AI Security Part 3: Why PII and the Privacy Act Are the AI Foundation Most Leaders Skip
カートのアイテムが多すぎます
カートに追加できませんでした。
ウィッシュリストに追加できませんでした。
ほしい物リストの削除に失敗しました。
ポッドキャストのフォローに失敗しました
ポッドキャストのフォロー解除に失敗しました
-
ナレーター:
-
著者:
You can have the most secure AI stack in the country and still be in breach of the Privacy Act before lunch.
Sarah and James close the series with the foundation underneath the foundation: personal information. James, now grounded on the security side, opens with a healthy push-back — surely if we own the data, we can use it however we want? Sarah, with the OAIC determinations in hand, takes that apart.
What we cover
APP 6 and purpose-binding: under Australia’s Privacy Act 1988, personal information collected for one purpose generally cannot be used for another. AI training, inference, and agent actions are all “uses,” yet most organisations haven’t mapped AI use cases to APP 6.
The 2024 amendments: the Privacy and Other Legislation Amendment Act introduced a statutory tort for serious privacy invasions, a children’s privacy code, and stronger OAIC enforcement, including AUD $66,000 infringement notices.
OAIC determinations: cases like Clearview AI, Bunnings/Kmart (facial recognition), and I-MED (patient data shared for AI training). I-MED’s de-identification was accepted, but it became a key APP 6 risk example.
The bank scenario: three walkthroughs — inference drift, indirect prompt injection, and multi-agent purpose laundering — showing how compliant data becomes non-compliant AI use.
Recommended controls: purpose registers, consent provenance, retrieval scoping, agent identity, and Meta’s “Agents Rule of Two.”
Sources
Privacy Act 1988: https://www.legislation.gov.au/C2004A03712/latest/text
Privacy and Other Legislation Amendment Act 2024: https://www.legislation.gov.au/C2024A00128/asmade
Australian Privacy Principles (OAIC): https://www.oaic.gov.au/privacy/australian-privacy-principles
OAIC — Clearview AI determination (PDF): https://www.oaic.gov.au/__data/assets/pdf_file/0016/11284/Commissioner-initiated-investigation-into-Clearview-AI,-Inc.-Privacy-2021-AICmr-54-14-October-2021.pdf
OAIC — Bunnings determination: https://www.oaic.gov.au/news/media-centre/bunnings-breached-australians-privacy-with-facial-recognition-tool
OAIC — Kmart determination: https://www.oaic.gov.au/news/media-centre/18-kmarts-use-of-facial-recognition-to-tackle-refund-fraud-unlawful,-privacy-commissioner-finds
OAIC — I-MED preliminary inquiries report: https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/Investigation-inquiry-reports/report-into-preliminary-inquiries-of-i-med
EU AI Act overview: https://artificialintelligenceact.eu/
California ADMT — CPPA announcement: https://cppa.ca.gov/announcements/2025/20250923.html
Meta — Agents Rule of Two: https://ai.meta.com/blog/practical-ai-agent-security/
NIST AI RMF: https://www.nist.gov/itl/ai-risk-management-framework
Send us Feedback