§23 · Lane 7 — Australian Regulatory Primary Instruments

OAIC — Privacy and Commercial AI Products

OAIC (2024) · OAIC Guidance


Bibliographic data

Title: OAIC Guidance (October 2024) — Privacy and the use of commercially available AI products
Authors / Issuing body: Office of the Australian Information Commissioner (OAIC)
Venue / Publisher: Office of the Australian Information Commissioner
Year: 2024
Designation: Guidance
Licence: Stable URL — refer to publisher for full licence terms.

How to cite

OAIC (2024). OAIC Guidance (October 2024) — Privacy and the use of commercially available AI products. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products.

The OAIC's October 2024 position on how the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply when entities adopt and use commercially available AI products. It directs regulated entities to undertake due diligence on an AI product's suitability, to refrain from entering personal information (particularly sensitive information) into publicly available tools, and to embed APP 1 governance into AI procurement.

Why it matters for NETEVO

This is the regulator's stated reading of how Australian privacy law applies to AI procurement and use — the privacy-side counterpart to the ASIC REP 798 and APRA CPS 230 entries on the AU regulator surface.

APP-anchored procurement controls. The guidance operationalises APP 1 (open and transparent management of personal information) and APP 6 (use and disclosure) against AI-product procurement. NETEVO's Law-to-Code Methodology encodes the OAIC's due-diligence expectations into procurement-stage controls — the guidance is the source of obligation, and the controls are the encoding.

The privacy limb of the one-template, five-hooks impact assessment. The guidance supplies the AU Privacy Act 1988 (Cth) privacy-impact-assessment limb of the multi-anchor argument first set out in NETEVO's ISO/IEC 42001 work, and it pairs with ISO/IEC 42005: where 42005 specifies the impact-assessment workflow, the OAIC guidance specifies what that workflow must address on the privacy side.

Broad statutory reach. The guidance binds APP entities: all AU businesses with turnover above three million dollars, plus all Commonwealth entities and a specified list of small businesses. This reach is materially broader than the AFS licensee population addressed by ASIC. For multi-sector NETEVO clients it is the single most broadly binding AI-specific output of an AU regulator, and an accompanying procurement checklist exists as a board-paper artefact for early-stage privacy review.
