What the law actually requires for small Australian businesses
Small business in Australia sits in a complicated regulatory position on AI. There is no AI-specific statute yet, and most AI-specific guidance is voluntary, but that doesn't mean there are no obligations at all: existing privacy and consumer law already apply to what you do with AI tools. Here's the real picture.
Privacy Act coverage: The Privacy Act 1988 applies to Australian businesses with annual turnover of more than $3 million. Smaller businesses are also covered if they provide a health service and hold health information, trade in personal information, are contracted service providers under Commonwealth contracts, or are related to a larger covered entity. If you're covered, the Australian Privacy Principles (APPs) apply to how you collect, use, and disclose personal information, including through AI tools.
What this means practically: If you use an AI tool to process customer data (names, email addresses, purchase history, any personal information), that use must be consistent with what you told customers in your privacy policy and with the purpose for which the information was collected. Most businesses' privacy policies say nothing about AI. Most AI tools used in small business send data to servers outside Australia, which brings in the cross-border disclosure rules in APP 8. Both are potential privacy compliance issues.
Consumer law: Regardless of Privacy Act coverage, Australian Consumer Law applies to all businesses. If you use AI to communicate with customers — chatbots, automated responses, AI-drafted emails — those communications must not be misleading or deceptive. AI-generated content that contains false statements is your business's legal responsibility.
What you should do this week
1. List every AI tool your team uses. Include tools people use from personal accounts for work purposes. ChatGPT, Claude, Grammarly, Canva AI, Copilot, customer service chatbots — anything that involves AI doing something with your business information.
2. Check what data each tool receives. For each tool, ask: does it ever receive customer names, email addresses, or other personal details? Does it receive confidential business information? If yes, read the tool's data handling terms: where the data is stored, whether your inputs are used to train the provider's models, how long they are retained, and whether the free or personal tier your team is using has different terms from the business tier. Free and personal tiers often do.
3. Update your privacy policy. Your privacy policy should describe, in plain English, that you use AI tools, what kinds of AI tools, and what data they may process. This doesn't need to be technical — it needs to be honest.
4. Write a one-page AI use policy. Cover: which tools are approved, what data rules apply (e.g. "don't put client names into free AI tools"), who approves new AI tools, and what happens if the rules aren't followed.
A template to adapt
AI Use Policy — [Business Name]
Approved tools: [List approved AI tools and their approved uses. E.g. "Microsoft Copilot for drafting internal documents. ChatGPT free version for general research only — not for client data."]
Data rules: Do not enter client names, contact details, financial information, or any confidential business information into AI tools that are not on the approved list. When in doubt, ask [responsible person].
Quality check: All AI-generated content used externally (client communications, published content, reports) must be reviewed by a team member before sending. Do not rely on AI output for accuracy without checking.
Responsible person: Questions about AI use go to [name]. Approval for new AI tools is required from [name].
Review: This policy will be reviewed every six months or when significant new AI tools are introduced.