If you run a business with a customer database, the question of whether to use AI to process that data is no longer theoretical. It is already happening across industries, from retail to professional services to fintech. The real question is whether you have thought through the privacy implications before the data goes in. For most Australian businesses, the honest answer is no. This article walks you through a practical, legally grounded approach so you can use AI confidently without exposing your customers or your business to unnecessary risk.
Why a Blanket "Keep It Out" Policy Doesn't Work
When businesses first confront this problem, the instinct is to restrict everything. If you are unsure whether a piece of customer data should go into an AI tool, the safe move seems to be to keep it out entirely.
The trouble is that this approach doesn't hold up in practice. Customer records, transaction histories, account details, behavioural patterns: all of this data is increasingly being processed through AI tools, whether deliberately or by default through software your business already uses. A blanket restriction isn't a compliance strategy. It just delays the moment when you have to actually think it through.
A better approach is to build a system that lets you use AI on your data in a way that is genuinely compliant, repeatable, and documented.
The Legal Foundation: De-identification Under the Privacy Act
Australian privacy law gives businesses a practical pathway here. Under the Privacy Act 1988 (Cth), information that has been appropriately de-identified is no longer considered personal information. That means it falls outside the Australian Privacy Principles (APPs) entirely.
The OAIC and CSIRO's Data61 have published a De-identification Decision-Making Framework that confirms this position and explains how to apply it. De-identification involves two steps: removing direct identifiers, and then taking additional steps to address the risk of re-identification.
This framework is not just theoretical. In August 2025, the OAIC concluded its investigation into I-MED Radiology Network following the disclosure of de-identified patient data to an AI company without patient consent. The OAIC found the data was sufficiently de-identified and took no regulatory action. However, it also made clear that organisations must use recognised de-identification standards, document their methodology, and impose contractual obligations on data recipients to prevent re-identification. The process matters as much as the outcome.
A Practical De-identification Framework for Your Business
Here is how to apply this to a real customer dataset. The goal is to give your AI tools the data they need to do useful work, while keeping personal information out of the AI environment entirely.
Step 1: Audit your data fields
Go through every column in your customer database and classify each one. Is it identifying on its own? Could it identify someone in combination with other fields? Or is it genuinely non-identifying? Names, addresses, dates of birth, contact details, and account numbers linked to identifiable records all need to come out. Transaction patterns, usage behaviour, preferences, and aggregated operational data are usually fine to keep in.
Step 2: Strip out the identifying fields
Before any data goes into an AI tool, remove everything that falls into the identifying or potentially identifying categories. This is not just about obvious fields like names and email addresses. You also need to think about combinations: a postcode plus a date of birth plus a job title might be enough to identify someone, even if none of those fields is identifying on its own.
Step 3: Assign a synthetic unique key
Replace the identifying fields in each customer record with a synthetic identifier that has no meaning outside your own systems. This key lets your business reconnect the AI's output back to the full customer record after the fact, without ever exposing that personal information to the AI. The AI processes de-identified data. Your systems handle the reconnection internally.
Step 4: Document your methodology
Write down what you did and why. Which fields did you classify as identifying, and on what basis? What re-identification risks did you assess? What methodology did you follow? This documentation is your evidence of compliance if a regulator ever asks. It is also useful internally when a new AI use case comes up and you need to assess it against your existing framework.
Step 5: Impose contractual safeguards on your AI providers
Even when you are feeding only de-identified data into a third-party AI tool, your contracts with that provider should prohibit re-identification and restrict how the data can be used. This is one of the conditions the OAIC flagged as important in the I-MED investigation. A well-drafted confidentiality agreement can help here. Mode.law's Confidentiality Agreement (Mutual) is a useful starting point for formalising those obligations with technology vendors and AI providers.
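A worked example of Steps 1 to 4 in Python, added here and not part of the original article: it keeps only fields that have been classified as safe, swaps identifiers for a random key, blanks rare postcode and job title combinations, and returns a methodology record. The field names, the allowlist, the K_MIN threshold and the sample records are assumptions made for the example, and the small-group suppression is one simple way to address combination risk, not a method prescribed by the OAIC framework.

```python
import secrets
from collections import Counter

# Step 1 classification; field names and categories are constructed for this example.
DIRECT = {"name", "email", "date_of_birth", "account_number"}  # identifying alone
QUASI = ("postcode", "job_title")  # identifying in combination
NON_ID = {"orders_12m", "avg_basket"}  # classified as non-identifying
K_MIN = 2  # assumed threshold: a quasi-identifier combination must cover >= 2 rows


def deidentify(records, id_field="account_number"):
    """Return (rows for the AI tool, key map kept in-house, methodology log)."""
    allowed, key_map, rows = NON_ID | set(QUASI), {}, []
    for rec in records:
        key = secrets.token_hex(8)  # Step 3: random, not derived from customer data
        while key in key_map:  # regenerate on the unlikely collision
            key = secrets.token_hex(8)
        key_map[key] = rec[id_field]
        # Step 2: allowlist, so a field nobody has classified is dropped by default
        row = {f: v for f, v in rec.items() if f in allowed}
        row["record_key"] = key
        rows.append(row)
    # Re-identification check: blank the quasi-identifiers on any row whose
    # combination is shared by fewer than K_MIN rows in this extract.
    counts = Counter(tuple(r.get(q) for q in QUASI) for r in rows)
    suppressed = 0
    for row in rows:
        if counts[tuple(row.get(q) for q in QUASI)] < K_MIN:
            row.update(dict.fromkeys(QUASI))  # sets each quasi field to None
            suppressed += 1
    # Step 4: facts to carry into the written methodology
    log = {"removed_fields": sorted(DIRECT), "quasi_identifiers": list(QUASI),
           "k_min": K_MIN, "rows": len(rows), "rows_suppressed": suppressed}
    return rows, key_map, log


def reconnect(ai_output, key_map):
    """Join results returned by the AI tool back to internal customer ids."""
    return {key_map[r["record_key"]]: r for r in ai_output}


# Constructed sample data; no real customers.
CUSTOMERS = [
    {"account_number": "A-1001", "name": "Sample One", "email": "one@example.com",
     "postcode": "3000", "job_title": "Nurse", "orders_12m": 14, "avg_basket": 82.5},
    {"account_number": "A-1002", "name": "Sample Two", "date_of_birth": "1990-02-02",
     "postcode": "3000", "job_title": "Nurse", "orders_12m": 9, "notes": "free text"},
    {"account_number": "A-1003", "name": "Sample Three", "email": "three@example.com",
     "postcode": "0872", "job_title": "Pilot", "orders_12m": 3, "avg_basket": 40.0},
]
```

The key map is the re-identification path, so it stays in your own systems and never travels with the extract.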
What's Coming in December 2026
There is a deadline Australian businesses should have on their radar. From 10 December 2026, new automated decision-making (ADM) transparency obligations under the Privacy Act will come into effect. If your business uses personal information in an automated or semi-automated process that could reasonably affect an individual's rights or interests, you will need to disclose that in your privacy policy. The disclosure needs to cover the kinds of personal information used and the kinds of decisions being made.
Processing only de-identified data through your AI tools is one of the clearest ways to stay on the right side of these obligations. If personal information never enters the AI environment, the ADM provisions may not apply at all.
Either way, now is a good time to review your privacy policy to make sure it accurately reflects how your business uses data, including any AI processing. Mode.law's Privacy Policy template is designed for Australian businesses and can be tailored to cover your specific data handling practices.
Building a System, Not Just Solving a One-Off Problem
What makes this approach genuinely useful is that you only have to do the hard thinking once. Classify your data fields. Document your de-identification methodology. Put your contractual safeguards in place. From that point on, every time a new AI use case comes up, you have a framework to assess it against rather than starting from scratch.
Most businesses are currently at one of two extremes: either avoiding AI entirely because the privacy questions feel too hard, or feeding customer data in without thinking through the implications. Neither is a good long-term position. The businesses that get ahead of this are the ones that treat it as a system to build, not a problem to avoid.
The practical steps are straightforward. Audit your data fields and classify them. Apply the OAIC de-identification framework. Create a synthetic key. Document your process. Lock down your vendor contracts. And review your privacy policy before December 2026.
If you are working through your data governance and privacy documents, Mode.law's document library at /documents has templates built for Australian founders and business owners, including a Privacy Policy and Confidentiality Agreement to help you get the foundations in place.