
Regulatory Update - OAIC guidance on privacy and developing and training generative AI models
On 21 October 2024, the OAIC released its guidance on privacy and developing and training generative AI models (GenAI Guidance). The GenAI Guidance is directed at developers and organisations subject to the Privacy Act. It outlines how the Australian Privacy Principles (APPs) apply when designing, building, training, adapting or combining AI models and applications.
Generative AI refers to models capable of producing content, such as text, images or audio, that resembles their training data.[1] Developing a generative AI model is a high privacy risk activity when it relies on large quantities of personal information.[2]
Core principles for privacy-compliant Gen-AI development
Privacy by Design (APP 1)
Developers must embed privacy protections from the outset. This includes:
- implementing systems and procedures to ensure compliance with the APPs.[3]
- conducting privacy impact assessments (PIAs) early and throughout the development lifecycle.[4]
- considering broader community expectations regarding the use of personal information.[5]
- treating privacy by design as an ongoing process.
Accuracy when training AI models (APP 10)
Developers must ensure personal information used in AI systems is accurate, up-to-date, and complete. The level of diligence depends on the intended use, with more rigorous safeguards for high-risk applications.
Key measures include:
- validating training data to ensure it is factual, current and appropriate for the model’s purpose
- documenting the impact of training data quality on model outputs
- communicating limitations clearly
- establishing update mechanisms to address inaccuracies
- implementing diverse testing protocols to detect and mitigate bias or inaccuracies
- tagging AI-generated content to ensure transparency
- providing user feedback channels, and
- applying technical safeguards.[6]
Privacy considerations when collecting and processing the training dataset
Developers must assess whether training datasets contain personal or sensitive information and apply robust governance measures.
Key considerations include:
- evaluating the dataset to determine if personal information is present
- recognising that non-identifiable data may become personal information when combined with other data
- applying data minimisation by limiting collection sources, restricting categories and timeframes of data and removing or sanitising personal information before use, and
- using de-identified data responsibly in compliance with the Privacy Act.
Collection obligations (APP 3)
Developers must ensure that personal information is collected lawfully, fairly, and directly from individuals unless impracticable. This includes assessing data scraping and third-party datasets, seeking contractual assurances, applying data minimisation and updating privacy policies and collection notices accordingly.
Use & disclosure obligations (APP 6)
Under APP 6, personal information must be used or disclosed for the primary purpose for which it was collected, unless an exception applies. Developers should confirm the purpose,[7] assess reasonable expectations, seek consent when needed,[8] minimise data use, and review transparency obligations.
Notice and transparency obligations (APP 1 and APP 5)
Developers must ensure individuals are informed about how their personal information is collected and used. This includes maintaining a clear privacy policy, notifying individuals and using public notifications where necessary.[9]
Additional privacy considerations (APPs 8, 11, 12 and 13)
Beyond compliance with APPs 1, 3, 5, 6, and 10, developers should be aware of further privacy obligations, including management of overseas data transfer, securing datasets, and supporting individuals’ rights to access and correct their personal information.
This publication constitutes a summary of the information of the subject matter covered. This information is not intended to be nor should it be relied upon as legal or any other type of professional advice. For further information in relation to this subject matter please contact the author.




