ntworld.ink
Digital Literacy: Workplace Skills

Responsible Use, Privacy & Policy

What you should and shouldn't put into AI tools, how to align with NT Government and organisational policies, how culturally held information fits in, shadow AI, attribution, and the takeaways to carry back to the office.

STRAND · Working with AI LEVEL · Beginner-friendly FORMAT · Hands-on session
// why this matters

Why This Matters

This session is the one that decides whether your organisation is glad you took this course or regrets it. Everything else we've covered is "how do I use AI well". This is "how do I use AI without causing a problem".

The risks are real but not mystical. They come down to four things: what data you feed in, who has rights over that data, whether your output is accurate, and whether you can show what you did if someone asks.

Responsible AI use is not a separate skill. It's the discipline that makes the rest of the skill worth having.

Nothing in this session is legal advice. Your organisation will have specific policies that override anything here. Check them. When you're unsure, ask. The baseline is: if you can't confidently say what you put into AI and where it went, slow down until you can.

// what goes where

What You Can and Can't Put Into AI

The core rule from the AI Foundations session, rephrased for decision-making. The tool matters. Microsoft 365 Copilot (paid, inside Word, Excel, Outlook, Teams) keeps content inside your organisation's tenant. Free ChatGPT, Claude, Gemini, Perplexity do not.

// Generally fine to use
  • Microsoft 365 Copilot with your work files and emails, if your organisation has turned it on.
  • Free consumer AI tools for your own writing, general research, learning, personal drafts.
  • Free consumer tools with work content that's already public (media releases, published reports, public policy).
  • Free consumer tools with anonymised or fictional data.
// Don't use for this
  • Free consumer AI with confidential documents, internal drafts, or sensitive correspondence.
  • Any AI tool with personal information about individuals who haven't agreed.
  • Any AI tool with culturally-held community information unless you have clear permission.
  • Any AI tool with classified or security-marked material (this is never OK).
  • Any AI tool for the final decision on something that requires human judgement or statutory authority.
A working test before you paste

Ask yourself: "Would I be comfortable if this content were read by a stranger working for the tool's parent company?" If yes, paste away. If no, either use Copilot inside your tenant, or rework the content (anonymise, remove specifics) before you share it with a consumer tool.

// privacy

Personal and Sensitive Information

Australian privacy law is built around the idea that personal information belongs to the person it's about, and using it without their consent is a problem. The Privacy Act, the Australian Privacy Principles, and NT Government information management standards all point in the same direction: handle personal information with care, and don't pipe it into systems the person hasn't agreed to.

What counts as personal information, in the AI context:

The simplest rule

Don't paste other people's personal information into free AI tools. Ever. Even if the task is innocent (summarise these case notes, translate this letter), the data leaves your tenant. There's no taking it back.

What to do instead

Use Microsoft 365 Copilot, which is covered by your organisation's Microsoft agreement and stays inside the tenant. Or anonymise before pasting: replace names with "[Client A]", addresses with "[suburb]", dates with "[recent]". The AI can still do the task, you haven't shipped the individual's details anywhere.

A breach is a notifiable event

If personal information about identifiable individuals ends up in an AI tool where it shouldn't be, that may be a data breach under the Notifiable Data Breaches scheme. Your organisation has a process for this. Tell your manager or privacy officer immediately. Trying to quietly fix it on your own makes the problem worse.

// cultural care

Culturally Held and Community Information

In the NT, working with Aboriginal and Torres Strait Islander communities is part of many government and community roles. Some information held by communities is culturally significant, restricted by gender, age, or relationship, or governed by Indigenous Cultural and Intellectual Property (ICIP) protocols. Feeding that information into an AI tool is not a neutral act.

Default to "ask, don't assume"

If you're unsure whether a document, story, photo, or piece of language is something that belongs to a community rather than to your organisation, ask before putting it into any AI tool. This is true of consumer tools and Copilot both. The question is about rights in the content, not the technology.

ICIP in plain terms

Indigenous Cultural and Intellectual Property refers to the heritage, knowledge, stories, language, and cultural expressions of Aboriginal and Torres Strait Islander peoples. Unlike Western copyright, ICIP can be held by communities rather than individuals, and doesn't expire. "I got this from a publicly-available PDF" is not the same as "I have permission to use it".

Data sovereignty

A related principle: Indigenous data sovereignty, the idea that Indigenous peoples have the right to govern how data about their communities is collected, stored, and used. Putting such data into AI tools hosted overseas, with unclear retention and use, undermines that principle even if no specific policy is breached.

When in doubt, don't paste

If there's any chance the material is culturally held, the right move is to ask the community or the relevant cultural authority before using it. This is slower than pasting, and it's the only way to work respectfully. No AI workflow is worth getting this wrong.

// policy

NT Government and Organisational Policies

The final word on what's OK at your desk comes from your employer, not this course. Most NT organisations have (or are actively writing) policies covering AI use, information security, acceptable use, privacy, and records management.

Find these this week

If you can't find a policy, don't invent one

"I couldn't find the policy so I assumed X" is a weak position. If your organisation hasn't yet written clear AI guidance, ask your manager or IT team for a steer on the specific use case you have in mind. Get the answer in writing (email or Teams). That's your cover.

// ethics principles

Australia's AI Ethics Principles

The Australian Government published eight voluntary AI Ethics Principles in 2019, and a Voluntary AI Safety Standard in 2024. They aren't laws, but they're the frame NT Government and federal agencies are increasingly aligning to. Worth knowing, if only so you recognise the language when it appears in policy documents.

The eight principles, in brief

As a user rather than a developer, you're mostly interacting with principles 4 (privacy), 6 (transparency, don't hide the fact that you used AI), 7 (contestability, the final decisions should be human), and 8 (accountability, your signature, your responsibility).

// shadow ai

Shadow AI

"Shadow AI" is the term for AI use that happens outside organisational sanction, staff using personal ChatGPT accounts on their phones for work tasks, signing up to free tools with their work email, or pasting documents into whatever tool's been trending on social media. It's common. It's understandable. It's also risky.

Shadow AI isn't bad people doing bad things. It's good people trying to get work done with tools that arrived faster than policy.

Why it matters:

The reasonable stance

Use sanctioned tools for work. Advocate for better tools if the sanctioned ones don't cover what you need. Don't run a private AI practice at work and hope nobody notices. If there's a genuine gap between what policy allows and what the job requires, raise it, don't work around it.

// attribution

Attribution and Record-Keeping

The question of whether to say "I used AI" on a piece of work is context-dependent. Policy is still catching up. The principles that do seem to hold:

Disclosure builds trust

If the audience would reasonably want to know an AI was involved in the drafting, say so. A short line in a report ("generative AI was used for initial drafting; final content is the author's responsibility") is low-cost and protects against the "why didn't you tell me" conversation later.

Some outputs don't need disclosure

Using AI to proofread your email doesn't need a disclosure line, any more than using spellcheck does. Using AI to draft a policy recommendation probably does. The line is somewhere around "did the AI meaningfully shape the content or just help with expression".

Record what you did, for yourself

A small habit: for any significant piece of AI-assisted work, keep a short note of what tool you used, what you asked for, and what you verified. A two-line note in the document's metadata or a project journal is enough. You'll thank yourself if anyone ever asks.

Outputs may be records

If AI helps draft a final document, briefing, or decision, the output may itself be a record under your organisation's records management policy. It follows the same rules as any other document, storage, retention, destruction. Not a separate category.

// takeaways

Course Takeaways

The short version of this course, condensed to what to actually carry back to the office.

What to take back to the desk

This course doesn't make you an AI expert. It gives you a working foundation and the good habits to build on. That's enough.

// references

References and Further Reading

Canonical sources for anything policy-related in this session. When you need to quote something in a meeting, these are the pages to point at.

Nothing in this session is legal advice. Check your organisation's policies, and when a specific situation matters, ask the appropriate person inside your organisation (manager, privacy officer, IT security) before acting.