Privacy and GenAI

Make sure your privacy approach to generative artificial intelligence (GenAI) meets data-protection rules and legislation, respecting people’s information.

Privacy by design is vital when using GenAI

The Privacy Act applies to GenAI as it does to any other technology. However, there are additional issues for GenAI that you need to consider.

GenAI can process personal data at all stages and can generate outputs that contain personal data, including sensitive personal data. Use privacy impact assessments (PIAs) for any testing or use of GenAI. This helps you identify and manage privacy risks. Undertake a robust risk assessment at all stages when considering using personal information in public GenAI systems.

What to cover in your privacy approach to GenAI

Building by design is a key guardrail. Apply privacy-by-design principles to help build trust in GenAI systems — make sure they respect:

  • compliance with data-protection rules and legislation
  • transparency about why and how they’re being used
  • people’s privacy
  • limiting the risks of privacy breaches.

Actively govern and manage for the identified risks and seek support from your privacy and legal teams at all stages.

Commit to best-practice for privacy with GenAI

Some AI systems allow you to apply sensitivity labels based on the data included in outputs. These can control what content is pasted.

Classify information

Other points to follow for privacy and GenAI

Make sure the people in your organisation are trained to:

  • classify information properly
  • know what can and cannot be used with GenAI systems.

Check the information you’re using can be made public or if it already is

When submitting government information into a public GenAI system, the information must either already be public or be acceptable to make public.

Do risk assessments at all stages when using personal information

Undertake a robust risk assessment at all stages when considering using personal information in public GenAI systems.

The privacy impacts of using these systems may not be obvious, including whether information is used for training models, unintended sharing of information, or enabling a person to be re-identified when data points are combined. Refer to the Privacy Commissioner’s guidance on using personal information in GenAI systems.

Example scenario of privacy and GenAI

You’re creating a report and think using a GenAI system could save some time.

Before using the system, you first check if the use aligns with your agency’s GenAI policy and check with your agency’s responsible official as you’re not sure.

You learn you must not upload or input any personal information into the public GenAI system. However, you can enter publicly available information or ask for a report template. You’re able to use GenAI to suggest a framework for your report, which saves you some time.

You also record your use in the appropriate publicly published register to maintain transparency.

More information — GenAI privacy

Data.govt.nz has guidance for anyone who works directly with service users or communities.

Data Protection and Use Policy — Data.govt.nz

The Office of the Privacy Commissioner explains how privacy is a starting point for responsibly using AI systems.

Artificial intelligence and the Information Privacy Principles — Privacy Commissioner
