Risk · Feb 2026 · 8 min

Data privacy and AI: what every operator needs to know

A short, plain-language explanation of how to deploy AI without leaking customer data — written for operators, not lawyers.

If you're deploying AI in a $1M–$50M business in Australia, you have privacy obligations under the Privacy Act, plus industry-specific rules if you're in health, finance, or education. Most of this is manageable. None of it is optional.

The basics

When you put data into an AI model, that data goes somewhere — usually to a third-party provider, sometimes to a sub-processor, occasionally to a model that gets retrained on it. You need to know exactly where it goes, what is done with it, and how long it is kept.

Six questions to ask any AI vendor

  1. Where is the data physically stored? Australia, US, EU?
  2. Who else can see it? List every sub-processor.
  3. Is my data used to train your models, or anyone else's?
  4. How long is data retained, and is there a deletion path on request?
  5. Do you have a Data Processing Agreement compliant with Australian Privacy Principles?
  6. What happens if there's a breach — what's your notification SLA?

If a vendor can't answer all six clearly, walk away. We can answer all six in writing.

Industry-specific rules

  • Allied health: Privacy Act + your professional body's code (psychology, physio, etc.). Audio of clinical sessions is sensitive.
  • Real estate: Privacy Act + relevant state property law. Vendor and buyer details are sensitive.
  • Finance / mortgage broking: Privacy Act + Credit Reporting Code + AFSL obligations.
  • Education: Privacy Act + state-level education-data rules + child-safety obligations.

AI privacy isn't optional. It's a standard cost of doing this properly.

How we handle it

Default Australian or your-region data residency. No data ever used to train public models. Audit logs of every model call kept for the duration of your engagement plus 7 years. DPA in plain English. We document it all in your SOW. We've never had a breach. If we did, you'd know inside 4 hours.

— Aaron Manton, AI Operator Club