§24 · Lane 7 — Australian Regulatory Primary Instruments
OAIC — Privacy and Generative AI Training practical implementation under the Privacy Act
OAIC (2024) · OAIC Guidance
Bibliographic data
- Title
- OAIC Guidance (October 2024) — Privacy and developing and training generative AI models
- Authors / Issuing body
- Office of the Australian Information Commissioner (OAIC)
- Venue / Publisher
- Office of the Australian Information Commissioner
- Year
- 2024
- Designation
- Guidance
- Licence
- Stable URL — refer to publisher for full licence terms.
How to cite
OAIC (2024). OAIC Guidance (October 2024) — Privacy and developing and training generative AI models. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-developing-and-training-generative-ai-models.
The OAIC's October 2024 position on the privacy obligations of entities developing or training generative AI models using personal information. Sets out OAIC expectations on data collection, training-data composition, lawfulness, and the application of APP 3 (collection) and APP 6 (use and disclosure) to model training.
Why it matters for NETEVO
The development-side counterpart to the OAIC's guidance on commercially available AI products — together, the two documents address the privacy obligations attaching to AI both as a procurement target and as a build target.
The guidance applies to entities that develop or train generative AI models on data containing personal information — typically large Australian enterprises with proprietary training datasets. It sets out the OAIC's expectations on data collection, training-data composition, and lawfulness, and addresses the application of APP 3 (collection) and APP 6 (use and disclosure) to model training. It is the Australian regulatory anchor for in-house model-development governance controls.
It is also the Australian privacy-law counterweight to global model-training-data critiques. Where the EU AI Act and United States scholarship address training-data lineage in part as a copyright matter and in part as a privacy matter, the OAIC guidance specifies the Australian privacy reading directly.
Across the development lifecycle, the guidance pairs with ISO/IEC 42005 (impact assessment), ISO/IEC 23894 (risk management), and the DISR Voluntary AI Safety Standard — design-stage controls anchored on Australian regulator expectations rather than on imported US or EU norms.
Where NETEVO applies this
- AI Governance in ANZ Whitepaper — AU answer to training-data lineage question
- Agent Infrastructure Whitepaper — agentic-AI training-data controls