing complex written work.

The only way to assess the effect of a suppliers’ use of AI is to gain a holistic understanding of that use, ideally at the procurement stage. Agencies should now ask questions of all suppliers, including to obtain information about:

• the AI tools that will (or might) be used in provision of the services; 
• the overall level of AI and privacy maturity of the supplier;
• how the supplier would use the AI tools to benefit the agency, and how the supplier will ensure the quality of any AI generated outputs; and
• the security measures that will protect your data if the supplier uses the proposed AI tools.

This will allow you to evaluate AI risks and benefits, and also ensure that your contract with the selected supplier builds in appropriate AI protections.

• Seeking further advice about AI tools
  

  AI has rapidly become a fundamental element of the modern workplace, but Australian privacy law has not yet been reformed to address some often inherent privacy and legislative secrecy risks that can arise when AI tools are used to handle personal information held by an agency. 

With the new statutory tort for serious invasions of privacy now in force, it is more important than ever for agencies to have the governance and processes in place that will allow it to determine whether the benefits of using an AI tool outweigh any other legal risks.

Undertaking a comprehensive Privacy Impact Assessment (PIA) and AI Impact Assessment (AIIA) before implementation of an AI tool is probably no longer just best practice – it is essential to allow you to understand how an AI tool will intersect with your agency’s legal obligations, including under privacy, commercial and employment law, and your regulatory and security obligations. These are structured, end-to-end, evaluation processes, designed to assist you to avoid inadvertently breaching legislation, compromising data security, or deploying tools that lack transparency and accountability.

Using a proven AIIA methodology and tailored templates to conduct AIIAs that are thorough, compliant, and fit-for-purpose, aligns with government frameworks and emerging standards, and ensures agencies meet their legal obligations when harnessing the benefits of AI. At Maddocks, we conduct AIIAs using our integrated, multidisciplinary legal team which brings together experts in privacy, commercial law, regulatory compliance, employment law and technology.

Whether you are exploring a new AI procurement, piloting a tool, or scaling an existing system to include new AI functionalities, a PIA and AIIA can support your journey to deploy AI tools responsibly and effectively.