The biggest AI risk for a small business isn't robots taking over. It's a well-meaning staff member pasting a customer's private details into a public chatbot to "get help writing a reply". A short policy prevents that, and it's far simpler to write than most owners expect.
This guide gives you a real, copyable one-page template, a "never paste this" list that changes depending on your industry, and a plain-English look at how an AI policy fits Australia's existing privacy law. You don't need a lawyer or a long document. You need one clear page your team will actually read.
What is an AI policy (and why a one-pager is enough for most small businesses)
An AI policy is a short, written set of rules that tells staff which AI tools they can use for work, what information they must never put in, and that a human must check AI output before it reaches a customer. That's it. For most small businesses it fits comfortably on a single page.
It is not a legal contract, a technical standard, or a ban on AI. A good policy actively encourages staff to use AI for the safe, time-saving jobs, while drawing a clear line around the few things that could put a customer or the business at risk. The whole point is to remove the guesswork so people don't have to make a judgement call in the moment.
A written policy works best when it's paired with a short walk-through so the team understands the "why", not just the "what". If you want help embedding it, that's exactly what an AI workshop for your team is for.
Do you legally need an AI policy in Australia?
There is no single Australian law that says "you must have an AI policy". But that doesn't mean you're off the hook. If your business handles personal information about customers, staff or clients, the Privacy Act 1988 and the Australian Privacy Principles (APPs) already set rules for how you collect, use, store and disclose that information. Typing it into a public AI tool can quietly cut across those rules.
Many small businesses with an annual turnover of $3 million or less are exempt from the Privacy Act. But there are important exceptions. Notably, organisations that provide health services and hold health information, and businesses that trade in personal information, are covered regardless of turnover. That sweeps in a lot of care and NDIS providers, and others, who might assume the "small business" exemption applies to them.
Even where you're exempt, there's a stronger reason to bother: trust and reputation. A privacy slip with a customer's data rarely ends with a fine. It ends with a lost customer, a bad review, and an awkward conversation. A one-page policy reduces that risk and sets clear expectations. It doesn't certify you as compliant or provide legal protection, but it makes a careless mistake far less likely.
What a good small-business AI policy covers
You only need to answer a handful of questions clearly. A policy that covers these six points is enough for the vast majority of small businesses.
- Approved tools. The specific tools staff may use for work, named plainly. For most teams that's something like ChatGPT, Claude, Gemini or Copilot, plus any specialist tool you've signed off.
- Account settings. Which account or plan to use: staff log in with the work account rather than a personal one, and switch off training on your data where the tool allows it.
- What never goes in. The short "never paste this" list, kept visible so no one has to remember it.
- Human sign-off. That AI output is always read, checked and edited by a person before it's used or sent, especially anything customer-facing.
- Who to ask. A named person to go to when someone is unsure, so the safe answer is "ask", not "guess".
- What to do if it goes wrong. A no-blame step for reporting a mistake quickly, because catching a slip early is what limits the damage.
The "never paste this" list (and why it changes by industry)
This is the most important part of any AI policy, and the part staff are most likely to get wrong without clear guidance. The general baseline, which applies to almost every business, is:
- Customer names paired with their personal details
- Payment, card or bank details
- Health, medical or NDIS information
- Passwords, logins and access codes
- Signed contracts, and anything confidential or commercially sensitive
The sharper version of that list depends on the kind of work you do. What's routine in one trade is sensitive in another. Here's how the baseline extends for the industries we work with most.
Trades & construction
- Add to the never-paste list: client site addresses tied to names, supplier pricing and margins, signed contracts and variations, tender or bid figures, and any document marked confidential by a builder or principal.
NDIS & care
- Add to the never-paste list: participant names and NDIS numbers, care and progress notes, health and medical details, incident reports, plan and funding information, and anything that could identify a vulnerable person. Health information carries specific obligations under the Privacy Act, so treat this list as firm.
Retail & services
- Add to the never-paste list: customer contact and order histories, loyalty or account data, payment and card details, supplier terms, and staff records like rosters tied to names or pay information.
Professional services
- Add to the never-paste list: client financials and tax file numbers, anything privileged or confidential, draft advice tied to a named client, deal or matter details, and information covered by a confidentiality agreement.
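Staff will not always recognise a tax file number or a card number in the middle of a pasted email, so a mechanical check helps. The following is an added example, not code from this page or its download: a small pre-paste screener that flags the hard identifiers from the baseline and industry lists above, and produces a redacted copy that keeps the wording but drops the identifiers. The tax file number check uses the published ATO weighting and the card check uses the Luhn algorithm; the NDIS participant number format (nine digits) and the sample text are assumptions constructed for the example.

```python
import re

# Published ATO weighting for tax file numbers: weighted sum must divide by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tfn_ok(digits: str) -> bool:
    """Nine digits whose ATO-weighted sum is divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def _strip(s: str) -> str:
    return re.sub(r"[ -]", "", s)


# (label, pattern, validator). A validator of None means the pattern alone is enough.
# Patterns are deliberately simple; the checksums do the real work of avoiding
# false positives on invoice numbers and similar digit runs.
CHECKS = [
    ("payment card number",
     re.compile(r"\b(?:\d[ -]?){13,19}\b"), lambda s: luhn_ok(_strip(s))),
    ("tax file number",
     re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), lambda s: tfn_ok(_strip(s))),
    # Assumed format for the example: the word NDIS followed by nine digits.
    ("NDIS participant number",
     re.compile(r"\bNDIS\s*(?:no\.?|number|#)?\s*(?:is|:)?\s*(\d{9})\b", re.I), None),
    ("password or login",
     re.compile(r"\b(?:password|passwd|pwd|pin)\s*[:=]\s*\S+", re.I), None),
    ("email address",
     re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),
    ("Australian phone number",
     re.compile(r"(?<!\d)(?:\+61[ -]?|0)[2-478](?:[ -]?\d){8}\b"), None),
]


def screen(text: str) -> list[str]:
    """Return the labels of sensitive items found; an empty list means nothing was flagged."""
    findings = []
    for label, pattern, validate in CHECKS:
        for m in pattern.finditer(text):
            if validate is None or validate(m.group(0)):
                findings.append(label)
                break
    return findings


def redact(text: str) -> str:
    """Replace each flagged item with a placeholder so the draft can still be pasted."""
    for label, pattern, validate in CHECKS:
        def sub(m, label=label, validate=validate):
            if validate is None or validate(m.group(0)):
                return f"[{label} removed]"
            return m.group(0)
        text = pattern.sub(sub, text)
    return text


# Constructed sample: the kind of text a staff member might paste to "get help with a reply".
SAMPLE = (
    "Hi, can you draft a reply to Jane? Her NDIS number is 431234567, "
    "TFN 123 456 782, card 4111 1111 1111 1111, email jane@example.com, "
    "mobile 0412 345 678. Portal password: Hunter2!"
)

if __name__ == "__main__":
    for label in screen(SAMPLE):
        print("flagged:", label)
    print(redact(SAMPLE))
```

Run it on the sample and every item is flagged; the redacted version is what should actually go into the chatbot. The checksums matter: a nine-digit job number or a sixteen-digit invoice reference passes the regex but fails the Luhn or TFN test and is left alone. The screener is a safety net for the list, not a replacement for it; names tied to care notes or contract terms are not detectable by pattern and still rely on the person pasting.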
We've turned this into a free one-page download, "What Not to Put Into ChatGPT", that you can print and pin up for your team. Ask us for a copy and we'll send it over.
Encourage vs forbid: a quick reference for staff
A policy that only says "don't" makes people nervous and they stop using AI altogether, which wastes the benefit. Be just as clear about what you actively want staff to do.
Encourage
- Drafting and rewording with made-up or general details
- Summarising public or internal non-sensitive info
- Brainstorming, learning and getting unstuck on how to phrase something
- Always reading and editing before sending
Forbid
- Pasting real customer, health or NDIS data into public tools
- Sending AI text to a customer without reading it
- Trusting facts, figures or quotes without fact-checking them
- Using AI for final pricing or legal wording unchecked
If you want a clearer sense of which tasks belong in which column, our guide to where AI fits in your workflow sorts every job into three buckets: automate now, keep a human in the loop, or leave alone for now. It's the same thinking behind our Safe AI approach.
Your one-page AI policy template (copy and adapt)
Here's a real template you can copy straight into a document and adapt. Replace the [bracketed] parts with your own details. Keep it to a single page.
AI use policy: [Your business name]
- Why we have this. We use AI to save time, but we protect our customers' information and our reputation. These rules keep both safe.
- Tools you can use. For work, use only [list approved tools, e.g. ChatGPT, Claude]. Log in with your [work account], and turn off training on our data where the tool allows it.
- Never put in. Customer names with personal details, payment or bank details, health or [NDIS/medical] information, passwords, contracts, and anything confidential. [Add your industry specifics.] If in doubt, leave it out.
- Always do. Read, check and edit anything AI writes before it's used. A person signs off on anything customer-facing or money-related. Fact-check figures and claims.
- If you're not sure. Ask [name/role] before you paste. There are no silly questions here.
- If something goes wrong. Tell [name/role] straight away so we can fix it quickly. We don't blame people for honest mistakes; we fix the process.
Have everyone acknowledge it once, in writing or by signature, so there's a shared understanding. Then revisit it when something changes, like a new tool, a new type of work, or a near-miss. A policy that's reviewed once a year and after any incident stays useful.
That's genuinely enough for most small businesses. If you'd rather not write it from scratch, our AI Policy & Safety Pack gives you a plain-English AI use policy, a staff do's and don'ts one-pager, and a data-safety checklist, tailored to your business. The free template builds the habit; the Pack does the tailoring for you.
Is ChatGPT safe for business? (and do paid tiers change anything)
Yes, with rules and the right settings. The risk isn't ChatGPT, or Claude, or any other tool. The risk is the input. A public chatbot is safe for drafting an enquiry reply with placeholder details; it's not the place to paste a participant's care notes. Get the input right and the tool is genuinely useful.
Paid plans do matter for data handling. In plain English: free and personal accounts generally offer fewer controls, while business, Team and Enterprise plans usually offer stronger protections, including options not to train on your conversations and clearer data-handling commitments. Opting out of training is not the same as the vendor not storing the conversation: retention, who can access it and how to delete it are separate terms. The exact terms differ by vendor and change over time, so always check the tool's current terms rather than relying on what was true last year.
Getting the settings right is fiddly the first time, which is part of what we cover in an AI workshop, so your team starts on the safe footing rather than discovering the settings after a slip.
Getting staff to actually follow the policy
A policy nobody reads protects nobody. The most common failure isn't a bad policy, it's a good one sitting unread in a shared drive. A few simple things make it stick.
- Keep it to one page and keep it visible. Pin the never-paste list where people actually work, not buried three folders deep.
- Walk the team through it with their own examples. Use the real jobs they do, so the rules connect to their day rather than feeling abstract.
- Make it safe to ask and to report. If people fear blame, they hide mistakes. If asking is encouraged, problems surface early and stay small.
This is where a short, hands-on session pays off. Our AI Workshop for Teams walks your people through the policy with their own work, sets up the right account settings, and leaves them confident about the line, not just aware that one exists.
Frequently asked questions
Do I need an AI policy for my small business?
If your staff are already using AI tools like ChatGPT (and they probably are), yes. A simple one-page policy on what's safe to put in and what isn't protects your customers and your business, and it gives staff a clear line so they're not guessing. It doesn't need to be long or legal-sounding to do its job.
Do you legally need an AI policy in Australia?
There's no single Australian law that says "you must have an AI policy". But if your business handles personal information, the Privacy Act 1988 and the Australian Privacy Principles already set rules for how you collect, use and protect that information, and putting it into a public AI tool can put you offside. An AI policy is a practical way to meet those existing obligations. This is general information, not legal advice.
Is ChatGPT safe for business?
It can be, with rules and the right settings. The risk isn't the tool itself, it's the input: staff pasting customer data or sensitive details into a public chatbot. Set clear do's and don'ts, choose an appropriate plan, turn off training on your data where the tool allows it, and keep a human checking output before it reaches a customer.
What should staff never put into ChatGPT?
As a baseline: customer names paired with personal details, payment or bank details, health or NDIS information, passwords and logins, signed contracts, and anything confidential or commercially sensitive. A simple test for staff: if the customer would be upset to learn their details had been typed into a public AI tool, leave it out.
Do paid ChatGPT plans change what's safe to put in?
Business, Team and Enterprise plans generally offer stronger data-handling controls than free or personal accounts, including options not to train on your conversations. But the specifics change over time and vary by vendor, so always check the tool's current terms. Even on a business plan, keep following the never-paste list rather than assuming the plan removes all risk.
Can you help us write our AI policy?
Yes. You're welcome to copy and adapt the template on this page for free. If you'd rather not start from scratch, our AI Policy & Safety Pack gives you a plain-English AI use policy, a staff do's and don'ts one-pager and a data-safety checklist, tailored to your business. The best way to start is a free 30-minute fit call.