Free AI Policy Template · Australian Edition

AI Acceptable Use Policy Template for Australia

A free AI acceptable use policy template localised for Australian organisations: Privacy Act 1988 data rules, the OAIC's guidance on AI and privacy, the Voluntary AI Safety Standard's guardrails, and APRA expectations for regulated entities.

Last updated 3 July 2026

A generic AI policy tells your people to be careful. An Australian AI policy tells them what the Privacy Act 1988 actually requires, what the OAIC has said about putting personal information into generative AI tools, and what happens under the Notifiable Data Breaches scheme when it goes wrong. This page gives you that policy: the same six-section backbone as our global template, with the Australian obligations written into each clause.

It reflects the Privacy Act penalty regime and the 2024 reform tranche, the 10 guardrails of the Voluntary AI Safety Standard, the OAIC's October 2024 guidance on commercially available AI products, and APRA's April 2026 letter to regulated entities. Customise the bracketed placeholders and it is ready to publish.

Looking for the global version? See the global AI acceptable use policy template, which keeps the same backbone without the Australia-specific clauses.
  • AUD 50m: top Privacy Act penalty tier
  • 13: Australian Privacy Principles
  • 10: Voluntary AI Safety Standard guardrails
  • 10 Dec 2026: automated decision-making (ADM) transparency rules commence

What an Australian AI policy has to answer to

Four regulatory drivers shape AI use in Australian organisations. Each one lands somewhere specific in the template below.

The Privacy Act 1988 and its reform programme

The Privacy Act 1988 (Cth) and its 13 Australian Privacy Principles govern how organisations handle personal information, including information typed into or generated by AI tools. Since the December 2022 penalty amendments, a serious or repeated interference with privacy can attract a civil penalty of up to the greater of AUD 50 million, three times the benefit obtained, or 30 per cent of adjusted turnover. The Privacy and Other Legislation Amendment Act 2024, the first tranche of the wider reform programme, added a statutory tort for serious invasions of privacy (from 10 June 2025), new mid-tier and lower-tier civil penalties, and a requirement to disclose substantially automated decisions that significantly affect individuals in privacy policies, which commences on 10 December 2026.

What it means for your policy: Your data rules must treat personal information, as the Privacy Act defines it, as a named prohibited category for unapproved AI tools, and your review schedule needs to track the reform tranches.

The Voluntary AI Safety Standard's 10 guardrails

Published by the Australian Government in September 2024, the Voluntary AI Safety Standard sets out 10 guardrails for organisations deploying AI. It is voluntary and creates no legal obligations, but it is the clearest statement of what good AI governance looks like to Australian regulators and buyers. The guardrails most relevant to an acceptable use policy are guardrail 1 (accountability processes, ownership and training), guardrail 3 (data governance and protection), guardrail 5 (meaningful human oversight), guardrail 6 (informing people about AI-enabled decisions, AI interactions and AI-generated content) and guardrail 9 (keeping records that let others assess your practices).

What it means for your policy: Name a policy owner, require human review of consequential AI-assisted work, require disclosure of AI-generated content where it matters, and keep an inventory of the AI tools in use.

OAIC guidance on AI and privacy

In October 2024 the Office of the Australian Information Commissioner published guidance on privacy and the use of commercially available AI products. The OAIC's position is that Privacy Act obligations apply to personal information entered into AI systems and to personal information in AI output, and that as a matter of best practice organisations should not enter personal information, particularly sensitive information, into publicly available generative AI tools. The guidance also expects organisations to update their privacy policies to reflect AI use (APP 1) and to make sure any use or disclosure of personal information through AI is permitted under APP 6.

What it means for your policy: The OAIC has effectively written your headline data rule for you: no personal information into public generative AI tools. Your policy should say so in exactly those terms.

APRA expectations for regulated entities

APRA's 30 April 2026 letter to industry told banks, insurers and superannuation trustees that existing prudential standards already apply to AI risk, and criticised entities that treat AI as just another technology without operationalising governance. The letter names data leakage and the misuse of AI agents among the changing cyber threats, and APRA has flagged an active supervisory programme with stronger action where AI risks are not adequately managed. Law firm analyses map the expectations to CPS 234, CPS 230, CPS 220 and CPS 510.

What it means for your policy: If you are APRA-regulated, an enforced AI acceptable use policy with evidence behind it is table stakes. Add a sector annex and work through the dedicated checklist below.

APRA-regulated? The letter deserves its own work programme. Our APRA AI governance checklist for CISOs translates each of APRA's four observations into concrete controls, with this policy as the enforcement anchor.

The policy template, localised for Australia

Six sections, ready to customise, with the Australian-edition clauses written into each one. Bracketed [placeholders] are yours to fill in.

This policy sets out how [Organisation Name] permits and restricts the use of artificial intelligence tools at work. It applies to all employees, contractors and third parties who access company systems or handle company information, and it covers standalone AI tools (such as chatbots and coding assistants) as well as AI features embedded in approved software. It is designed to keep our use of AI consistent with the Privacy Act 1988 (Cth), the Australian Privacy Principles, guidance from the Office of the Australian Information Commissioner, and, where applicable, the expectations of sector regulators such as APRA.

Download the editable template (.docx)

The download is the same editable backbone as our global template. Use the Australian clauses on this page to localise each section as you customise it.

Every clause, traced to its Australian driver

Auditors, boards and customers ask why each rule exists. This mapping gives you the answer, clause by clause.

  • Approved tools list and vetting: OAIC guidance on commercially available AI products; Voluntary AI Safety Standard guardrail 1 (accountability) and guardrail 3 (data governance).
  • No personal information in unapproved AI tools: Privacy Act 1988 APPs 6, 8 and 11; OAIC best-practice recommendation against entering personal information into public generative AI tools.
  • Human review of consequential AI-assisted decisions: Voluntary AI Safety Standard guardrail 5 (human oversight); Privacy Act automated decision-making transparency requirement from 10 December 2026.
  • Disclosure of AI-generated content and AI interactions: Voluntary AI Safety Standard guardrail 6 (inform end users); APP 1 transparency expectations in the OAIC's AI guidance.
  • AI tool inventory and usage records: Voluntary AI Safety Standard guardrail 9 (records); APRA's expectation of evidence rather than intentions for regulated entities.
  • Incident reporting for AI data exposure: Notifiable Data Breaches scheme, Part IIIC of the Privacy Act; penalties up to the greater of AUD 50 million, three times the benefit obtained or 30 per cent of adjusted turnover for serious or repeated interference with privacy.

How to customise it for your organisation

Six steps from template to published policy. Most Australian organisations complete them inside a fortnight.

1. Name your organisation, policy owner and privacy officer
   Replace every [bracketed] placeholder. The Privacy Officer contact matters most: the Notifiable Data Breaches scheme rewards fast internal escalation.

2. Build the approved tools appendix with data residency noted
   For each approved tool, record the tier in use, whether a no-training commitment applies, and where data is stored. If your customer contracts or risk appetite require it, prefer vendors offering an Australian (Sydney) region.

3. Map your data classes to Privacy Act categories
   Make sure your internal labels (public, internal, confidential, restricted) explicitly say where personal information and sensitive information sit, so the AI data rules inherit them cleanly.

4. Add a sector annex if you are APRA-regulated
   Banks, insurers and superannuation trustees should tie the policy into their CPS 234 and CPS 230 programmes and board reporting. Use the APRA AI governance checklist as the work programme.

5. Brief staff and collect acknowledgments
   The policy only protects you if staff have seen it. Run a short briefing, collect signed acknowledgments, and keep the records with your training evidence.

6. Diarise the review against the reform timeline
   Put the automated decision-making transparency commencement (10 December 2026) and any further Privacy Act reform tranches on the review calendar now.

A policy is only as good as its enforcement

The OAIC's guidance and APRA's letter share one theme: written rules are not enough. You need to see actual AI usage and stop the data flows the policy prohibits.

See actual usage

  • Discover sanctioned and shadow AI tools in use across the workforce
  • Keep the live AI inventory that guardrail 9 and APRA evidence expectations point to

Enforce the data rules

  • Stop personal information and confidential data reaching unapproved AI tools in real time
  • Coach employees at the moment of a risky prompt instead of after the breach

Keep the data in Australia

  • Aona offers Australian data residency in its Sydney region, alongside six other regions
  • Prompts, uploads and audit logs stay in the region you select at deployment

Australian AI acceptable use policy: common questions

Yes. The Privacy Act does not name AI, but its 13 Australian Privacy Principles apply to personal information wherever it goes, including into prompts and file uploads. The OAIC's October 2024 guidance confirms that entering personal information into an AI tool engages APP 6 (use and disclosure) and that privacy obligations also apply to personal information in AI output. The OAIC recommends, as best practice, that organisations do not enter personal information into publicly available generative AI tools at all. An unauthorised disclosure through an AI tool can also be an eligible data breach under the Notifiable Data Breaches scheme, and serious or repeated interference with privacy carries civil penalties up to the greater of AUD 50 million, three times the benefit obtained, or 30 per cent of adjusted turnover.

Publish the Policy, Then Prove It Works

Aona gives Australian organisations visibility of every AI tool in use, enforces your acceptable use policy at the point of use, and keeps the evidence, with data resident in Sydney.