
AI and Confidential Information: What Employment and Contractor Contracts Must Address

by Mar 4, 2026

AI tools are now embedded in everyday business across Australia. People use them to draft emails, prepare content, summarise meetings, generate ideas, and support marketing, administration and client work.

The real legal risk with AI is not who owns the output. Copyright in work produced by employees is owned by the employer under relevant laws. Under a properly drafted contractor agreement, ownership of work is already assigned to the business through a copyright assignment or intellectual property clause.

The bigger issue is protecting the privacy and integrity of information that goes into the AI tool being used.

When confidential, personal or sensitive business information is entered into AI platforms without safeguards, businesses can expose themselves to serious confidentiality and privacy risk under Australian law. 

If your team is using AI, your employment contracts, policies, procedures and contractor agreements should each clearly address the rules around using AI within your business.

1. The real risk: confidential and sensitive information

AI systems generate responses based on the data they are trained on and the prompts they receive. Free access systems like ChatGPT will automatically “consume” every piece of information input into the system and use that information, and your responses to its output, as part of their learning processes. What this means for your business is that any information input to the AI is now potentially output for someone else’s query.

If staff or contractors input client information, financial records, personal data or commercially sensitive details, that information may be retained or processed in ways that create legal risk.

For professional service firms and other businesses collecting personal information, this could breach Australian privacy law requirements and any contractual confidentiality or fiduciary obligations.

The issue is not that AI exists. The issue is using AI without boundaries.

Businesses should clearly define in their contracts and internal policies:

  • What AI platforms can be used – some firms are developing their own
  • What settings must be activated for the approved AI platform so that information is not used for machine learning and not accessible outside your organisation
  • What functions can be carried out using AI tools
  • What information can and cannot be entered into AI tools
  • When anonymisation is required
  • The importance of verifying AI output 

These boundaries should not be informal. They should be documented in employment contracts, contractor agreements and internal AI policies.

2. Employment contracts and workplace policies

For employers, aligning AI usage standards with existing employment law and privacy compliance frameworks is critical.

From an employment law perspective, AI use should be addressed in:

  • Employment contracts
  • Confidentiality agreements
  • Workplace policies and procedures

Employees should understand:

  • Whether AI tools are permitted in performing their duties
  • What AI tools they are permitted to use for their work
  • What client or internal information cannot be entered
  • The consequences of misuse of AI tools
  • The consequences of breaching confidentiality or privacy obligations

Clear policies reduce risk and protect both the business and the employee. Having the policy without also educating your team about it is not enough. You must be able to demonstrate that your workforce knows the policies exist and understands its obligations.

3. Contractor and subcontractor agreements

While ownership of work is usually already covered through intellectual property clauses or copyright assignment provisions, confidentiality and privacy protections must also reflect modern AI use.

If you engage contractors or subcontractors, your contractor agreement should include:

  • A requirement to disclose AI use and the AI platform or tools used
  • Warranties that any AI output has been verified for correctness
  • Confidentiality obligations that expressly apply to AI use
  • Requirements to anonymise information before using AI
  • Restrictions on entering client or business data into AI tools without express authority
  • Data handling and security standards

This is especially important where contractors are handling client data or commercially sensitive information about your business.

4. Client-facing service agreements and privacy policies

Do your clients know you use AI in your business? Depending on your industry, you may assume that your clients expect that there is some use of AI in your business. However, it is unlikely that your clients have turned their minds to how that might impact them – yet. The more AI is discussed, the more aware people become, and suddenly you have questions about how client data is used. 

If your business provides services and uses AI internally, you should also consider:

  • Whether your service agreement needs to include a disclosure about AI use within your business
  • How your business is protecting confidentiality when AI tools are involved
  • Whether your business is using AI-assisted processing of personal information
  • What additional disclosures should be included in your privacy policy

5. A practical AI governance framework

You do not need complex documentation to start.

A simple three-layer approach works well:

  1. An internal AI usage policy for staff and contractors
  2. Updated clauses in employment contracts and contractor agreements covering privacy, confidentiality and AI use
  3. A review process for work involving client information that may be considered high risk, such as in health services and financial services.

AI is here to stay. Businesses do not need to avoid it. You simply need to control and monitor how it is used through clear contracts and policies.

If your staff or contractors are using AI in client or internal work, it may be time to review your employment contracts, contractor agreements, service agreements, privacy policies and confidentiality clauses to ensure they each reflect the way your business uses AI, the impact that may have on client data and what you are doing to protect client data.

If you would like to review your agreements or update your AI governance framework, please get started by booking a Short Advice Session with one of our team.