A free AI acceptable use policy template localised for Australian organisations: Privacy Act 1988 data rules, the OAIC's guidance on AI and privacy, the Voluntary AI Safety Standard's guardrails, and APRA expectations for regulated entities.
Last updated 3 July 2026
A generic AI policy tells your people to be careful. An Australian AI policy tells them what the Privacy Act 1988 actually requires, what the OAIC has said about putting personal information into generative AI tools, and what happens under the Notifiable Data Breaches scheme when it goes wrong. This page gives you that policy: the same six-section backbone as our global template, with the Australian obligations written into each clause.
It reflects the Privacy Act penalty regime and the 2024 reform tranche, the 10 guardrails of the Voluntary AI Safety Standard, the OAIC's October 2024 guidance on commercially available AI products, and APRA's April 2026 letter to regulated entities. Customise the bracketed placeholders and it is ready to publish.
Four regulatory drivers shape AI use in Australian organisations. Each one lands somewhere specific in the template below.
The Privacy Act 1988 (Cth) and its 13 Australian Privacy Principles govern how organisations handle personal information, including information typed into or generated by AI tools. Since the December 2022 penalty amendments, a serious or repeated interference with privacy can attract a civil penalty of up to the greater of AUD 50 million, three times the benefit obtained, or 30 per cent of adjusted turnover. The Privacy and Other Legislation Amendment Act 2024, the first tranche of the wider reform programme, added a statutory tort for serious invasions of privacy (from 10 June 2025), new mid-tier and lower-tier civil penalties, and a requirement to disclose substantially automated decisions that significantly affect individuals in privacy policies, which commences on 10 December 2026.
What it means for your policy: Your data rules must treat personal information, as the Privacy Act defines it, as a named prohibited category for unapproved AI tools, and your review schedule needs to track the reform tranches.
Published by the Australian Government in September 2024, the Voluntary AI Safety Standard sets out 10 guardrails for organisations deploying AI. It is voluntary and creates no legal obligations, but it is the clearest statement of what good AI governance looks like to Australian regulators and buyers. The guardrails most relevant to an acceptable use policy are guardrail 1 (accountability processes, ownership and training), guardrail 3 (data governance and protection), guardrail 5 (meaningful human oversight), guardrail 6 (informing people about AI-enabled decisions, AI interactions and AI-generated content) and guardrail 9 (keeping records that let others assess your practices).
What it means for your policy: Name a policy owner, require human review of consequential AI-assisted work, require disclosure of AI-generated content where it matters, and keep an inventory of the AI tools in use.
In October 2024 the Office of the Australian Information Commissioner published guidance on privacy and the use of commercially available AI products. The OAIC's position is that Privacy Act obligations apply to personal information entered into AI systems and to personal information in AI output, and that as a matter of best practice organisations should not enter personal information, particularly sensitive information, into publicly available generative AI tools. The guidance also expects organisations to update their privacy policies to reflect AI use (APP 1) and to make sure any use or disclosure of personal information through AI is permitted under APP 6.
What it means for your policy: The OAIC has effectively written your headline data rule for you: no personal information into public generative AI tools. Your policy should say so in exactly those terms.
APRA's 30 April 2026 letter to industry told banks, insurers and superannuation trustees that existing prudential standards already apply to AI risk, and criticised entities that treat AI as just another technology without operationalising governance. The letter names data leakage and the misuse of AI agents among the changing cyber threats, and APRA has flagged an active supervisory programme with stronger action where AI risks are not adequately managed. Law firm analyses map the expectations to CPS 234, CPS 230, CPS 220 and CPS 510.
What it means for your policy: If you are APRA-regulated, an enforced AI acceptable use policy with evidence behind it is table stakes. Add a sector annex and work through the dedicated checklist below.
APRA-regulated? The letter deserves its own work programme. Our APRA AI governance checklist for CISOs translates each of APRA's four observations into concrete controls, with this policy as the enforcement anchor.
Six sections, ready to customise. Bracketed [placeholders] are yours to fill in.
This policy sets out how [Organisation Name] permits and restricts the use of artificial intelligence tools at work. It applies to all employees, contractors and third parties who access company systems or handle company information, and it covers standalone AI tools (such as chatbots and coding assistants) as well as AI features embedded in approved software. It is designed to keep our use of AI consistent with the Privacy Act 1988 (Cth), the Australian Privacy Principles, guidance from the Office of the Australian Information Commissioner, and, where applicable, the expectations of sector regulators such as APRA.
The download is the same editable backbone as our global template. Use the Australian clauses on this page to localise each section as you customise it.
Auditors, boards and customers ask why each rule exists. This mapping gives you the answer, clause by clause.
Six steps from template to published policy. Most Australian organisations complete them inside a fortnight.
The OAIC's guidance and APRA's letter share one theme: written rules are not enough. You need to see actual AI usage and stop the data flows the policy prohibits.
Aona gives Australian organisations visibility of every AI tool in use, enforces your acceptable use policy at the point of use, and keeps the evidence, with data resident in Sydney.