Protecting Privacy in AI:

Best Practices for Safe Generative AI Use

The adoption of artificial intelligence (AI), particularly generative AI, presents a dual challenge: balancing its innovative capabilities with the need to safeguard privacy. AI models, especially those generating content, often require large datasets that may include personal data, raising concerns about privacy and security. Following best practices is essential for organisations aiming to use AI responsibly while maintaining privacy standards. Below are key practices organisations should consider:

1. Privacy-Centric Selection of AI Tools

• Due Diligence: Before selecting an AI product, organisations should conduct rigorous due diligence. This includes verifying the AI tool’s adherence to privacy standards, testing its performance within the intended use case, and examining security features that protect data. This is critical as generative AI models like chatbots or content generators can handle vast amounts of personal data, amplifying the need for careful selection.
• Privacy Impact Assessments (PIAs): Conducting a PIA early in the decision-making process is advisable. PIAs help identify potential privacy risks and assess if the AI model’s design is in compliance with privacy laws, including the Australian Privacy Principles (APPs).

2. Privacy by Design

• Embedding Privacy Controls: Implement privacy measures at each stage of the AI lifecycle, including data collection, model training, and data output stages. Privacy by design ensures that AI tools are developed with privacy safeguards from inception, limiting data misuse or unintended leaks.
• Regular Updates: Privacy risks evolve as AI technology advances, making it essential to review and update privacy controls periodically. Regular assessments help identify new privacy challenges that arise over time, ensuring continued compliance.

3. Data Minimisation and Avoidance of Personal Data Input

• Limit Data Collection: Organisations should carefully consider what data is genuinely necessary for the AI’s function. Avoid inputting sensitive personal information into AI systems, especially public generative AI tools, to minimise privacy risks.
• Pseudonymisation and Anonymisation: Where data must be input, pseudonymisation and anonymisation techniques can be used to reduce the risk of identification. This practice allows for data utility without compromising individual privacy, which is particularly effective in training and testing stages.

4. Transparency and Accountability

• Clear User Notifications: Organisations should ensure transparency by notifying users when they interact with AI systems, especially in public-facing tools like customer service chatbots. Clear explanations about data use and AI decision-making processes help build trust and align with transparency obligations under the APPs.
• Policy Updates: Privacy policies should be regularly updated to reflect the organisation’s current AI practices. Providing accessible, detailed information about how AI tools use personal data enables users to make informed decisions about their data privacy.

5. Access Control and Security Measures

• Role-Based Access Controls: Restrict access to data within AI systems based on role requirements to protect personal data from unnecessary exposure. Effective access management is crucial, particularly in cases where multiple departments interact with the AI system.
• Data Encryption and Secure Storage: Implement robust data encryption for both in-transit and stored data. Secure storage solutions are essential to prevent data breaches, particularly for AI systems handling sensitive or personal data.

6. Obtaining Consent and Handling Sensitive Information

• Informed Consent: When processing personal or sensitive data through AI, ensure consent is both informed and specific to the context of use. Generative AI tools can create outputs based on personal data, which requires heightened vigilance to avoid misuse or unintended consequences.
• Sensitivity to Data Types: For AI systems using sensitive information, like biometric data or health records, compliance with privacy requirements is mandatory, often requiring explicit consent. Generative AI’s probabilistic nature may create unpredictable outputs, making consent and clear data boundaries essential.

7. Ongoing Monitoring and Evaluation

• Performance Monitoring: Routine evaluations of the AI system’s performance help to catch privacy risks that may arise after deployment, especially those linked to data handling and model accuracy.
• Feedback Mechanisms: Provide feedback channels for users, employees, or other stakeholders to report privacy concerns. These inputs are invaluable for continuous improvement and risk management, particularly as AI technologies evolve.

8. Avoid Secondary Use of Data Without Consent

• Primary Purpose Limitation: Under the APPs, any personal information collected should be used strictly for its original purpose unless additional consent is obtained. Secondary uses can compromise privacy, especially when handling sensitive or inferred data, so it is vital to limit AI to its primary function unless users explicitly consent to broader data usage.
• Secondary Use Justifications: In cases where secondary use is necessary, organisations should provide detailed explanations and ensure it aligns with reasonable user expectations.

9. Building Human Oversight and Addressing AI Limitations

• Human Oversight: Human involvement in AI-driven decisions can prevent unintended privacy risks and enhance accountability. This practice is particularly important in high-stakes applications, such as healthcare or finance, where AI outcomes may significantly impact individuals.
• Addressing Generative AI Limitations: Generative AI can produce inaccurate outputs, known as “hallucinations,” which may inadvertently contain personal or sensitive data. Organisations should use disclaimers or watermarks on AI outputs and have human review mechanisms in place to verify the accuracy of AI-generated content.

10. Commitment to Ongoing Privacy Education

• Staff Training: Regularly train staff on AI privacy practices and the unique privacy challenges posed by generative AI. Educating employees on responsible data handling and privacy principles ensures that privacy remains a priority throughout the AI lifecycle.
• Stakeholder Communication: Inform stakeholders, including users and customers, about the organisation’s commitment to responsible AI use. Demonstrating dedication to privacy is not only a regulatory requirement but also a way to build user confidence.

By following these best practices, organisations can mitigate privacy risks associated with AI, particularly generative models. Privacy, trust, and compliance with regulations are foundational to responsible AI deployment, and proactive measures can greatly reduce potential privacy harms. By incorporating these steps into their AI strategy, organisations are better positioned to leverage the advantages of AI while upholding strong privacy standards.

For enterprises navigating this complex landscape, aiUnlocked can assist with tailored guidance on integrating AI responsibly, ensuring both innovation and privacy are prioritised every step of the way. Reach out to aiUnlocked for support in achieving secure, privacy-compliant AI solutions.