Legal Insights

What all Victorian Government personnel need to know about OVIC’s recent statement on ChatGPT

By Robert Gregory, Georgia Hunt, and Jack Curran

• 16 April 2024 • 4 min read
  • Share

Generative AI, including ChatGPT is becoming common in all facets of personal, professional and public life. While, used well, it can be a powerful tool to improve communication and efficiency, it also carries with it a range of risks, including risks to the collection and handling of personal and sensitive information. Public sector organisations in particular need to be conscious of these risks and bring a curious and informed mind to the way these tools are integrated into their operations.

To assist with this, the Office of the Victorian Information Commissioner (OVIC) has recently issued a public statement concerning the use of personal information with ChatGPT (Statement). The Statement sets out OVIC’s views and recommendations to Victorian Public Service (VPS) organisations and personnel regarding how they should be utilising and interacting with generative artificial intelligence (genAI).

The following aspects of the Statement may be of interest to VPS personnel who operate with some level of dependency on genAI, or those who are considering implementing processes which introduce a level of genAI.

Short Overview – ChatGPT and genAI

Chat Generative Pre-Trained Transformer, better known as ChatGPT, is a platform developed by OpenAI (a U.S. based artificial intelligence research organisation) which responds to inputs from the user and generates human-like text as it’s output.

With each input given to the platform, ChatGPT further trains its Large-Language Model (LLM) to detect patterns, context and meaning of text. The platform will then incorporate its learnings into any future output, securing a perpetual and ever increasingly accurate output. Such output is most likely to be related to the prompt, word by word.

OVIC Commentary on ChatGPT

OVIC have taken a strict approach to its recommendations within the Statement. The position that they have taken is to approach with caution, as the use of personal information with ChatGPT raises significant privacy concerns and could contravene several Information Privacy Principles (IPP) contained in Schedule 1 to the Privacy and Data Protection Act 2014 (Vic) (PDP Act). By way of example, OVIC have provided the following use cases which they believe pose a risk in this regard:

  • By using and disclosing personal information to ChatGPT (whether intentional or erroneous), there is no guarantee that this information may not be subsequently used or access for unauthorised purposes by individuals outside your organisation, outside of Victoria, or other third parties, in contravention of IPPs 2.1, 4.1 and 9;
  • Generating personal information with ChatGPT constitutes a new ‘collection’ of personal information. This collection may not be necessary, lawful, fair and may result in inaccurate information or opinions being generated, used or disclosed. OVIC consider such action to contravene IPPs 1.1, 1.2, 3.1 and 10; and
  • Personal information input into ChatGPT is retained for a period known only by the parent company of ChatGPT, OpenAI. This contravenes IPP 4.2 and further, an VPS organisations’ obligations under the Public Records Act 1973 (Vic).

VPS Specific Guidance

In the Statement, OVIC recommends the following;

  • VPS organisations must ensure staff and contracted service providers do not use personal information with ChatGPT;
    • Personal information is defined in section 3 of the Privacy and Data Protection Act 2014 (Vic) as information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can be reasonably be ascertained from the information or opinion.
    • ChatGPT must not be used to formulate decisions, undertake assessments, or used for other administrative actions that may have consequences for individuals (examples are provided as evaluations, assessments or reviews); and
    • If an organisation becomes aware that Personal Information has been used with ChatGPT it should treat the occurrence as an information security incident and notify OVIC immediately. OVIC have implemented policies and procedures for dealing with such incidents, and more information is available at the OVIC website.

    OVIC have otherwise recommended that VPS Personnel and contracted service providers limit their use of ChatGPT to public sector information that is already publicly known, or if disclosed would not cause any harm to an individual or damage to an organisation.

    Application for other Government and Non-Government Organisations

    The practicality of the response from OVIC in this statement has created a helpful guideline for employees and contractors of public and private clients alike. Prior to any submission to ChatGPT or other similar genAI platform, it is important to consider the sensitivity of the data and whether any document contains personal information. If there is any personal information included within their input, the employee should restrict any reliance on any genAI platform, and otherwise follow the recommendations of OVIC.

    Looking for assistance?

    Don’t hesitate to contact a member of Maddocks Victorian Privacy, Data and Information Law team with any queries or if you’d like to discuss any aspect of your organisations cyber or privacy governance or operations further.

    By Robert Gregory, Georgia Hunt, and Jack Curran

    • Share

    Recent articles

    Online Access