The Office of the Privacy Commissioner (OPC) has released updated guidance for organisations using, or considering using, artificial intelligence (AI) tools in New Zealand. It includes guidance on the application of the 13 Information Privacy Principles (IPPs) in the Privacy Act 2020 (Privacy Act) to AI tools.
You can access the guidance here.
The OPC's latest guidance builds on its guidance on generative AI tools, which it published in May 2023. You can read our article on that guidance here.
OPC guidance on the IPPs
Generally, organisations using AI tools must comply with their statutory obligations under the Privacy Act, including the 13 IPPs. The OPC recommends that organisations looking to use AI tools consider the privacy impacts early and take meaningful steps to ensure AI tools are used in compliance with the Privacy Act.
The IPPs set out how organisations must handle personal information and apply to the development and use of AI tools in New Zealand. They also apply where overseas organisations provide AI tools for use in New Zealand. The OPC sets out some key questions for organisations to consider in relation to the use of AI tools and gives practical guidance to help organisations comply with the IPPs.
For example, organisations should:
- think carefully about why they are collecting personal information, and how it will be used in relation to the AI tool;
- be careful about relying on the exception for "publicly available" information in relation to the data used to train an AI tool, as this may have been obtained illegally;
- if information will be used to train an AI tool, explain this clearly and consider offering a chance to opt out from this use of information;
- proactively consider how to manage data leakage and other security risks;
- consider investigating the training process behind an AI tool to understand whether the data will be accurate, reliable and appropriate for use in New Zealand; and
- develop processes for human review of automated decisions that have direct impacts on outcomes for people.
A full set of questions and guidance for organisations to consider in respect of the IPPs is set out in the guidance.
Te Ao Māori perspectives
In addition to ensuring compliance with the IPPs, the OPC recommends that organisations consider Māori perspectives on privacy and engage proactively with Māori to address concerns such as:
- bias in systems that means they do not work accurately for Māori;
- collection of Māori information without first establishing trust; and
- exclusion from processes and decisions in relation to the development and adoption of AI tools that affect Māori.
Next steps
The OPC will continue to monitor developments in the use of AI tools and their privacy impacts, and plans to update the guidance over time. The OPC has invited discussion about AI and privacy generally, and particular use-cases in New Zealand, at [email protected].