Why This Matters
This session is the one that decides whether your organisation is glad you took this course or regrets it. Everything else we've covered is "how do I use AI well". This is "how do I use AI without causing a problem".
The risks are real but not mystical. They come down to four things: what data you feed in, who has rights over that data, whether your output is accurate, and whether you can show what you did if someone asks.
Responsible AI use is not a separate skill. It's the discipline that makes the rest of the skill worth having.
Nothing in this session is legal advice. Your organisation will have specific policies that override anything here. Check them. When you're unsure, ask. The baseline is: if you can't confidently say what you put into AI and where it went, slow down until you can.
What You Can and Can't Put Into AI
The core rule from the AI Foundations session, rephrased for decision-making. The tool matters. Microsoft 365 Copilot (paid, inside Word, Excel, Outlook, Teams) keeps content inside your organisation's tenant. Free ChatGPT, Claude, Gemini, Perplexity do not.
- Microsoft 365 Copilot with your work files and emails, if your organisation has turned it on.
- Free consumer AI tools for your own writing, general research, learning, personal drafts.
- Free consumer tools with work content that's already public (media releases, published reports, public policy).
- Free consumer tools with anonymised or fictional data.
- Free consumer AI with confidential documents, internal drafts, or sensitive correspondence.
- Any AI tool with personal information about individuals who haven't agreed.
- Any AI tool with culturally-held community information unless you have clear permission.
- Any AI tool with classified or security-marked material (this is never OK).
- Any AI tool for the final decision on something that requires human judgement or statutory authority.
Ask yourself: "Would I be comfortable if this content were read by a stranger working for the tool's parent company?" If yes, paste away. If no, either use Copilot inside your tenant, or rework the content (anonymise, remove specifics) before you share it with a consumer tool.
Personal and Sensitive Information
Australian privacy law is built around the idea that personal information belongs to the person it's about, and using it without their consent is a problem. The Privacy Act, the Australian Privacy Principles, and NT Government information management standards all point in the same direction: handle personal information with care, and don't pipe it into systems the person hasn't agreed to.
What counts as personal information, in the AI context:
- Names combined with enough other detail to identify someone (role, location, circumstances).
- Case notes, client records, service interactions.
- Health information, financial details, family details.
- Dates of birth, addresses, tax file numbers, Medicare numbers, any government identifier.
- Photos or voice recordings of identifiable people.
Don't paste other people's personal information into free AI tools. Ever. Even if the task is innocent (summarise these case notes, translate this letter), the data leaves your tenant. There's no taking it back.
Use Microsoft 365 Copilot, which is covered by your organisation's Microsoft agreement and stays inside the tenant. Or anonymise before pasting: replace names with "[Client A]", addresses with "[suburb]", dates with "[recent]". The AI can still do the task, you haven't shipped the individual's details anywhere.
If personal information about identifiable individuals ends up in an AI tool where it shouldn't be, that may be a data breach under the Notifiable Data Breaches scheme. Your organisation has a process for this. Tell your manager or privacy officer immediately. Trying to quietly fix it on your own makes the problem worse.
Culturally Held and Community Information
In the NT, working with Aboriginal and Torres Strait Islander communities is part of many government and community roles. Some information held by communities is culturally significant, restricted by gender, age, or relationship, or governed by Indigenous Cultural and Intellectual Property (ICIP) protocols. Feeding that information into an AI tool is not a neutral act.
If you're unsure whether a document, story, photo, or piece of language is something that belongs to a community rather than to your organisation, ask before putting it into any AI tool. This is true of consumer tools and Copilot both. The question is about rights in the content, not the technology.
ICIP in plain terms
Indigenous Cultural and Intellectual Property refers to the heritage, knowledge, stories, language, and cultural expressions of Aboriginal and Torres Strait Islander peoples. Unlike Western copyright, ICIP can be held by communities rather than individuals, and doesn't expire. "I got this from a publicly-available PDF" is not the same as "I have permission to use it".
Data sovereignty
A related principle: Indigenous data sovereignty, the idea that Indigenous peoples have the right to govern how data about their communities is collected, stored, and used. Putting such data into AI tools hosted overseas, with unclear retention and use, undermines that principle even if no specific policy is breached.
If there's any chance the material is culturally held, the right move is to ask the community or the relevant cultural authority before using it. This is slower than pasting, and it's the only way to work respectfully. No AI workflow is worth getting this wrong.
NT Government and Organisational Policies
The final word on what's OK at your desk comes from your employer, not this course. Most NT organisations have (or are actively writing) policies covering AI use, information security, acceptable use, privacy, and records management.
Find these this week
- Your organisation's AI or generative AI use policy, if one exists.
- The acceptable use policy for workplace IT systems.
- The information security and classification policy (does your org mark documents "For Official Use Only", "Sensitive", or with a classification? What are the rules around each?).
- The privacy policy and the process for notifying a suspected privacy breach.
- The records management policy (some AI outputs may themselves be records that need to be kept).
- Your org's current Microsoft 365 Copilot licensing, and whether it's been rolled out to you.
"I couldn't find the policy so I assumed X" is a weak position. If your organisation hasn't yet written clear AI guidance, ask your manager or IT team for a steer on the specific use case you have in mind. Get the answer in writing (email or Teams). That's your cover.
Australia's AI Ethics Principles
The Australian Government published eight voluntary AI Ethics Principles in 2019, and a Voluntary AI Safety Standard in 2024. They aren't laws, but they're the frame NT Government and federal agencies are increasingly aligning to. Worth knowing, if only so you recognise the language when it appears in policy documents.
The eight principles, in brief
- Human, societal and environmental wellbeing. AI should benefit people, society, and the environment.
- Human-centred values. AI should respect human rights, diversity, and the autonomy of individuals.
- Fairness. AI should be inclusive and accessible, and shouldn't discriminate unfairly.
- Privacy protection and security. AI should respect privacy and protect data.
- Reliability and safety. AI should operate reliably, as intended.
- Transparency and explainability. People should know when AI is being used and be able to understand outcomes.
- Contestability. People should be able to challenge the use or outcome of an AI system.
- Accountability. People responsible for AI systems should be identifiable and accountable.
As a user rather than a developer, you're mostly interacting with principles 4 (privacy), 6 (transparency, don't hide the fact that you used AI), 7 (contestability, the final decisions should be human), and 8 (accountability, your signature, your responsibility).
Shadow AI
"Shadow AI" is the term for AI use that happens outside organisational sanction, staff using personal ChatGPT accounts on their phones for work tasks, signing up to free tools with their work email, or pasting documents into whatever tool's been trending on social media. It's common. It's understandable. It's also risky.
Shadow AI isn't bad people doing bad things. It's good people trying to get work done with tools that arrived faster than policy.
Why it matters:
- Work data goes to systems your organisation has no agreement with.
- Nobody knows what's been shared, so nobody can respond if there's a breach or a subject access request.
- The "I didn't know that wasn't allowed" defence gets weaker the longer policies exist.
- Your organisation can't support what it can't see.
Use sanctioned tools for work. Advocate for better tools if the sanctioned ones don't cover what you need. Don't run a private AI practice at work and hope nobody notices. If there's a genuine gap between what policy allows and what the job requires, raise it, don't work around it.
Attribution and Record-Keeping
The question of whether to say "I used AI" on a piece of work is context-dependent. Policy is still catching up. The principles that do seem to hold:
Disclosure builds trust
If the audience would reasonably want to know an AI was involved in the drafting, say so. A short line in a report ("generative AI was used for initial drafting; final content is the author's responsibility") is low-cost and protects against the "why didn't you tell me" conversation later.
Some outputs don't need disclosure
Using AI to proofread your email doesn't need a disclosure line, any more than using spellcheck does. Using AI to draft a policy recommendation probably does. The line is somewhere around "did the AI meaningfully shape the content or just help with expression".
Record what you did, for yourself
A small habit: for any significant piece of AI-assisted work, keep a short note of what tool you used, what you asked for, and what you verified. A two-line note in the document's metadata or a project journal is enough. You'll thank yourself if anyone ever asks.
Outputs may be records
If AI helps draft a final document, briefing, or decision, the output may itself be a record under your organisation's records management policy. It follows the same rules as any other document, storage, retention, destruction. Not a separate category.
Course Takeaways
The short version of this course, condensed to what to actually carry back to the office.
What to take back to the desk
- Your M365 environment is a set of tools that work best together. Files belong in OneDrive and SharePoint, not attached to emails. Collaboration belongs in Teams channels, not private chats that disappear.
- Word, Excel and PowerPoint are more useful when you use styles, Tables, and structured data. That structure also makes Copilot dramatically more useful.
- Copilot is a tool that reads your work and helps with it. Free consumer AI tools are for everything outside your tenant. Know which is which.
- Prompting is writing clearly to a capable colleague. Context, tone, length, and iteration do more than clever phrases.
- The biggest AI wins are recurring workflows: email triage, meeting recap, research synthesis, report drafting, policy translation. Pick one, build the habit, then add the next.
- Responsible use is inseparable from skilled use. Know what's safe to paste where. Keep the human in the loop. Check your organisation's policies, not the internet's advice. When unsure, ask before you act.
This course doesn't make you an AI expert. It gives you a working foundation and the good habits to build on. That's enough.
References and Further Reading
Canonical sources for anything policy-related in this session. When you need to quote something in a meeting, these are the pages to point at.
- Australia's AI Ethics Principles (Department of Industry, Science and Resources): industry.gov.au/publications/australias-artificial-intelligence-ethics-principles
- Voluntary AI Safety Standard: industry.gov.au/publications/voluntary-ai-safety-standard
- Office of the Australian Information Commissioner (privacy guidance): oaic.gov.au
- Australian Privacy Principles: oaic.gov.au/privacy/australian-privacy-principles
- Notifiable Data Breaches scheme: oaic.gov.au/privacy/notifiable-data-breaches
- Australian Signals Directorate, Cyber Security Centre: cyber.gov.au
- NT Digital (NT Government digital policy hub): digital.nt.gov.au
- AIATSIS, ICIP and Indigenous data sovereignty resources: aiatsis.gov.au
- Microsoft 365 Copilot data protection: learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy
Nothing in this session is legal advice. Check your organisation's policies, and when a specific situation matters, ask the appropriate person inside your organisation (manager, privacy officer, IT security) before acting.