Your AI policy, in one page.
Your team is already using AI, so the choice is rules or no rules. Australia gives you free, practical guidance through the National AI Centre and the ASD/ACSC, and your privacy and confidentiality duties already apply. A Privacy Act transparency obligation commences December 2026: disclose when automated decisions, AI included, materially affect people. A short policy beats a ban.
- Green, public: use freely in approved tools.
- Amber, internal: approved business tools only, strip identifiers.
- Red, confidential or personal: never in a public chatbot. Ever.
Gut-check: would you be fine if this text turned up outside the business? If not, it's red.
- Business tier for real work: typically contractually set not to train on your data, plus admin controls.
- Check the settings: training opt-out, data retention, account type, where data goes.
- Keep it short: two or three approved tools beat a dozen.
- Register them: tool, tier, approved data tier, owner, settings, last-reviewed date.
- A person reviews and signs off anything customer-facing, factual, legal or financial.
- Confidence from the tool is not correctness. Check the facts and figures.
- A lighter touch is fine for private drafts and rough internal notes.
- Tell people when AI materially shapes a decision or interaction about them.
- Clear cases: chatbots, automated assessments or scoring.
- Keep a person accountable, be able to explain it, offer a way to query it.
- What's approved (and that anything off the list isn't).
- The green / amber / red data line.
- The human-check and sign-off rule.
- How you disclose AI use.
- Who owns the policy and the next review date.
Frame it as permission to use AI well, not a crackdown. Explain the why, make the safe path easy, pair the policy with a staff one-pager, and set a review date.