12. Use case review and next steps

12.1 Alignment with relevant legal frameworks

This question looks to confirm that you have identified and documented any agency-specific legislation, regulations, or binding policy instruments that are relevant to your AI use case.

When completing this section:

  • review your agency's legislative and regulatory frameworks. Identify any provisions that may be affected by, or place restrictions on, the design, operation, or outputs of the AI system
  • if there is any uncertainty, engage your agency's legal area early, and maintain legal professional privilege where appropriate.

12.2 Legal advice

This section asks whether your agency has sought or obtained legal advice in relation to the AI use case. If you answer 'yes', you should summarise the nature of the legal issue without including the content of the advice. This information should not be disclosed to anyone other than those who need to know or access the information within the agency.

Note that including the actual content of legal advice in this tool may result in waiver of legal professional privilege, meaning the advice could be legally required to be disclosed to others. To avoid unintended waiver, only summarise the subject matter of the advice (for example, 'privacy compliance' or 'intellectual property risks') rather than reproducing or paraphrasing the advice itself.

12.3 Risk summary table

To complete the risk summary table:

  • list any risks assessed as medium or high at the inherent risk assessment stage in section 3
  • summarise any mitigations or controls that have been or will be applied
  • explain how these mitigations have influenced the residual risk rating.

12.4 Record of overall residual risk rating

To complete this section, choose an overall residual risk rating for the AI use case. Refer to your response to section 12.3.

12.5 Internal governance body review

If your use case's inherent risk is rated as high at section 3, you are required under the AI policy to apply specific actions, including creating or reusing a governance body for the purpose of governing high-risk AI. You may document the outcome of the governance body review here, including any recommendations and next steps.
