Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

An AI use policy tells staff what they can and cannot do with AI tools at work. Most Australian businesses do not have one. Without a policy, staff are making their own decisions about which tools to use, what data to input, and how to handle AI-generated output, often without understanding the Privacy Act implications or the cybersecurity risk. Getting a policy in place before something goes wrong is significantly easier than explaining a breach after the fact.

Why Most Businesses Already Need One

AI tools are already in use in most workplaces, whether IT knows about it or not. Staff are using personal accounts on consumer AI platforms for drafting emails, summarising documents, answering client questions, and generating reports. This is sometimes called shadow AI: AI tool use that happens outside IT governance.

The compliance problem is not the tools themselves. It is the data that goes into them. If a staff member inputs client information into an AI tool that processes data on overseas servers, the business may have disclosed personal information to an overseas third party under APP 8 of the Privacy Act 1988.

Without a policy, that happens with no visibility, no oversight, and no ability to respond if something goes wrong.

What an AI Use Policy Should Cover

1. Approved Tools

Specify which AI tools are approved for work use, which require IT review before use, and which are prohibited. The key distinction is whether the tool has an enterprise data processing agreement (DPA) in place. Consumer or free-tier AI tools typically process data offshore without a DPA and may retain inputs for model training. Enterprise versions often include contractual data protection obligations and do not use customer data for training.

2. Prohibited Inputs

Define clearly what must never be entered into any AI tool, regardless of which tool it is:

  • Client personal information, including names, contact details, financial data, and health information
  • Passwords, API keys, credentials, or authentication tokens
  • Confidential business information, including commercially sensitive contracts, pricing, and strategy documents
  • Legal advice, privileged communications, or information subject to confidentiality obligations
  • Any information the business could not share publicly
3. Privacy Act Obligations

Staff need to understand, in plain language, that inputting client information into an AI tool that processes data offshore may constitute a disclosure under APP 8 of the Privacy Act 1988. The business remains accountable for how that information is handled, even if it is the AI vendor that causes the harm. The policy should state this directly, not bury it in legal language.

4. Accuracy and Verification

AI tools make mistakes. The policy should require that any AI-generated content used externally, including client communications, proposals, marketing material, reports, and contracts, is reviewed and verified by a staff member before it is sent or published. The business is responsible for what it puts its name on, regardless of how it was generated.

5. Intellectual Property

AI-generated content can create IP ambiguity, particularly in client deliverables. The policy should address whether AI-generated outputs can be used in work product, and if so, under what conditions. Where clients have specific requirements about AI use in deliverables, those requirements take precedence.

6. Who Is Responsible

Designate clear accountability within the policy: who approves new AI tools for business use, who staff should contact when they are unsure whether something is permitted, and who handles incidents. Without a named contact, staff default to asking no one.

7. Breach Reporting

If a staff member believes they may have input restricted information into an AI tool, the policy must require them to report it immediately. Early detection is the difference between a manageable incident and a notifiable data breach under the Privacy Act. Staff should not wait to see if anything happens before raising it.

Before You Publish the Policy

A policy based on assumptions is less useful than one based on what is actually happening. Before finalising:

  • Audit which AI tools are currently in use. Ask IT and ask staff separately, as the lists are often different.
  • Identify which tools already have enterprise data processing agreements in place.
  • Review your existing privacy policy to confirm it reflects current data handling practices, including any AI tool use.
  • If your business operates in a regulated sector (APRA-regulated, AFSL holders, NDIS providers, health services), seek legal or privacy advice before publishing. Sector-specific obligations may require additional provisions.

Keeping the Policy Current

AI tools are evolving faster than most governance documents. Build in a review trigger from the start. The policy should be reviewed when:

  • A new AI tool is adopted or an existing one is updated in a way that changes how data is handled
  • A compliance framework the business operates under is updated
  • An AI-related incident occurs, even a minor one
  • The policy has not been reviewed in the past 12 months

How All IT Can Help

All IT helps businesses develop IT governance documentation, including AI use policies, acceptable use policies, and incident response procedures. We assess which AI tools in your environment have appropriate data processing agreements in place and flag tools that create compliance exposure before they become a problem.

If you want to start with a conversation about what AI tools your staff are currently using and what the gaps are, that is a practical first step. Talk to us about IT strategy and consulting, our cybersecurity services, or managed IT support.

Not sure what AI tools your staff are using?

All IT can audit your current AI tool usage, identify compliance gaps, and help you put the right policy in place. Monthly contracts, no lock-in.


Frequently Asked Questions

Yes, if staff are using AI tools for work tasks. The policy does not need to be lengthy, but it needs to address which tools are approved, what data must not be input, and what staff should do if something goes wrong. Without one, the business has no documented position if a breach or compliance issue arises.
Consumer-grade or free-tier AI tools that process data offshore without a data processing agreement should be restricted for any use involving client or business data. Enterprise versions of the same platforms often include data protection agreements and do not use customer inputs for model training. The distinction is in the contract, not the tool name.
Assess whether personal information was disclosed to an overseas recipient under APP 8 of the Privacy Act 1988. If the AI tool retains data and the input constitutes personal information, it may meet the threshold for a notifiable data breach. Report it to your IT provider and seek privacy advice promptly. Early reporting is critical.
At minimum annually, and whenever a new AI tool is adopted, an existing tool changes how it handles data, a compliance framework is updated, or an AI-related incident occurs. A policy that has not been reviewed in 12 months in this space is likely already out of date.

Related Guide

Cybersecurity for Sydney SMBs

Explore our complete guide to protecting your business from cyber threats.

Read the Full Guide →