Personal information in correspondence
Hannah needs to write a response letter to a member of the public regarding a sensitive case. The response will draw on complex case file notes which contain personal details including the client’s name, date of birth, client reference number, address, financial information and sensitive case history such as interactions with the justice system. Hannah considers using public generative AI platforms to help draft a professional and empathetic response based on the case information.
What should Hannah do?
- Hannah should not use public generative AI for this task. Inputting personal information into public AI tools would breach privacy obligations and government information handling rules.
- Hannah understands that personal information including names, dates of birth, reference numbers, financial details, and case-specific information must never be shared with public AI platforms.
- Hannah acknowledges that using such sensitive information in public AI tools could result in data breaches, identity theft risks, and serious privacy violations.
- Instead, Hannah uses approved government systems and templates to draft the response, consulting with team members and agency experts as needed for complex cases.
- Hannah ensures all personal information remains secure and is handled in accordance with government privacy and information security policies.

Security classified government information
Wei is preparing a Cabinet submission on proposed legislative changes. The task involves security classified information, inter-agency consultation feedback, and sensitive policy recommendations. Facing a tight deadline, Wei is considering using public generative AI platforms to help structure and refine the submission.
What should Wei do?
- Wei should not use public generative AI platforms for this task. Instead, Wei should rely on established internal processes, consulting with colleagues and using approved government systems.
- If Wei has access to an enterprise generative AI tool, cleared by the agency to process security classified information, they could consider using this. If Wei is unsure which generative AI tool can handle security classified information, they should consult relevant internal guidance and the IT security team if needed.
- Wei recognises that security classified information must never be entered into public AI tools. This includes information classified OFFICIAL: Sensitive or above, including PROTECTED: CABINET information.
- Wei understands that using public generative AI platforms for this task could compromise security and breach the Protective Security Policy Framework (PSPF).
- Wei ensures the appropriate security classification markings are applied to all documents and follows proper information handling protocols.

Cultural sensitivity and intellectual property
River is organising activities for an important First Nations cultural awareness week and wants to include visual elements in internal campaign materials that reflect Indigenous culture. River has access to artwork commissioned by their agency from Indigenous artists for similar purposes in the past. River considers uploading these images – along with other images of Indigenous art found online – to a public generative AI platform to produce new visual content.
What should River do?
- River should not use generative AI tools for this purpose.
- River recognises that generating AI images based on First Nations artwork would be culturally inappropriate. River realises that authentic cultural representation requires genuine engagement with First Nations communities and cannot be replicated through public AI tools.
- River notes that public generative AI platforms may retain uploaded content, which could result in the artwork being reused or incorporated into AI training datasets without the artists’ consent – breaching intellectual property rights, Indigenous data sovereignty and cultural protocols.
- River acknowledges that using AI-generated cultural content could cause harm to First Nations communities by perpetuating stereotypes, misrepresenting sacred or sensitive cultural elements, and contributing to cultural appropriation.
- Instead of using generative AI, River explores commissioning new artwork from First Nations artists or using existing approved materials developed in consultation with community representatives.
- River ensures any cultural materials are developed through proper consultation with First Nations artists, cultural advisors and community representatives, and that intellectual property rights are respected and appropriately acknowledged.

Assessing applications
Jamie is reviewing applications for a government grant program. With multiple complex applications to assess against program criteria, Jamie considers inputting application details into a public generative AI tool to help assess which applications meet the funding requirements to recommend for approval.
What should Jamie do?
- Jamie should not use public generative AI tools for this purpose.
- Jamie recognises that grant applications can contain personal details and confidential business information that must not be shared with public AI platforms.
- Jamie acknowledges that government decision-making requires human judgement, accountability, and transparency that cannot be delegated to public AI tools.
- Jamie understands that using public AI tools to make funding decisions could introduce bias, produce inaccurate results, compromise the integrity of the assessment process, and breach privacy obligations.
- Instead, Jamie uses established assessment frameworks and internal IT systems, asks colleagues for peer review, and ensures all decisions are properly documented.
- Jamie maintains the confidentiality of all application information and ensures fair and consistent assessment processes are followed.

Procurement processes
Omar is developing technical specifications for a major tender. To ensure the specifications are comprehensive, Omar wants to input the detailed requirements into a public generative AI tool to help identify potential gaps and improve the technical language.
What should Omar do?
- Omar should not use public generative AI tools for this task.
- Omar recognises that tender specifications may contain commercially sensitive information that could provide unfair market advantage if disclosed prematurely through public AI platforms.
- Omar understands that inputting procurement details into public AI platforms could breach the Commonwealth Procurement Rules and compromise the integrity of the tender process.
- Omar avoids using any public AI tools that could inadvertently signal government intentions to potential suppliers or create conflicts of interest.
- Instead, Omar consults internal technical experts and relevant industry standards, and uses approved government procurement resources to develop specifications.
- Omar ensures all procurement activities maintain appropriate confidentiality.
“Ownership of decisions are attributed to governance forums rather than individuals or roles. The lack of clear decision-making powers and accountabilities across all levels of the program is impacting the effectiveness of timely decision-making”
Review of the Modernising Business Registers Programme
Layers of governance and separation of duties
The levels of governance should generally be minimised, while ensuring there is sufficient separation to avoid conflicts of interest between those doing the work and those governing, and to facilitate escalation paths. Too many layers of governance dilute accountability and can slow down decision-making [1-SRO], (1).
“The very many people on a large number of Committees and Boards across CorpTech and QH charged with the responsibility for managing the project…there was plenty of active oversight of the program however successful governance is not just about having processes…The terms of reference of these bodies…were unclear. Responsibility was spread too widely. There was no single point of accountability” (1)
Queensland Health Payroll Inquiry
Ownership
In general, membership of the board should be limited to those who have ongoing ownership for the solution and those that will be most impacted by the operation, maintenance, benefits and risk. Similarly, risk and benefit ownership should be assigned to the individuals whose roles are best placed to control risk, and with ongoing ownership of benefits. For example, ownership of benefits should not reside with the delivery manager [3-DTA].
“CorpTech [had] the contractual relationship with the contractor despite the Project being delivered to QH which had the direct and primary interest” (1)
Co-design the digital service and its accompanying artifacts
Co-design with users
Involve users throughout the Service Design and Delivery Process to make sure their perspectives, needs and feedback are incorporated into the final service. Encourage shared ownership by co-designing accompanying artifacts, such as tutorials and guides, using language that is meaningful for all.
Consider cohort specific digital inclusion requirements (outlined below)
Tailor your digital service to meet the specific needs of users to promote inclusion and make sure support is provided at the appropriate level. Consider how you will apply the following cohort specific requirements when designing and delivering digital services.
Figure 1. Board membership (lower figure) from multiple organisation units (top figure)
19. It is important that members of the board are not conflicted in decision-making, for example, an external vendor on a board that makes decisions on the vendor’s scope or payment. To avoid a conflict of interest, external supplier interests could be represented in a separate advisory committee, or represented by internal procurement management, as appropriate to the needs of the project.
People: Core Literacy, Experience and Culture
Corporate boards have moved away from an emphasis on stakeholder representation to skills-based composition. Project boards should also look past stakeholder representation to consider the skills and capabilities that members contribute. Board members should include external members, and be chosen for their authority, expertise, experience, status and connection (11), focusing on people who:
- Are authorised to represent the interests of the area they represent;
- Can provide necessary resources; and
- Are committed to the project outcomes (10, 28).
Project boards rarely have the time or luxury to be able to develop complete knowledge of all aspects of any project. Some literacies can readily be taught, helping board members know what to look for and the questions to ask. Project board training can help rapidly develop core literacies (11, 21). Other board member capabilities are developed through years of experience. We differentiate between SROs’ and board members’ digital project literacies (Table 4), the collective experience the board should contain (Table 5), and the culture, attitude and behaviours that need to be established for a digital project board to be effective (Table 6).
Core Literacy
Table 4: Foundational literacy all project board members should have

| Capability | Description |
| --- | --- |
| Benefits and outcomes | Understanding of benefits management processes, and the relationship between outputs and outcomes, benefits and value (23, 40) |
| Communication in the context of change | Understanding the importance of a project narrative, creating a culture of transparency, stakeholder identification, constructive conflict and feedback loops (20) |
| Project management foundations | Understanding of key project management concepts, giving the board the ability to question aspects of the project lifecycle, critical path, earned value, burn rate and baselines (5, 15, 23) |
Core Experience
The expertise needed on the Board should be guided by key areas of risk, both enterprise and project delivery.
Table 5: Common expertise requirements for Digital Project Boards

| Skills | Description |
| --- | --- |
| Business expertise | Understanding of the business, impacts and change required for end users, allowing the board to maintain sight of the business logic of the project (5, 15, 23) |
| Operations expertise | Understanding of the operational environment to ensure the solution is integrated, maintainable and sustainable within the existing IT applications portfolio (29) |
| Digital project management expertise | Understanding of digital projects, their lifecycle, risks, ideally with experience in a similar type of project (e.g. AI, SAAS, risk tier) |
| Interpersonal skills and social capital | Strong networks and relationships that support negotiation, decision-making, issue resolution, stakeholder management, effective communication and resourcing (5, 28) |
| Digital, data and cyber expertise | Depending on the project type and stage, deep technical expertise may be required |
| Legal and policy | Depending on the project type and stage, regulatory and policy expertise may be required |
| Procurement and contract management | Depending on the project type and stage, expertise in procurement and contract management may be necessary |
| Independence | Balancing the need for vested interests, ensuring there is someone who can view the project and its progress objectively and independently |
| Supplier expertise | Depending on the project, experience and knowledge of the product, implementation approach and supply chain |
| Interdependencies | Knowledge of areas the project has interdependencies with, for example, resourcing, systems integration |
| Employee/customer experience | Expertise in ensuring a solution is well suited to the needs of the users of project deliverables |
| Change management expertise | Experts in communicating and designing organisational change, reducing resistance and increasing uptake of change |
| Financial expertise | Depending on the complexity, size, risk and procurement strategy of the project |
Culture, Attitude and Behaviours
Table 6: Attitudes and behaviours required on project boards

| Culture | Description |
| --- | --- |
| Skin in the game | Members should have a genuine interest, commitment and ownership of the project's success (28) |
| Psychological safety | Boards need to foster a no-blame environment where people feel safe with constructive conflict, raising ideas and escalating issues (23, 41) |
| "Can do" agency | Board membership is not a passive role. Members should take action to ensure they have the right information to support decisions and proactively identify strategies that enhance project success (23) |
| Time commitment | Board members often underestimate the time involved. Members must ensure they are suitably informed, attending meetings and prepared to support decision-making (11, 23, 42) |
| Courage | Courage to stop a project, escalate risks or reset the project if the project does not have sufficient business justification and/or delivery confidence is low (1, 25) |
| Attendance | Continuity in core board membership facilitates historically informed decision-making. Use of deputies or proxies should be avoided as it signals a lack of commitment, dilutes accountability and can delay decision-making (11). Members should not attend just to report to others (28) |
| Decision expediency | Boards need to make decisions escalated to them in a timely manner, possibly despite incomplete information. Decisions should be clear and prioritise action (23, 43) |
| Value-focused | Boards should suspend self-interest and operate from a position of what is best for the organisation and project, optimising value from the project investment |
| Empowering | The project board can make the decisions it needs to so that the project is empowered to deliver |
| Humility | Openness to learning and adaptation – seeking robust advice from independent advisors and project assurance, seeking out lessons learned from similar projects, listening to user and reference groups, acting on recommendations (1, 44) |
Everyone has a stake but no one wants to be responsible
Interviewed governance professional, DTA
“SPER conducted at least 20 reviews (gateway reviews, program health checks and various other reviews)… SPER did not address warning signs raised through some of these reviews—including concerns with the lack of an operating model, the vendor’s product, and SPER’s relationship with the vendor” (3).
Audit office inquiry
Information flow: Reporting and Communications
Project reporting
Project Board meetings should be regular, scheduled and aligned as much as practical to the organisation’s financial reporting cycles, so that the project manager can give timely information on project progress and costs, and escalate issues beyond their delegation. Most digital project boards meet on a monthly basis and at key decision points, but the frequency of meetings should be adapted to project pace and risk (11), with the possibility of a higher meeting frequency, for example, when the project is close to go-live or release.
The content of board meetings is often influenced by the project manager, supported by key topics in project reports. To keep the board focused on decision-making, reports should focus on exceptions to planned progress, changes to scope, risks and relationships (11). The agenda and supporting project reports will need to adapt to maintain a focus on the critical decisions needed to progress the project (23, 43).
Project reporting should be “a single source of truth” to reduce reporting burden and to share with internal and external stakeholders, and contain the following (2):
- Key project milestones
- Spend to date and forecast spend to complete
- Earned value (or equivalent) to enable clear monitoring of work completed compared to plan
- Key workforce metrics
- Material risks
- Governance effectiveness metrics – feedback loops on quality of materials, engagement, debate and decision-making (e.g. short survey at end of each meeting)
- Change readiness indicators
- Go-live date
From the Review of the Modernising Business Registers Program
Production of reports for the board diverts resources from other project activities. The SRO needs to balance information requests from the board to the project team with the effort needed to produce them. There is also a tension in the timeliness of information for project reporting. Where possible, board meetings should be scheduled to minimise the lag between report data and the meeting. The board should regularly reflect on whether all sections of project reports play a role in the decisions the board makes. Removing redundant sections of reports can make it easier to focus on key information and reduce the project reporting burden. Focus for reports should be on exceptions, earned value, and differences between planned and actual progress.