§23 · Lane 7 — Australian Regulatory Primary Instruments

OAIC — Privacy and Commercial AI Products procurement checklist for regulated entities

OAIC (2024) · OAIC Guidance

Guidance · Tier 1 · Lane 7

Bibliographic data

Title
OAIC Guidance (October 2024) — Privacy and the use of commercially available AI products
Authors / Issuing body
Office of the Australian Information Commissioner (OAIC)
Venue / Publisher
Office of the Australian Information Commissioner
Year
2024
Designation
Guidance
Licence
Stable URL — refer to publisher for full licence terms.

How to cite

OAIC (2024). OAIC Guidance (October 2024) — Privacy and the use of commercially available AI products. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products.

The OAIC's October 2024 position on how the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply when entities adopt and use commercially available AI products. It directs regulated entities to undertake due diligence on whether an AI product is suitable for its intended use, to refrain from entering personal information (particularly sensitive information) into publicly available AI tools, and to embed APP 1 governance (privacy practices, procedures and systems) into AI procurement.

Why it matters for NETEVO

This is the regulator's stated reading of how Australian privacy law applies to AI procurement and use — the privacy-side counterpart to ASIC REP 798 and APRA CPS 230 among Australian regulator instruments.

APP-anchored procurement controls. The guidance operationalises APP 1 (open and transparent management of personal information) and APP 6 (use and disclosure of personal information) against AI-product procurement, and directs entities to refrain from entering personal information (particularly sensitive information) into publicly available tools. The obligations themselves sit in the Privacy Act and the APPs; the guidance is the regulator's statement of how it expects them to be met, and that statement is what NETEVO's Law-to-Code Methodology encodes into procurement-stage controls: the guidance states the due-diligence expectation, and the controls are its encoding.

The privacy limb of AI impact assessment. The guidance pairs with ISO/IEC 42005: where 42005 specifies the impact-assessment workflow, the OAIC guidance specifies what that workflow must address on the privacy side for entities subject to the Privacy Act 1988 (Cth). A single impact-assessment exercise can therefore serve both the standard's process requirements and the regulator's privacy expectations.

Broad statutory reach. The obligations the guidance addresses bind APP entities: Australian organisations with annual turnover above three million dollars, Commonwealth agencies (with limited exemptions), and certain small businesses that the Act brings within scope regardless of turnover (for example private-sector health service providers). That reach is materially broader than the AFS licensee population addressed by ASIC, making this the most broadly applicable AI-specific guidance issued by an Australian regulator. Note that the guidance is not itself a legal instrument: it binds only to the extent that it restates obligations in the Act and the APPs, but it signals how the OAIC will assess compliance with them.

Where NETEVO applies this

Related audiences