
What are My Business’ Privacy and Data Obligations if I Use AI Tools?

Summary

  • Using AI tools in business creates significant data privacy risks, including exposure of confidential information, identity theft, and financial loss, with AI providers typically placing responsibility on users to implement their own data protection measures.
  • Inputting confidential information into an AI model may constitute a breach of confidentiality obligations under NDAs or contracts with confidentiality clauses, and businesses should review existing agreements before using AI tools in their operations.
  • Businesses must comply with the Australian Privacy Principles when deploying AI, including using personal information only for its primary purpose (APP 6), ensuring overseas data storage complies with the APPs (APP 8), and taking reasonable steps to protect information from misuse or unauthorised access (APP 11).
  • This article is a plain-English guide to privacy and data obligations when using AI tools for business owners operating in Australia, produced by LegalVision, a commercial law firm.
  • LegalVision specialises in advising clients on privacy law and AI-related compliance.

Tips for Businesses

Opt out of allowing your data to train AI models when setting up accounts. Avoid inputting confidential or personal information into AI systems. Review existing NDAs and confidentiality agreements for AI-related restrictions, and update your privacy policy to reflect how AI tools interact with customer data.


The integration of artificial intelligence (AI) tools can profoundly transform businesses, paving the way for enhanced customer experiences, elevated productivity, and innovative breakthroughs. As the capabilities of AI continue to expand, using these sophisticated tools in the everyday operations of your business will provide countless benefits. However, you must be conscious of your privacy and data obligations as a business owner using AI tools.

You must balance the pursuit of technological advancement against your ethical and legal obligations of data protection and privacy. This article will explore best practices to implement for the secure and responsible management of information within your business. 

Data Privacy Risks with AI Tools

Deploying AI tools in your business can raise cybersecurity issues, particularly because AI models generally process extensive amounts of data, including confidential or sensitive information. As a result, these AI programs can become prime targets for cyber-attacks. A data breach within AI frameworks can involve:

  • exposure of confidential or sensitive information;
  • risks of identity theft;
  • substantial financial repercussions; and
  • brand damage.

AI providers typically do not make assurances or guarantees to their customers in their terms of use regarding safe customer data processing and storage. This places the responsibility on you, as a user, to implement precautionary measures to mitigate data breach risk.

As best practice, avoid inputting confidential or sensitive information into AI systems. If you must, you should use data protection measures. For instance, ensure you have de-identified the data to conceal personal information or have obtained written consent from any persons whose data you are disclosing.

Remember that AI models are trained on any data fed to them. Accordingly, confidential or sensitive information entered into the system could be exposed, and the model may inadvertently disclose it in its output. To minimise your risk, we recommend that you opt out of allowing your data to be used to train the AI model when setting up an account.

Confidentiality Obligations

When engaging in contracts with third parties, be mindful of your contractual confidentiality obligations. This is especially relevant when it comes to your use of and interaction with AI models. Inputting confidential information into an AI model can be considered a breach of confidentiality if you have signed a non-disclosure agreement (NDA) or an agreement with confidentiality clauses. As the use of AI gains traction, the terms of confidentiality agreements are evolving to include the use of AI models as prohibited channels for disclosure.


Australian Privacy Principles (APPs)

You should adopt best practices in your business when handling personal information. Importantly, be aware of the APPs (even if your business is not required to comply with the Privacy Act 1988 (Cth)). The APPs provide rigorous guidelines for handling and managing personal information, which you must consider when deploying AI tools in your business.

APP 6

This principle focuses on ‘Use and Disclosure’, requiring businesses to only use and disclose personal information for the reason it was collected, that is, the ‘primary purpose’. The APPs prohibit using or disclosing personal information for a secondary purpose unless a specific exception applies. These exceptions can involve obtaining the individual’s consent, or a use or disclosure that is required by law or a court order. Using or disclosing information to train an AI model is typically considered a secondary purpose. Accordingly, unless an exception applies, you cannot use or disclose information for this purpose.

APP 8

This principle focuses on ‘Overseas Disclosure’. It means that you must take reasonable steps to ensure the AI model complies with the APPs even when it predominantly stores data overseas. Again, there are some exceptions to this, including if required by law or if an individual has granted consent.

APP 11

APP 11, themed ‘Security’, requires businesses to safeguard collected information by taking reasonable steps to protect it from any:

  • misuse;
  • interference; 
  • loss; 
  • unauthorised access; 
  • modification; or 
  • disclosure. 

You must be careful when choosing AI tools for your business and perform your due diligence to ensure the AI tools have policies and procedures to safeguard any data they store.

Be sure to regularly review your privacy policy to clearly articulate your business’ position on privacy, as well as your use of AI and its interaction with the personal information of your customers.

Key Statistics

  1. $80,850 is the average self-reported cost of cybercrime per Australian business, a 50 per cent increase from the previous year.
  2. 68% of notifiable data breaches resulted from malicious or criminal attacks in July to December 2024.
  3. 37% of data breach notifications were caused by human error in January to June 2025, an increase from the prior period.

Sources

  1. ACSC Annual Cyber Threat Report 2024-2025
  2. OAIC Notifiable Data Breaches Report: July to December 2024
  3. OAIC Notifiable Data Breach Statistics: January to June 2025

Key Takeaways

When leveraging the capabilities of AI tools within your business, ensure you are upholding your privacy, data and cybersecurity obligations. The vast benefits of AI use also come with an increased risk of data breaches and cyber-attacks. Be sure to avoid or minimise the input of confidential or sensitive information into AI systems; comply with confidentiality obligations in all binding agreements; adhere to the APPs if you are an APP entity (or as best practice for non-APP entities); and maintain comprehensive privacy policies.

If you need help understanding your obligations when using AI tools, our experienced AI lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What are the data privacy risks with AI in business?

AI tools process large amounts of sensitive data, making them vulnerable to cyber-attacks. These breaches can expose confidential information, lead to identity theft, cause financial losses, and harm brand reputation. Businesses should mitigate these risks by opting out of data being used for AI training.

How should businesses comply with the Australian Privacy Principles (APPs) when using AI?

Businesses should adhere to APPs by using personal data only for its intended purpose (APP 6) unless exceptions apply. They must ensure AI data handling, including overseas storage, complies with APPs (APP 8) and take steps to protect data from misuse (APP 11). Regularly updating privacy policies helps ensure compliance.


Elise Willett

Lawyer

Elise is a Lawyer in LegalVision’s Commercial team. She also has experience in the Wealth Management and Finance sector. Elise provides expert advice to commercial clients, particularly startups and SMEs, on a range of commercial matters.

Qualifications: Bachelor of Laws, Bachelor of Arts, University of Sydney, University of Wollongong, Master of Laws, College of Law.
