How to Write an AI Use Policy for Your Australian Workplace
Your team is using ChatGPT. You might not have approved it formally, but they are. The question isn’t whether your workplace needs an AI use policy—it’s whether you’re going to get ahead of the issue or clean up a mess later. Here’s how to write one that keeps you compliant and your team focused.
Why Your Workplace Needs an AI Policy (Legally and Practically)
Australia’s Fair Work Act doesn’t explicitly mention AI, but it applies directly to AI use. Employers must provide a safe workplace—which includes protecting employees from unfair surveillance via AI monitoring tools. You’re also bound by the Privacy Act, which limits how you collect and use personal information, even from publicly available sources. Add intellectual property risk (who owns output created by AI?), reputational risk (what if your AI produces biased hiring recommendations?), and regulatory risk (ASIC scrutiny of algorithmic decision-making), and the case for a clear policy becomes urgent.
An AI policy isn’t bureaucracy—it’s protection. It clarifies expectations, reduces legal exposure, and helps your team use these tools responsibly.
The Eight-Section AI Policy Structure
1. Purpose and Scope
Start with why the policy exists. Example: “This policy provides guidance to all employees, contractors, and third parties who design, procure, operate, or interact with AI systems, ensuring responsible use aligned with the company’s values and legal obligations.” Then clarify who it applies to—all staff, certain roles, contractors, clients using your tools.
2. Approved AI Tools and Platforms
List the AI tools your organisation has approved for business use. Be specific: ChatGPT (3.5 and 4), GitHub Copilot, Midjourney, etc. Specify any use restrictions (e.g., “ChatGPT allowed for drafting internal emails, not for client communication without review”). If a tool isn’t on the approved list, employees shouldn’t use it for work.
The approved list should be maintained by your IT or compliance team and updated quarterly as new tools are assessed. This prevents the chaos of random tools proliferating across the business.
3. Prohibited Uses
Be explicit about what staff cannot do. Common prohibitions:
- Uploading confidential company information, client data, or personal information to public AI systems.
- Using AI to make unilateral decisions on hiring, firing, or performance (AI can assist, not decide).
- Using AI tools to monitor or track employee activity without consent.
- Generating outputs for client deliverables without disclosing AI use (if required by contract or regulation).
- Training company-owned AI models on data without privacy compliance review.
The more specific, the better. “Don’t misuse AI” is vague. “Don’t upload client financial data to ChatGPT” is clear.
4. Data Handling and Privacy
This is where the Privacy Act intersects with AI. Set a clear rule: no personal information (names, emails, phone numbers, financial details, health information, or any data that could identify someone) should be input into public AI systems unless privacy compliance has been confirmed.
For internal-only or commercial AI tools where you have a contract, the rules can be looser. But for free or public tools (ChatGPT, DALL-E), data protection must be tight.
5. Output Accountability
Here’s the critical part: who’s responsible for what the AI produces? Your policy should say: “Employees are accountable for any content generated with AI, even if AI created it. You must review AI output for accuracy, bias, and appropriateness before it’s used or shared. You cannot delegate accountability to the AI.”
This protects the company by making clear that AI is a tool, not a decision-maker. The human using it is responsible.
6. Intellectual Property and Copyright
This is contentious. Currently, AI-generated output may not be protected by copyright (though courts are still deciding). Your policy should clarify: “Content generated using approved AI tools is the company’s intellectual property, owned and governed by the same rules as employee-generated work.” For contractor work, be explicit about who owns AI-assisted output.
For code generated by GitHub Copilot, your policy might state: “Developers are responsible for ensuring generated code doesn’t violate open-source licenses. Use Copilot for acceleration, not wholesale copying.”
7. Training and Oversight
Announce the policy—don’t slip it out. Hold a team briefing explaining why it exists, what tools are approved, and what the risks are. Provide training on responsible use. Make it clear: this isn’t about preventing innovation, it’s about protecting the company and respecting privacy and IP.
Include oversight mechanisms: random spot-checks of AI use (if you use monitoring tools, disclose them under the policy, not as a surprise), incident reporting for policy breaches, and annual policy review.
8. Breach Consequences
What happens if someone uploads confidential data to ChatGPT? Make it clear: first breach might be a warning and retraining; repeated breaches could lead to disciplinary action up to and including termination. Proportionality matters—a minor error is different from reckless data exposure—but clear consequences encourage compliance.
How to Roll Out Your Policy Without Resistance
The teams already using AI will see a new policy as a constraint. Here’s how to frame it as enablement:
Consult first. Before finalising, ask a cross-section of staff: What AI tools are you using? What would make it easier to use AI responsibly? What are your concerns? This gives you a better policy and builds buy-in.
Show the business case. Frame it as permission, not restriction. “Here are the tools we’ve cleared for you. Use these with confidence. Here’s why we can’t approve others.” People respond better to clarity than to vague prohibition.
Make it easy to comply. If you’re banning ChatGPT for confidential data, offer an alternative: a private AI tool or a process for getting approval to use it securely. Compliance without alternatives fails.
Lead by example. Senior management should visibly follow the policy. If the CFO is uploading sensitive files to ChatGPT while telling staff not to, the policy is dead on arrival.
Keeping Your Policy Current
AI tools evolve fast. Your policy shouldn’t be a static document. Review it quarterly and update it when:
- New approved tools are added.
- Regulatory guidance changes (ASIC, APRA, OAIC publishing new expectations).
- Your company’s AI use expands significantly.
- Incidents occur that reveal policy gaps.
Schedule a formal annual review with legal, compliance, and a sample of staff. Ask: does this policy still make sense? What’s changed? What new risks have emerged?
FAQ
Is an AI use policy legally required in Australia?
Not explicitly by statute, but requirements under the Fair Work Act (safe workplace), Privacy Act (data protection), and potential liability under consumer protection and discrimination law make a clear policy essential risk management.
Can we ban ChatGPT entirely?
Technically yes, but it’s impractical and likely to be circumvented. A better approach is to approve it with clear guardrails: use it for brainstorming, drafting, internal communication—but not for confidential data, client deliverables without disclosure, or decision-making without human review.
What if employees ignore the policy?
Address breaches consistently and progressively: first breach is coaching and retraining; repeated breaches warrant formal discipline. Document everything. The policy only works if enforced.
Your AI Policy Matters More Than You Think
A clear, reasonable AI use policy protects your company, clarifies expectations for your team, and demonstrates to regulators that you’re governing AI responsibly. It’s not about preventing innovation—it’s about channelling it safely.
Ready to develop or refine your AI use policy? Contact us to discuss a policy tailored to your workplace.
