This webpage details some key privacy considerations to be observed in relation to Artificial Intelligence (AI).
It is not intended to outline how to implement or use AI in your agency comprehensively.
In this webpage, ‘AI’ describes the use of techniques and technologies, including machine learning, natural language processing and robotics, to perform tasks and produce outputs that would normally require human involvement.
Information Privacy Principles Instructions
South Australian Government agencies are governed by the Information Privacy Principles Instructions (IPPI).
Under the IPPI, Personal information is defined as ‘information or an opinion, whether true or not, relating to a natural person or the affairs of a natural person whose identity is apparent, or can reasonably be ascertained, from that information or opinion’.
Agencies who are considering using AI techniques or technologies which collect and/or process personal information should conduct a privacy impact assessment to manage privacy risks and ensure compliance with the IPPI.
Privacy risks and challenges of AI
AI poses privacy risks in relation to the collection, use and disclosure of personal information. Agencies should take the following actions to mitigate these risks:
- Update your agency’s privacy policies and notifications with clear and transparent information about the collection, use and disclosure of personal information in AI.
- Only collect personal information which is necessary and relevant to your agency’s purpose in exercising its functions.
- Never input personal information into AI products unless:
- it is in accordance with your agency’s AI policies and procedures
- the use or disclosure of personal information is relevant to your agency’s functions and the purposes for which the personal information was collected
- the record-subject has consented to or would reasonably expect your agency to use or disclose their personal information for this purpose
- it is stored securely with limited access to individuals requiring the information for legitimate purposes.
Privacy obligations
Privacy policies and terms of use of publicly available technologies are unlikely to meet the requirements of the South Australian government to sufficiently protect personal or government information (Guideline-13.1-Use-of-Large-Language-Model-AI-Tools-Utilities (external site) (PDF)). Practice caution if using publicly available AI tools by:
- treating inputs into publicly available AI tools as publicly accessible
- never inputting personal or work information into public AI tools.
Any inferred, or artificially generated outputs from an AI product, such as deep fakes or hallucinations about an individual, are personal information and must be handled in the same way as voluntarily provided personal information.
Proper information management of the inputs and outputs of AI provides the foundations for safeguarding privacy. See Artificial Intelligence and Information Management.
Develop AI policies
Develop policies governing the safe selection and use of generative AI and Large Language Model (LLM) tools that are regularly reviewed and updated, as required by the South Australian Cyber Security Framework (external site) (SACSF) and Guideline 13.1 Use of Large Language Model AI Tools and Utilities (external site) (PDF).
This should consider privacy and security risks, privacy impact assessments, AI product testing and ongoing review, staff training, and human oversight of the AI product’s operation to ensure it remains fit for purpose.
Consider specific policies to ensure human oversight of AI. For example, Microsoft Teams transcripts automatically use Copilot to generate a summary of the meeting outputs and agreed actions which is made available in the Teams chat. This transcript and summary might contain personal, unrelated or otherwise sensitive information, and could be inaccurate. Agencies can reduce risks of a privacy breach by developing a policy on the recording of meetings and by checking AI-generated meeting summaries.
Work within ethical frameworks
The design, development, deployment and operation of AI must be in accordance with the State Government’s AI Ethics Policy (external site) (PDF) to avoid harm to individuals, groups or the environment.
For example, AI products have the potential for bias resulting in discrimination towards groups or individuals, perpetuating existing societal prejudices found in training or source data.
An example of this is the use of CCTV cameras combined with the use of facial recognition technology (FRT), which can be intrusive and discriminatory. If agencies are contemplating using FRT, as with other AI, they should conduct a privacy impact assessment. Agencies must also adhere to the principles outlined in the AI Ethics Policy (external site) (PDF) and should consider the principles in the Global Privacy Assembly, which sets expectations for the appropriate management of personal information in FRT.
Further guidance for agencies on AI can be found at:
- Artificial Intelligence and Information Management | State Records of South Australia
- Facial Recognition Technology | State Records of South Australia
- Information Privacy Principles Instruction | State Records of South Australia
- Information Privacy Strategy and Fundamentals | State Records of South Australia
- LGITSA AI Adoption Toolkit (external site)
- Policy for the Responsible use of AI in Government (Australian Government Digital Transformation Agency 2024 (external site))
- Privacy Impact Assessment Guideline | State Records of South Australia
- South Australian Office for Artificial Intelligence (external site)