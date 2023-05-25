Just as social media was used to disrupt elections, we should expect the same and worse from AIs like ChatGPT, researcher says.

The Privacy Commissioner has warned companies using generative AI tools that they are bound by the Privacy Act, and has created a checklist of steps for any organisation or business planning to use them in conjunction with personal information.

The checklist, which was officially guidance, included ensuring a human reviewed AI outputs prior to use to make sure they were accurate, and ensuring personal information was not accidentally disclosed by the AI.

Commissioner Michael Webster said he would also expect all agencies using systems that could take Kiwis’ personal information to create new content to be thinking about the consequences of using AI before they started.

AI’s use of New Zealanders’ personal information was regulated under the Privacy Act 2020.

The move follows revelations that the National Party has already started using generative AI tools to create ads on social media.

Images included AI-generated images of hooded men committing a burglary, an anxious homeowner, and Pasifika healthcare workers.

Webster outlined seven points of advice to help businesses and organisations that might be considering using generative AI.

1. Have senior leadership approval

He said businesses and organisations must involve senior leaders and privacy officers in deciding whether or how to implement a generative AI system.

2. Review whether generative AI is necessary and proportionate

3. Conduct a privacy impact assessment

This included seeking feedback from impacted communities and groups including Māori.

4. Be transparent

This included telling customers and clients in plain language that the tools were being used, and how privacy risks were being managed.

This was essential to maintain trust and an organisation’s social licence to use AI, Webster said.

“Generative AI is a new technology, and many people will be uncomfortable with its use or don’t understand the risks for them,” Webster said.

5. Develop procedures about accuracy and access by individuals

This involved creating procedures for ensuring information generated by the AI was accurate, and for responding to requests from individuals to access and correct personal information.

ROBERT KITCHIN/Stuff Privacy Commissioner Michael Webster says his team will investigate any breach of the Privacy Act committed by the use of an AI.

6. Ensure human review prior to acting

This involved making sure a human reviewed AI outputs before the information was acted upon.

7 .Ensure that personal or confidential information is not retained or disclosed

“Do not input into a generative AI tool personal or confidential information, unless it has been explicitly confirmed that inputted information is not retained or disclosed by the provider,” Webster said.

“An alternative could be stripping input data of any information that enables re-identification. We would strongly caution against using sensitive or confidential data for training purposes.”

He said his office would investigate if it felt a party had broken the Privacy Act 2020 in its use of generative AI tools.

The commissioner had previously sent a letter to government agencies outlining his caution around prematurely using generative AI without a proper assessment and signalling the need for a whole-of-government response to the growing challenges posed by this tool.