ChatGPT can be useful for drafting emails, improving website copy, summarising public information, brainstorming ideas and turning messy notes into clearer documents. But it should not become the place where staff paste customer records, employee issues, payroll files, legal disputes, confidential contracts or business secrets.
For Australian SMEs, the safest starting point is simple: do not put anything into public ChatGPT that you would not be comfortable sending to an external software provider without a contract, security review and a clear business reason.
That does not mean businesses should avoid AI. It means they need rules.
The Office of the Australian Information Commissioner says organisations should not enter personal information, particularly sensitive information, into publicly available generative AI tools as a matter of best practice. The OAIC also warns that once personal information has been entered into AI systems, it can be difficult to track, control or remove.[1]
This guide explains what Australian SMEs should avoid putting into ChatGPT, why it matters, and how to use AI more safely.
First: not all ChatGPT use is the same
Before getting into the "do not paste" list, it is important to separate three different situations.
A staff member using a personal ChatGPT account is not the same as a business using ChatGPT Business, ChatGPT Enterprise or the OpenAI API under an approved company setup.
OpenAI says that for individual services such as ChatGPT, content may be used to train models unless the user opts out. OpenAI also says that business products such as ChatGPT Business, ChatGPT Enterprise and the API are not used for training by default.[2]
That difference matters, but it is not a free pass. Even with a business-grade AI tool, an Australian SME still needs to consider privacy obligations, customer expectations, contracts, access control, data retention, staff training and whether the AI tool is appropriate for that specific use case.
The practical rule is this:
- Public or personal AI account: treat it as unsafe for personal, sensitive, confidential or regulated information.
- Approved business AI environment: use only after proper privacy, cyber, legal and operational controls are in place.
Why this matters for Australian SMEs
The risk is not just that "ChatGPT might train on your data". That is only one part of the issue.
The bigger problem is that AI tools can create a new channel for data leakage. The Australian Cyber Security Centre's small-business AI guidance lists data leaks and privacy breaches, unreliable or manipulated AI outputs, and supply chain vulnerabilities as key cyber security risks for small businesses adopting cloud-based AI. It specifically recommends that small businesses define what data cannot be uploaded into AI systems, train staff, review vendor data handling, and remove or anonymise personal details before using AI applications.[3]
The National AI Centre's AI adoption guidance also recommends assigning accountability, creating an AI policy, maintaining records, managing risks, testing and monitoring AI systems, and keeping human oversight in place.[4]
In plain English: AI is not just a tool your staff use. It becomes part of your information-handling process. That means SMEs need to know what should never go into ChatGPT.
1. Customer personal information
Do not paste customer personal information into public ChatGPT. That includes:
- names
- addresses
- phone numbers
- email addresses
- dates of birth
- customer reference numbers
- account notes
- support tickets
- order histories
- complaint details
- photos
- call transcripts
- screenshots containing identifying details
The OAIC gives examples of personal information including a person's name, signature, address, phone number, date of birth, photographs, IP addresses, biometric information and location information.[5]
Bad prompt: "Write a response to Jane Smith at 14 Example Street. Her order number is 88421 and she complained that our technician damaged her property."
Safer version: "Write a polite response to a customer who says a technician damaged property during a service visit. Do not admit liability. Ask for photos and say the matter will be reviewed."
The second version gives ChatGPT the situation without exposing the person.
2. Sensitive information
Sensitive information needs stricter treatment than ordinary personal information. The OAIC describes sensitive information as including information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, criminal record, health or genetic information, and some biometric information.[5]
For SMEs, this can appear in everyday places:
- medical certificates
- workers compensation records
- disability adjustments
- counselling notes
- injury claims
- employee grievances
- background checks
- HR complaints
- customer vulnerability notes
- NDIS or aged-care records
- child-related information
- identity verification documents
Do not paste this information into public ChatGPT. Even if the task seems harmless, such as "summarise this complaint" or "make this medical certificate easier to understand", the data itself may be too sensitive to share.
3. Health, medical, allied health and care records
Health information is particularly risky. This matters for medical practices, allied health clinics, psychology practices, dental clinics, gyms, childcare providers, aged-care providers, disability service providers and any business that handles health information.
Ahpra's guidance for health practitioners warns that generative AI tools such as ChatGPT may store data outside Australia, and that entering personal information into an AI tool that stores data offshore could lead to unintentional breaches of Australian privacy laws.[6]
Do not paste patient or client records into public ChatGPT, including:
- consultation notes
- health summaries
- referral letters
- pathology results
- appointment transcripts
- therapy notes
- medication information
- injury details
- mental health notes
- disability support plans
If an AI scribe or healthcare AI tool is being considered, it needs a separate review covering consent, data storage, privacy policy updates, access control, accuracy checks and clinical responsibility.
4. Payroll, finance and tax information
Payroll and finance data should not go into public ChatGPT. This includes:
- payslips
- payroll exports
- superannuation details
- bank account numbers
- credit card information
- tax file numbers
- invoices containing personal details
- debt collection notes
- financial hardship information
- profit and loss reports that are not public
- internal budgets
- supplier payment details
Tax file numbers need special care. The OAIC says the Privacy (Tax File Number) Rule 2015 regulates the collection, storage, use, disclosure, security and disposal of individuals' TFN information, and that TFN recipients must not record, collect, use or disclose TFN information unless permitted under taxation, personal assistance or superannuation law.[7]
For SMEs, the safe rule is clear: never paste TFNs, payroll exports or bank details into public ChatGPT. If you want AI help with finance workflows, use fake or sample data when brainstorming. Use approved accounting, payroll or automation systems for real data.
5. Employee records and HR issues
Do not paste identifiable staff information into public ChatGPT. That includes:
- employment contracts
- performance reviews
- disciplinary notes
- salary information
- medical certificates
- workplace complaints
- bullying or harassment allegations
- candidate resumes
- interview notes
- redundancy plans
- internal Slack, Teams or email threads about staff
This is not just a privacy issue. It is also a trust issue. A staff member may not reasonably expect their manager to copy a performance issue, medical note or complaint into a public AI chatbot. If AI is used in HR, the workflow should be approved, documented and subject to human review.
Bad prompt: "Summarise this performance issue with Sarah in accounts and draft a warning letter."
Safer prompt: "Draft a general performance improvement letter for an employee who has missed recurring reporting deadlines. Include a meeting invitation, support options and a request for measurable improvement."
6. Passwords, API keys and access credentials
Never put login details into ChatGPT. That includes:
- passwords
- API keys
- private keys
- authentication tokens
- SSH keys
- multi-factor recovery codes
- admin credentials
- database connection strings
There is no safe version of this. Never paste credentials into any AI tool.
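One way to back the "do not paste" rules in sections 1, 4 and 6 with a technical check is to scan text before it leaves the business. The sketch below is an added example, not part of the original article or any vendor's tooling; the function names and patterns are illustrative assumptions covering emails, Australian phone numbers, checksum-valid TFNs, private key headers, connection strings and password-style assignments.

```python
import re

# ATO check-digit weights for a 9-digit tax file number (TFN).
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
TFN_CANDIDATE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")

# Illustrative patterns for items on the article's "do not paste" lists.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "AU_PHONE": re.compile(r"(?<!\d)(?:\+61[ -]?|0)[2-478](?:[ -]?\d){8}(?!\d)"),
    "PRIVATE_KEY": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "CONNECTION_STRING": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@[^\s/]+"),
    "SECRET_ASSIGNMENT": re.compile(
        r"\b(?:password|passwd|api[_-]?key|secret|token)\b\s*[:=]\s*\S{6,}", re.I),
}

def is_valid_tfn(digits):
    """True if a 9-digit string passes the TFN weighted checksum (mod 11)."""
    return len(digits) == 9 and sum(
        int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

def scan_prompt(text):
    """Return non-overlapping (label, start, end) findings, in text order."""
    hits = [(label, m.start(), m.end())
            for label, rx in PATTERNS.items() for m in rx.finditer(text)]
    hits += [("TFN", m.start(), m.end()) for m in TFN_CANDIDATE.finditer(text)
             if is_valid_tfn(re.sub(r"\D", "", m.group()))]
    kept, last_end = [], 0
    # Earliest start wins; on a tie the longer match wins.
    for hit in sorted(hits, key=lambda h: (h[1], -h[2])):
        if hit[1] >= last_end:
            kept.append(hit)
            last_end = hit[2]
    return kept

def redact(text):
    """Replace every finding with a placeholder naming what was removed."""
    for label, start, end in reversed(scan_prompt(text)):
        text = text[:start] + f"[{label} REMOVED]" + text[end:]
    return text

# Constructed sample; none of these values belong to a real person or system.
SAMPLE = ("Reply to jane.smith@example.com (mobile 0412 345 678). "
          "Her TFN is 123 456 782, order ref 884 210 000. "
          "DB is postgres://crm_app:Winter2024x@db.example.internal:5432/crm "
          "and password = hunter2hunter2")
```

The checksum keeps ordinary nine-digit reference numbers from being flagged as TFNs. Pattern matching cannot recognise names, street addresses or the free-text detail of a complaint, so a check like this supports the staff rules rather than replacing them.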
7. Legal advice, contracts and disputes
Do not paste the following into public ChatGPT:
- signed contracts
- letters of demand
- court documents
- settlement offers
- legal advice received
- IP or patent applications
- confidential commercial agreements
- non-disclosure agreements
- insurance claim details
ChatGPT is not a lawyer. It is not protected by legal professional privilege. Anything entered could be stored, processed overseas, and may not be retrievable or deletable.
How to use AI more safely
The safest approach for Australian SMEs is to treat AI tools as business systems, not personal helpers. That means:
- Create an AI acceptable-use policy. Define which tools are approved, what data is allowed, when human review is required, and what to do if something goes wrong. You can generate a free starter policy using the AiBorz AI Policy Generator.
- Use approved business AI accounts. Move staff off personal ChatGPT and onto approved business environments with proper controls.
- Train staff. Show staff examples of bad prompts and safer alternatives. Make the rules practical, not theoretical.
- Check your AI readiness. The free AI Readiness Scorecard checks whether your business has the governance, systems and ownership to use AI safely.
- Consider a formal audit. If AI is touching customer data, staff records or business systems, a structured AI Readiness & Risk Audit ($3,500 + GST) maps the risks, systems and workflows before anyone builds anything.
AI is not something to avoid. It is something to control. The difference between useful AI and risky AI is almost always the rules, training and governance around it.
References
1. Office of the Australian Information Commissioner, "Guidance on privacy and generative AI," October 2023 and subsequent updates. oaic.gov.au
2. OpenAI, "How your data is used to improve model performance," Help Centre, 2024-2026. help.openai.com
3. Australian Cyber Security Centre, "Artificial Intelligence for Small Business," December 2024. cyber.gov.au
4. National AI Centre, "AI Adoption Guidance for Australian Business," 2024-2026. csiro.au/national-ai-centre
5. Office of the Australian Information Commissioner, "What is personal information?" and "What is sensitive information?" OAIC website. oaic.gov.au
6. Australian Health Practitioner Regulation Agency (Ahpra), "Generative AI guidance for health practitioners," 2024-2026. ahpra.gov.au
7. Office of the Australian Information Commissioner, "Tax File Numbers," OAIC website. oaic.gov.au