SecurityPolicy.com.au
Home/ Australia/ AI, Privilege and Method/ Using AI on client data without breaching privilege
Australia AI, Privilege and Method Law Reviewed 2026-07-12

Using AI on Client Data Without Breaching Privilege or Privacy

4
risk layers: privilege, confidentiality, privacy and regulation
23
AFS and credit licensees reviewed in ASIC's AI study
1 Jul 2026
AML/CTF start for newly regulated professional services
Why this guide exists

Australian professionals most often ask whether a paid AI account makes client-data use safe, whether any cloud upload waives privilege, and whether removing names is enough. A high-demand question missing from the fixed 10 is how to verify the actual tenant configuration, subprocessors, data locations, retention settings and human-access pathways rather than relying on a product label.

Can I safely put client data into ChatGPT or Copilot, and what's the risk?

Do not treat a familiar brand, paid account or provider promise as permission to upload client material. Public or consumer AI should be treated as unsuitable for identifiable, confidential, sensitive or privileged client data unless a documented legal, privacy, security and professional review has approved a tightly defined use. An enterprise product can reduce risks through contractual controls, tenant administration, retention settings and no-training defaults, but it does not remove APP 6, APP 8, APP 11, privilege, confidentiality, licensing or professional duties. The safest default is no client data in unapproved tools, with approved use limited to the minimum information required and supported by human review and evidence.

How this differs by situation
  • law firm — Confidentiality and privilege must be assessed before disclosure to any provider, connector, plugin, model host or human reviewer.
  • AFS licensee or authorised representative — Existing licensing, conduct, governance and risk-management obligations continue to apply to AI-assisted advice and operations.
  • mortgage or finance broker — AI does not displace the broker's best-interests, conflict, recordkeeping and responsible-lending responsibilities.
PUT THIS IN YOUR POLICY, EXACTLY

Client information must not be entered into a public, consumer, trial or otherwise unapproved AI service. Use of client information in an approved AI service requires a documented use-case approval covering confidentiality, privilege, privacy, cross-border handling, security, retention, human access, subprocessors, professional obligations and the minimum information necessary.

Does putting privileged material into cloud AI waive legal professional privilege?

It can create a serious waiver risk, but Australian law does not establish that every AI upload automatically waives privilege. Under the Evidence Act 1995, client legal privilege protects qualifying confidential lawyer-client and litigation communications, while section 122 can remove that protection where conduct is inconsistent with maintaining confidentiality, including some knowing and voluntary disclosures. Whether a particular upload is inconsistent conduct depends on facts such as the purpose, service terms, provider and contractor access, retention, reuse, security controls and the client's authorisation. Even if privilege is ultimately preserved, uploading material may still breach the solicitor's separate duty of confidentiality, privacy duties, court obligations or client instructions.

How this differs by situation
  • public or consumer cloud AI — Provider access, reuse, uncertain recipients and consumer terms make privilege and confidentiality risk difficult to justify.
  • approved enterprise cloud AI — Stronger terms and controls can reduce disclosure risk, but the firm must still analyse effective confidentiality and client authority.
  • de-identified privileged substance — Removing names may not remove privilege or confidentiality where facts, strategy, advice or context remain client material.
PUT THIS IN YOUR POLICY, EXACTLY

Privileged or potentially privileged material must not be submitted to any AI system unless the supervising lawyer has documented why confidentiality will be maintained, why the use is consistent with preserving privilege, which recipients can access the material, what the client has authorised, and what court, undertaking, discovery or retention restrictions apply.

What do the Privacy Act (APP 11 and APP 8 cross-border) require?

APP 11 requires a covered entity to take active, reasonable technical and organisational measures to protect personal information and to destroy or de-identify it when it is no longer needed, subject to lawful retention. APP 6 must first permit the AI-related use or disclosure; an existing client relationship or broad privacy-policy wording does not automatically make a new AI purpose permissible. APP 8 applies where personal information is disclosed to an overseas recipient, generally requiring reasonable steps to ensure APP-equivalent handling and potentially making the Australian entity accountable under section 16C. Overseas hosting is not automatically a disclosure if information remains within the Australian entity's effective control, but provider, contractor or subprocessor access can change the analysis.

How this differs by situation
  • APP entity using an overseas AI provider — Assess APP 6 purpose, whether access is a disclosure, APP 8 reasonable steps, section 16C accountability and all exceptions.
  • small business generally exempt from the APPs — Check health, credit, personal-information trading, Commonwealth contract, opt-in and AML/CTF exceptions before relying on the exemption.
  • controlled overseas storage — If the provider cannot access or modify the data and effective control is retained, the arrangement may be a use rather than an APP 8 disclosure.
PUT THIS IN YOUR POLICY, EXACTLY

Before personal information is processed by AI, the Privacy Officer must document the permitted APP 6 purpose, data minimisation, whether any overseas provider or subprocessor receives a disclosure, the APP 8 basis and reasonable steps, section 16C accountability, APP 11 controls, retention and deletion settings, and the evidence supporting those conclusions.

What do my professional and licensing obligations (law society, AFSL, APRA CPS 234, AML/CTF) add?

Professional and licensing duties add requirements that privacy compliance alone does not answer. Solicitors remain responsible for confidentiality, privilege, competence, supervision, independent judgement and accuracy, and professional guidance warns against entering client information into public AI tools. ASIC says existing regulatory obligations apply when AFS and credit licensees use AI; licensees must keep governance and risk management aligned with expanding use, while advisers and brokers remain responsible for the advice, best-interests analysis, conflicts and records. CPS 234 directly binds APRA-regulated entities, not every adviser or broker, but it requires those entities to maintain information-security capability and assess third-party security, which can flow down contractually to service providers. From 1 July 2026, lawyers, accountants and other newly regulated professionals providing designated services must also manage AML/CTF governance, customer due diligence, records, suspicious-matter secrecy and privilege issues.

How this differs by situation
  • solicitor or law practice — AI use remains subject to conduct rules, confidentiality, privilege, supervision, competence, court protocols and client authority.
  • AFS licensee, adviser or credit licensee — AI governance must keep pace with use, and the regulated person remains accountable for conduct, advice, records and consumer outcomes.
  • mortgage or finance broker — The broker's best-interests and conflict duties are not delegated to the model or software provider.
PUT THIS IN YOUR POLICY, EXACTLY

AI does not delegate professional responsibility. The regulated professional remains accountable for confidentiality, privilege, competence, independent judgement, advice, best-interests duties, conflicts, accuracy, recordkeeping, AML/CTF secrecy and all client outcomes. AI output must be independently reviewed by a person authorised and competent to perform the underlying work.

Consumer AI vs enterprise/business AI terms — what actually changes?

Enterprise and business offerings can materially improve the risk position by providing contractual no-training defaults, administrator controls, access restrictions, security commitments, retention options and enterprise support. Current provider statements say OpenAI business data is not used for model training by default, Microsoft does not use Microsoft 365 Copilot prompts, responses or Microsoft Graph data to train foundation models, Google does not use Workspace customer data to train generative AI outside Workspace without permission, and Anthropic does not train on commercial-product data by default. Those are provider statements about defined products and settings, not independent findings that a particular Australian use is lawful, privileged or compliant. Consumer accounts, optional feedback, connectors, custom GPTs or agents, third-party applications and misconfigured enterprise tenants can follow different data pathways, so the exact service, contract and configuration must be recorded.

How this differs by situation
  • consumer ChatGPT, Gemini or Claude account — Consumer terms, training choices, history, feedback and account controls can differ from the provider's enterprise commitments.
  • Microsoft 365 Copilot — Enterprise data protection and tenant permissions reduce risk, but Graph access, plugins, agents, oversharing and retention still require governance.
  • Google Workspace with Gemini — Workspace contractual protections differ from consumer Gemini; administrator settings and connected services remain relevant.
PUT THIS IN YOUR POLICY, EXACTLY

Approval applies to a named product, plan, tenant, region, contract and configuration—not to a brand. The AI Register must record training use, retention, human review, data location, subprocessors, administrator controls, connectors, plugins, agents, feedback settings, deletion rights, incident terms and the date each setting was verified.

How does local / on-device AI change the risk?

Local, on-device or genuinely private AI can reduce disclosure and cross-border risk because prompts and source material may remain within the firm's controlled environment. The OAIC says on-premises and private-cloud approaches may carry fewer privacy risks where they do not result in a secondary disclosure to another entity. The benefit depends on architecture, not marketing: remote telemetry, support access, hosted model calls, cloud embeddings, update services, logs and backups can reintroduce external recipients. Local processing also does not remove APP 11 security, retention, access, accuracy, professional supervision, discovery or privilege requirements. It is a risk-reduction control, not automatic legal clearance.

How this differs by situation
  • fully on-device model with no external calls — Can materially reduce third-party disclosure and cross-border exposure, subject to device security, logs, backups and access controls.
  • on-premises or private-cloud deployment — Assess operator access, tenancy, administration, support, telemetry, backups and whether effective control is genuinely retained.
  • externally operated private instance — Private branding or tenancy does not prevent the operator or subprocessors from being recipients with access.
PUT THIS IN YOUR POLICY, EXACTLY

A system may be classified as local or private only after architecture review confirms where inference, embeddings, storage, logs, telemetry, support, backups and administration occur. Local classification does not waive data-minimisation, access-control, retention, human-review, privilege, confidentiality, privacy or records obligations.

How do I de-identify data so the AI never sees who it belongs to?

De-identification is a contextual risk process, not simply deleting a client's name. The OAIC says information is de-identified only where there is no reasonable likelihood of re-identification in the context in which it will be made available. Remove direct identifiers, then assess indirect identifiers and distinctive combinations such as dates, locations, transaction amounts, employer, matter facts, family structure, rare events, document metadata and free text. Use aggregation, generalisation, masking, tokenisation, synthetic replacements, separation of the re-identification key and technical controls, then test against information the AI provider or a likely recipient could combine with the prompt. Reassess when the dataset, recipient, model connections or available external information changes.

How this differs by situation
  • synthetic drafting example — Replace names, dates, entities, amounts and distinctive facts with invented but structurally equivalent data.
  • financial advice or broking dataset — Account values, suburb, age, employer, property, transaction sequence and family details can identify a client in combination.
  • legal matter — Facts may remain confidential or privileged even when the individual is not reasonably identifiable under privacy law.
PUT THIS IN YOUR POLICY, EXACTLY

Removing names is not de-identification. Before AI use, direct identifiers, indirect identifiers, distinctive facts, metadata and free text must be assessed against the receiving environment and available auxiliary data. The de-identification record must document transformations, re-identification testing, residual confidentiality or privilege, key separation and the date for reassessment.

What must an AI-use policy for a regulated firm contain?

The policy should define approved tools, accounts, tenants, users and use cases, then prohibit client information in all other AI. It needs a data-classification rule covering privileged, confidential, personal, sensitive, AML/CTF, identity and commercially restricted material, plus approval pathways for any exception. It should require provider due diligence, privacy and privilege assessment, cross-border analysis, least-privilege access, retention and deletion controls, human review, source verification, records, incident response, client disclosure or consent where required, supplier governance and periodic reassessment. Technical enforcement matters: browser controls, data-loss prevention, managed identities, connector restrictions, logging and training should support the written rule. The policy should assign an accountable owner and make the supervising professional responsible for every client-facing output.

How this differs by situation
  • law practice — Include privilege, confidentiality, court protocols, client authority, supervision, independent judgement and discovery or record-retention requirements.
  • AFS or credit licensee — Include approved use cases, model risk, consumer harm, advice governance, conflicts, records, monitoring and incident escalation.
  • accounting or AML/CTF practice — Include CDD data, source-of-funds information, suspicious-matter secrecy, privilege and AML/CTF recordkeeping.
PUT THIS IN YOUR POLICY, EXACTLY

Only AI tools, tenants and use cases recorded as Approved in the AI Register may be used for firm work. Privileged, confidential, personal, sensitive, identity, AML/CTF or client-restricted information must not be entered unless the specific use is approved and all required controls are active. A qualified human must verify sources, reasoning, accuracy, completeness and professional suitability before any output is relied upon or provided externally.

The common mistakes and misconceptions?

Common errors are assuming that paid means private, no training means no access or retention, and removing a name means the material is de-identified. Another is treating privilege and privacy as the same test: information can be confidential or privileged without being personal information, and personal information can be unprivileged. Client consent is not a universal cure because professional duties, APP purpose and security requirements, court restrictions, AML/CTF secrecy and licensing duties can still limit the use. Firms also approve a brand rather than a specific product and configuration, overlook plugins and connectors, fail to test outputs, or let staff use AI without preserving records. Finally, a provider's compliance badge or overseas legal term does not establish that the firm's Australian use is appropriate.

How this differs by situation
  • paid or enterprise account — Reduces some risks only where the correct product, contract, settings and controls are verified.
  • provider says data is not used for training — Does not answer retention, human access, support, abuse monitoring, subprocessors, cross-border, privilege or APP 6.
  • client consent obtained — Consent must be informed and specific where relied upon and does not override every professional, court, licensing or security duty.
PUT THIS IN YOUR POLICY, EXACTLY

The following assumptions are prohibited: paid means approved; no training means no disclosure; deletion means no retention; removing names means de-identified; client consent removes every duty; AI output is verified; or approval of one product covers every account, connector, agent, plugin, API and configuration offered under the same brand.

What's my next step?

Common misconceptions

  • A paid or enterprise AI account is automatically approved for privileged and confidential client material. INFERRED
  • Every upload of privileged material to every AI system automatically waives legal professional privilege. INFERRED
  • If privilege is not waived, the upload cannot breach confidentiality, privacy, client instructions or professional duties. VERIFIED
  • A no-training promise means the provider cannot retain, access, review or disclose business data for any reason. VERIFIED
  • Any overseas hosting of personal information is automatically an APP 8 disclosure. VERIFIED
  • Deleting names and contact details is sufficient to de-identify client data. VERIFIED
  • Client consent guarantees that AI use complies with every privacy, privilege, court, licensing and professional obligation. INFERRED
  • CPS 234 directly applies to every financial adviser, mortgage broker, accountant and law firm. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Client legal privilege and duty of confidentiality Australian courts and legal-profession regulators A legal practitioner or client handles confidential communications or documents created for the dominant purpose of legal advice or litigation, or other client-confidential information. Ongoing; assess before disclosure to an AI provider and throughout storage, access, use, litigation and production. Potential loss of privilege, exclusion from protection, professional discipline, court orders, client claims and other consequences depending on the facts.
APP 6 permitted use and disclosure Office of the Australian Information Commissioner A Privacy Act-covered entity uses or discloses personal information through an AI system. Before and during each use or disclosure; the purpose and any exception must be established for the specific AI use. Privacy Act investigation, determinations, enforceable remedies and civil penalties can apply according to the contravention.
APP 8 cross-border disclosure Office of the Australian Information Commissioner An APP entity discloses personal information to an overseas AI provider, contractor, subprocessor or other overseas recipient. Take reasonable steps before disclosure and maintain oversight while the recipient handles the information. The Australian entity may be accountable under section 16C for conduct of the overseas recipient that would breach the APPs, subject to statutory exceptions.
APP 11 security and information lifecycle Office of the Australian Information Commissioner An APP entity holds personal information used by, stored in, accessible to or generated through an AI system. Ongoing; apply reasonable technical and organisational measures and destroy or de-identify information when no longer needed, subject to lawful retention. Privacy Act regulatory action, remedies and civil penalties can apply depending on the nature and seriousness of the interference with privacy.
Solicitor professional duties when using AI State and territory legal-profession regulators and courts A solicitor or law practice uses AI in connection with legal services, client material, advice, drafting, research or litigation. Ongoing; before data entry and before relying on, filing or communicating output. Professional discipline, adverse costs or court orders, negligence or confidentiality claims and other consequences can arise depending on the breach.
AFS and credit-licensee governance and conduct obligations Australian Securities and Investments Commission An AFS or credit licensee, representative, adviser or broker uses AI in regulated operations, advice, credit activity or customer decision-making. Ongoing; governance and risk arrangements must keep pace with adoption and every regulated output remains subject to existing obligations. ASIC supervisory, licensing, civil, administrative and enforcement consequences can apply under the relevant financial-services or credit laws.
CPS 234 information security and third-party capability Australian Prudential Regulation Authority An APRA-regulated entity uses AI itself or relies on a third party that manages information assets relevant to its regulated operations. Ongoing; maintain commensurate capability, evaluate controls and third parties, test effectiveness and meet incident or weakness notification duties. APRA supervisory and enforcement consequences can apply to the regulated entity; service providers can face contractual audit, remediation, notification and termination consequences.
AML/CTF program and client-information handling AUSTRAC and, for connected privacy handling, the Office of the Australian Information Commissioner From 1 July 2026, a lawyer, accountant or other newly regulated business provides a covered designated service. Have the AML/CTF program and compliance arrangements in place before providing the designated service; newly regulated businesses must apply to enrol by 29 July 2026. AML/CTF regulatory and civil consequences can apply; Privacy Act consequences can also apply to covered AML/CTF-connected personal-information handling.

Sources

  1. Guidance on privacy and the use of commercially available AI products primary
  2. GenAI tools in the workplace: balancing protection of personal information and business efficiency primary
  3. Chapter 8: APP 8 Cross-border disclosure of personal information primary
  4. Chapter 11: APP 11 Security of personal information primary
  5. De-identification and the Privacy Act primary
  6. National Health Information Management Conference 2025 keynote primary
  7. Part 4: Notifiable Data Breach scheme primary
  8. Privacy guidance for AML/CTF reporting entities primary
  9. Evidence Act 1995 primary
  10. Artificial intelligence use in the Federal Court of Australia primary
  11. Client legal privilege primary
  12. Statement on the use of artificial intelligence in Australian legal practice primary
  13. A solicitor's guide to responsible use of artificial intelligence primary
  14. REP 798 Beware the gap: Governance arrangements in the face of AI innovation primary
  15. Financial advice update — February 2025 primary
  16. RG 273 Mortgage brokers: Best interests duty primary
  17. CPS 234 Information Security primary
  18. Legal profession program starter kit: Getting started primary
  19. AUSTRAC AI transparency statement primary
  20. Enterprise privacy at OpenAI primary
  21. Enterprise data protection in Microsoft 365 Copilot and Microsoft 365 Copilot Chat primary
  22. Generative AI in Google Workspace privacy and data protection primary
  23. Is commercial product data used for model training? primary
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.