The Department of Finance has tied staff use of generative artificial intelligence to data classification and recordkeeping rules, in guidance released under Freedom of Information.
The department published two versions of the guidance, dated March and April 2026, through its disclosure log at finance.gov.au.
It directs that any information entered into AI tools must comply with the Protective Security Policy Framework, the Privacy Act 1988 and Finance’s privacy policy.
The classification of the data, not the task, decides which tool a staff member may use. The rules tighten as information becomes more sensitive.
Public generative AI tools such as ChatGPT, Claude and Gemini may be used only with unofficial and non-sensitive official information.
Staff must not enter personal, sensitive, classified or protected material into those tools. Microsoft 365 Copilot Chat carries the same restriction.
The Copilot full licence in “web mode” is also barred from personal, sensitive, classified or protected information.
Only the Copilot full licence in “work mode”, deployed inside Finance’s ICT environment, may handle sensitive and protected information. A registered use case is required.
The guidance points staff to the Protective Security Policy Framework for definitions, protective markings and secure handling of each classification.
Privacy controls on personal data
Staff seeking to use personal information with the full licence must first complete a Privacy Impact Threshold Assessment and consult the Privacy Team.
The guidance tells staff to understand what personal information sits in records accessed by AI before any use.
It also says staff must confirm individuals have received privacy notices explaining that Finance may use AI in relation to their information.
The April draft sharpened this area. Personal information used with Copilot now triggers Privacy Team consultation, rather than the broader use-case registration set out in March.
Recordkeeping and disclosure
For records, the guidance directs staff to the National Archives of Australia’s guidance on managing records created using AI.
It sets out when AI use must be disclosed. Disclosure is required when AI content significantly influences decisions on policy, advice or operations.
Staff must also disclose when content could be mistaken for human work, has not been checked by a subject-matter expert, or where law or ethics demand it.
Disclosure is not required for routine drafting or summarising that a staff member reviews and approves, or for low-risk internal content marked as draft.
Before using AI tools, staff must complete the APS Academy’s AI in Government Fundamentals course.
Finance oversees AI use through an AI Governance Committee, which sets strategy and advises on ethical, legal and social responsibilities.
The department says it has “limited our use of AI to low-risk use cases”, applying the Digital Transformation Agency’s responsible AI policy and the AI Ethics Principles.
The FOI release was first reported by the Digital Watch Observatory at dig.watch, run by DiploFoundation’s Geneva Internet Platform.