Australian Privacy Principle 11 is short, but it carries a lot of weight. Under the Privacy Act 1988 (Cth), an APP entity must take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Office of the Australian Information Commissioner, the OAIC, is the regulator, and it reads "reasonable steps" against the technology you actually use, not the technology you used ten years ago.

AI has quietly changed the exposure surface. Personal information no longer leaves your control only through a hacked database or a mislaid laptop. It leaves when a well-meaning staff member pastes a client email, a customer complaint, or a spreadsheet of names into a public AI tool to draft a reply or summarise a file. That paste is the event APP 11 is about, and by the time you notice it, the information is already gone.

What APP 11 requires

APP 11 sets a standard of reasonable steps, not perfection. The steps that are reasonable scale with the sensitivity of the information, the harm that would flow from a breach, and the practicality of the safeguard. For a risk or compliance operator, three features of the principle matter.

It applies to information you hold, however you handle it

The obligation attaches to personal information the entity holds, regardless of the tool used to process it. There is no carve-out for "we only used a chatbot". If staff feed personal information into a system, that handling is within scope, and the security expectation travels with it.

Unauthorised disclosure is the trigger, and it is irreversible

APP 11 names unauthorised disclosure explicitly. Disclosure to an external AI provider that was never authorised to receive that information is exactly the harm the principle guards against. Unlike a misdirected email you can recall, you cannot retrieve data once it has entered a third party's systems.

Reasonable steps are judged after the fact

If an incident occurs, the OAIC will ask what steps you had in place beforehand. Governance you can evidence, a written directive, an inventory, access controls, is what distinguishes a defensible position from an indefensible one.

Where AI trips APP 11

The failure modes are concrete, and most involve everyday convenience rather than malice.

Pasting personal information into ungoverned public tools. A staff member copies client or customer personal information into a consumer-grade AI tool to summarise, translate, or draft. That is an unauthorised disclosure to an external party, and you cannot claw it back.

Consumer tools that train on inputs. Consumer-grade AI tools may use what users type as training data. Enterprise-grade tools with data-processing terms and a training opt-out do not. The difference is not cosmetic: with a consumer tool, your client's personal information may be absorbed into a model you do not control, while an enterprise arrangement keeps that information contractually contained.

Shadow AI you cannot see. If you do not know which AI tools staff use, you cannot claim to have taken reasonable steps to secure the information flowing through them. Unmanaged, undocumented AI use is the modern equivalent of an unlocked filing cabinet.

AI systems outside your access and logging controls. Your existing controls on who can see personal information, and the logs that record it, often stop at the edge of your sanctioned systems. An AI integration that reads from a customer database but sits outside those controls widens the gap between what you permit and what you can prove.

What reasonable steps look like for AI

Translating APP 11 into AI practice comes down to four moves, each of which is defensible and evidenceable.

Build an AI inventory. You cannot secure what you have not catalogued. List the AI tools in use across the organisation, sanctioned and unsanctioned, and note what personal information each can reach. The inventory is the foundation every other control rests on.

Issue an acceptable-use directive. Put in writing that personal information must not go into ungoverned tools. Make it specific about what "ungoverned" means, name the sanctioned alternatives, and make clear the directive is a control the organisation will enforce, not a suggestion.

Route sanctioned use through enterprise tooling. Give staff an approved path. Enterprise-grade tools with data-processing terms and a training opt-out let people get the productivity benefit without the disclosure risk. A directive without a sanctioned tool just pushes people back to the public option.

Extend access and logging controls to AI systems. The controls that govern who can access personal information, and the logs that record that access, should reach your AI systems too. If an AI tool can read personal information, the same access discipline and audit trail should apply.

Why the stakes justify the work

The consequences of getting this wrong are not theoretical. Serious or repeated interference with the privacy of individuals carries substantial civil penalties: for a body corporate, the penalty can reach the greater of 50 million dollars, three times the benefit obtained from the conduct, or 30 per cent of adjusted turnover during the breach period. These are figures that reframe AI governance from a nice-to-have into a board-level exposure.

The OAIC has also shown it will scrutinise technology deployments directly. Its 2024 determination on Bunnings' use of facial recognition technology confirms that how an organisation deploys new technology against personal information is squarely within the regulator's remit. The lesson for AI is straightforward: a novel or convenient tool does not sit outside the Privacy Act, and "the software did it" is not a defence.

What to have in place before an incident

Before an incident, not after, you want the following ready and documented.

A current AI inventory that maps each tool to the personal information it can reach. A written acceptable-use directive keeping personal information out of ungoverned tools, with named sanctioned alternatives. Enterprise tooling with data-processing terms and a training opt-out for approved use. Access and logging controls extended to your AI systems so you can show who touched what. And evidence that these controls existed and were maintained, because APP 11 is judged on the steps you took beforehand.

If you are not sure which of these obligations your current AI use already triggers, running the free AIRA Health Check is a practical first step. It walks through how your organisation uses AI and surfaces the obligations, including APP 11, that apply to you, so you can close the gaps before an incident forces the question.