AI Data Use Requires Explicit Owner Consent
AI applications must not use organisational data without getting explicit consent from the data owners first.
Plain language
This rule means that before you let AI use your business data to make itself smarter, you need to clearly ask for and get permission from the people who own that data. This matters because if you don't, you could accidentally misuse someone's data, leading to legal trouble or loss of trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Mar 2026
Control Stack last updated
18 June 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Organisational data generated, collected or processed by AI applications is not used for training, fine-tuning or improving AI models unless informed and explicit consent has been obtained from data owners in advance.
Why it matters
Failing to get consent can lead to misuse of data, legal penalties, and damage to your business reputation.
Operational notes
Regularly review and update consent procedures to stay aligned with legal requirements and business practices.
Implementation tips
- Managers should create a clear process to get permission from data owners whenever AI tools are to be used. They can set up a standard consent form that explains how the data will be used and what benefits or risks are involved.
- IT teams should ensure that AI systems log which data they use and confirm consent has been recorded. They can build an automatic check-in process where the system asks for consent details before using the data.
- Data protection officers should regularly review data use policies with AI applications. They can organise bi-annual meetings to discuss AI data use policies with department heads to ensure they remain compliant.
- Legal teams should verify that consent requirements align with privacy laws. They should stay up to date with changes to legislation and adjust consent processes as needed.
- HR should train employees about the importance of data consent in AI projects. They can develop an online course or workshop to ensure that everyone understands the processes and implications.
Audit / evidence tips
- Ask: the consent records. Request documents or logs that show data owner consent was obtained for AI data use. Look at: clear records with owner names and dates. Good: a well-organised log that shows who gave consent and when.
- Ask: data use policy documents. Check the business's policy on using data with AI tools. Look at: clear guidelines on when and how to get consent. Good: includes policies that specify explicit consent requirements.
- Ask: a report on AI data usage. Request a report detailing which data sets have been used for AI training or improvement. Look at: cross-reference with consent records. Good: data sets match the consent records.
- Ask: to see the training materials. Request access to the materials or courses employees attend about data consent. Look at: comprehensive modules on handling consent. Good: includes materials that teach why and how consent is critical.
- Ask: compliance review documents. Request records of periodic reviews ensuring compliance with consent rules. Look at: recent and thorough reviews with clear findings. Good: documents a process for identifying and addressing gaps.
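The cross-reference between an AI data usage report and the consent records can be automated. The sketch below is an added example, not part of the ISM or of this page's source; the record fields, data set names and purposes are constructed assumptions, and it treats consent as valid only when it is scoped to the purpose and dated strictly before the use.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not an ISM schema.
CONSENTS = [
    {"dataset": "hr-tickets", "owner": "A. Ng", "purposes": {"training"},
     "granted": date(2026, 1, 10)},
    {"dataset": "sales-crm", "owner": "B. Rao", "purposes": {"fine-tuning"},
     "granted": date(2026, 3, 2)},
]
USAGE_LOG = [
    {"dataset": "hr-tickets", "purpose": "training", "used": date(2026, 2, 1)},
    {"dataset": "sales-crm", "purpose": "fine-tuning", "used": date(2026, 2, 20)},
    {"dataset": "hr-tickets", "purpose": "fine-tuning", "used": date(2026, 2, 5)},
    {"dataset": "support-chat", "purpose": "training", "used": date(2026, 2, 9)},
]


def consent_gap(dataset, purpose, when, consents):
    """Return None if the use is covered by prior explicit consent, else the reason."""
    records = [c for c in consents if c["dataset"] == dataset]
    if not records:
        return "no consent record"
    scoped = [c for c in records if purpose in c["purposes"]]
    if not scoped:
        return "consent does not cover this purpose"
    # "In advance": with day-level dates, same-day consent cannot be shown
    # to precede the use, so fail closed and require a strictly earlier date.
    if not any(c["granted"] < when for c in scoped):
        return "consent recorded after use"
    return None


def audit(usage_log, consents):
    """Cross-reference every logged model-improvement use against consent records."""
    findings = []
    for entry in usage_log:
        reason = consent_gap(entry["dataset"], entry["purpose"],
                             entry["used"], consents)
        if reason:
            findings.append((entry["dataset"], entry["purpose"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(USAGE_LOG, CONSENTS):
        print(*finding, sep=" | ")
```

The same `consent_gap` check can run as a gate before a training or fine-tuning job starts, so a gap blocks the job instead of surfacing later in an audit.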
Cross-framework mappings
How ISM-2103 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.34 | ISM-2103 requires that organisational data handled by AI applications is not used to train, fine-tune, or improve AI models unless the da... | |
ISO 42001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 7.5 | ISM-2103 requires informed and explicit consent from data owners before organisational data from AI applications is used for training, fi... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.