
Business Note - Artificial Intelligence and Privacy

Updated: Jun 16


Hi I am an AI machine and I'm here to gather and evaluate your personal information.

Businesses strive for greater efficiency across operations, and artificial intelligence (AI) is fast becoming a tool to assist in achieving that objective.


However, when AI interacts with individuals engaging with the business, it is important to ensure privacy obligations owed to those individuals are met.


The Office of the Australian Information Commissioner (OAIC) has issued guidance on privacy and the use of commercially available AI products.


Outlined below are some Australian Privacy Principle (APP) considerations for businesses that are developing plans to introduce AI, or are already using AI, where an individual's personal information is involved.


1. Lack of Transparency (APP 1)

Businesses that don't adequately understand or communicate the risks associated with AI may unintentionally violate APP 1, which requires that personal information be handled in an open and transparent way. This principle is essential because it builds trust between the organisation and individuals and ensures that people are fully informed about how their personal data is being used, processed, and possibly shared. Without clear communication, individuals might remain unaware of the implications of AI decision-making processes that impact their lives, such as automated hiring systems, credit scoring algorithms, or personalised advertising. Additionally, the lack of transparency can cause misunderstandings about the extent of data collection, the purposes for which data is used, and the potential risks of data breaches or misuse. To comply with APP 1, businesses must not only disclose their data practices but also engage in meaningful dialogue with others, providing detailed explanations of how AI systems function and the safeguards in place to protect personal information. This proactive approach not only meets regulatory requirements but also improves the ethical use of AI. It promotes accountability and nurtures a culture of respect for individual privacy rights.


2. Improper Collection of Personal Information (APP 3)

AI systems that generate or infer personal information often do so without obtaining it directly from individuals, raising significant privacy and legal compliance concerns. APP 3 mandates that personal information should be collected directly from individuals unless doing so is unreasonable or impracticable. This requires businesses to have strong justifications for any indirect collection methods. For example, if an AI system infers personal information from publicly available data or third-party sources, businesses must ensure this indirect collection is essential for their functions or activities. Additionally, businesses should implement measures to mitigate potential risks associated with indirect personal information collection, such as ensuring data accuracy, currency, and relevance to the intended purpose.


3. Unanticipated Use of Data (APP 6)

Using personal information to train AI models can breach APP 6 if individuals did not reasonably expect their data to be used this way. APP 6 emphasises that personal information should only be used in ways consistent with the original collection purpose. Businesses must ensure any secondary data use, particularly for AI training, aligns with the initial purpose or that explicit consent has been obtained. This highlights the importance of clear communication and informed consent in data practices. For instance, if an individual provides information for a specific service, they should be informed if the data will be used to train an AI model, and they should have the option to agree or decline. Moreover, businesses should implement robust data governance frameworks, including regular assessments of personal information use, to ensure APP 6 compliance.


4. Inadequate Notification and Understanding (APPs 5 & 6)

AI systems can be complex and opaque, making it difficult for individuals to understand how their data is used or where it may be transferred. This lack of transparency can breach APP 5, which requires individuals to be notified about the collection of their personal information, and APP 6, which governs its use and disclosure. To comply, businesses must provide clear, accessible, and comprehensive notifications explaining the purpose of data collection and potential uses, including any transfers to third parties or AI training. These notifications should be easy to understand, avoiding technical jargon that may confuse meaning. Businesses should also adopt user-friendly interfaces and educational resources to enhance individuals' understanding of their data rights and management.


Takeaways

Prioritise transparency and clarity to help individuals feel more informed and empowered about their personal information. This will foster greater trust and compliance.


Review your business's current Privacy Policy and update or implement all relevant systems and documents to reflect the use of AI.


If you need assistance, by all means let me know.


KJ


You can obtain more information from the OAIC.
