• Note: Australian policy based on the Australian Government’s AI Ethics Principles and laws, which does not include GDPR. Could definitely use this as a starting place and then amend, but it needs you to go away and do a lot of other work to implement (not very “plug and play”)
• Good stuff
  • Well formatted/structured, including starting with principles
  • The Management Guidelines are excellent
  • Good definitions at the end
• Limitations
  • No distinction between generative and predictive AI
  • Framed with “customers” and “business”
  • Assumes the organisation is large (e.g. would have IT staff, risk management procedures)
  • Principles
    • can be vague at times, and assume knowledge — meaning things could be bent
    • refer to other things that would need to be made, e.g. “Create a guideline for ethical decision-making”
    • are listed as action points more than principles, e.g. “Regularly assess the impact of AI on staff and external stakeholders, and adjust policies as needed.” could be reframed as “The impact of AI on staff and external stakeholders will be assessed every 6 months in line with new technologies and regulations, and policies will be adjusted accordingly.”