The Office of the Privacy Commissioner (OPC) has released practical guidance on the use of generative artificial intelligence (AI) by New Zealand organisations. While the guidance is limited to generative AI, it is also relevant to the use of other AI tools.
You can access the guidance here.
What is generative AI?
Generative AI is a type of AI that can produce text, images, videos, software and other forms of content, on request within seconds. These include tools such as ChatGPT and Google's Bard.
To access our further insights on generative AI tools, including opportunities arising from such technology, as well as risks (including privacy risks), and strategies to mitigate against those risks, please see our video series here: Digital Download: Generative AI.
Generally, organisations that collect and process personal information in New Zealand will have statutory obligations under the Privacy Act 2020 (Privacy Act). If personal information is uploaded to AI tools, that processing will be regulated by the Privacy Act.
As an overarching approach, the OPC recommends that organisations do not upload personal or confidential information to generative AI tools. This is because how an AI tool provider will treat this information will differ between tools and may not always reflect best practice when it comes to privacy protection.
However, if personal information is uploaded to an AI tool, the OPC expects organisations to take the following steps:
Obtain Senior Leadership approval: Organisations should be transparent with their senior leadership team on the types of AI tools being used in the business and how such tools process personal information. Senior leadership should consider all of the risks of adopting AI tools, the factors that may mitigate against some of the risk, and provide express approval of such use.
Review the use of the AI tool: Given the potential privacy risks, organisations should consider whether it is necessary to use an AI tool in its business, and whether the benefits of using such tools outweigh the risks.
Conduct a Privacy Impact Assessment: The OPC recommends conducting a Privacy Impact Assessment (PIA) before using AI tools to help identify and mitigate privacy risks. If relevant, this should include seeking feedback from impacted communities and groups, including Māori. We recommend reviewing the specific tools' terms and conditions as part of the PIA to assess how the particular provider will treat the information uploaded to its tool, and the privacy safeguards it has in place to mitigate against unauthorised use and/or disclosure of such information.
Be transparent: Organisations must comply with the Information Privacy Principles of the Privacy Act if uploading employees' or customers' personal information to AI tools. This means that individuals must be clearly informed about how their personal information will be used in the AI tool and for what purposes.
Have an access and correction procedure: The OPC recommends organisations ensure that the information it uploads to an AI tool is accurate and have procedures in place to respond to requests from individuals to access and correct their personal information.
Conduct a human review: Ensuring a human review of AI-generated output prior to taking any action based on that output may help mitigate the risk of acting on the basis of inaccurate or biased information.
Ensure that personal or confidential information is not retained or disclosed by the AI tool: The OPC recommends against uploading personal or confidential information to an AI tool, unless the tool provider has expressly confirmed that it does not retain or disclose such information. As an alternative, the OPC recommends stripping input data of any information that enables re-identification. The OPC also strongly cautions against using sensitive or confidential data to train AI tools.
The OPC provides a range of other guidance on Artificial Intelligence, including the AI Forum's Trustworthy AI in Aotearoa – the AI Principles. You can access these here.
If you have any questions on the use of AI tools in your business, please contact one of our experts below.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.