
AI Compliance Checklist

Reference

Purpose: Ensure AI projects comply with Australian Government requirements, legislation, and frameworks. Use throughout the project lifecycle to verify compliance and document evidence.

Checklist Coverage
  • Ethics: all 8 Australian AI Ethics Principles
  • Privacy: Privacy Act 1988 and the 13 Australian Privacy Principles (APPs)
  • Security: PSPF and ISM requirements
  • Accessibility: WCAG 2.1 AA and DTA standards

Living Document

This checklist should be maintained throughout your project. Review at each phase gate and update as requirements change.


How to Use This Checklist

  1. Complete relevant sections based on project phase
  2. Document evidence for each item
  3. Escalate any gaps to appropriate stakeholders
  4. Review with governance bodies as required
  5. Maintain as a living document

Compliance Status:
  • [ ] Not Started
  • [~] In Progress
  • [x] Complete
  • [N/A] Not Applicable


Section 1: Australian Government AI Ethics Framework

1.1 Human, Societal and Environmental Wellbeing

# Requirement Status Evidence Notes
1.1.1 Benefits and risks to individuals assessed [ ]
1.1.2 Societal impacts considered [ ]
1.1.3 Environmental impact assessed [ ]
1.1.4 Net benefit demonstrated [ ]

1.2 Human-Centred Values

# Requirement Status Evidence Notes
1.2.1 Respects human rights [ ]
1.2.2 Respects diversity [ ]
1.2.3 Supports individual autonomy [ ]
1.2.4 User research conducted [ ]

1.3 Fairness

# Requirement Status Evidence Notes
1.3.1 Bias testing conducted [ ]
1.3.2 Fairness metrics defined and met [ ]
1.3.3 Inclusive design applied [ ]
1.3.4 Discrimination risks mitigated [ ]

1.4 Privacy Protection and Security

# Requirement Status Evidence Notes
1.4.1 Privacy Impact Assessment completed [ ]
1.4.2 Data minimization applied [ ]
1.4.3 Security assessment completed [ ]
1.4.4 Access controls implemented [ ]

1.5 Reliability and Safety

# Requirement Status Evidence Notes
1.5.1 Testing comprehensive [ ]
1.5.2 Monitoring implemented [ ]
1.5.3 Fallback mechanisms in place [ ]
1.5.4 Safe failure modes defined [ ]

1.6 Transparency and Explainability

# Requirement Status Evidence Notes
1.6.1 AI use disclosed to affected people [ ]
1.6.2 Explanations available [ ]
1.6.3 Model card completed [ ]
1.6.4 Limitations documented [ ]

1.7 Contestability

# Requirement Status Evidence Notes
1.7.1 Challenge mechanism exists [ ]
1.7.2 Human review available [ ]
1.7.3 Appeal process documented [ ]
1.7.4 Contact point identified [ ]

1.8 Accountability

# Requirement Status Evidence Notes
1.8.1 Clear ownership assigned [ ]
1.8.2 Governance structure in place [ ]
1.8.3 Audit trail maintained [ ]
1.8.4 Responsibility for outcomes clear [ ]

Section 2: Privacy Act 1988 Compliance

2.1 Australian Privacy Principles (APPs)

APP Requirement Status Evidence Notes
APP 1 Open and transparent management of personal information [ ]
APP 2 Anonymity and pseudonymity options [ ]
APP 3 Collection of solicited personal information [ ]
APP 4 Dealing with unsolicited personal information [ ]
APP 5 Notification of collection [ ]
APP 6 Use or disclosure of personal information [ ]
APP 7 Direct marketing restrictions [ ]
APP 8 Cross-border disclosure of personal information [ ]
APP 9 Adoption, use or disclosure of government identifiers [ ]
APP 10 Quality of personal information [ ]
APP 11 Security of personal information [ ]
APP 12 Access to personal information [ ]
APP 13 Correction of personal information [ ]

2.2 Privacy Assessment

# Requirement Status Evidence Notes
2.2.1 Privacy threshold assessment completed [ ]
2.2.2 PIA completed (if required) [ ]
2.2.3 Privacy risks documented [ ]
2.2.4 Privacy controls implemented [ ]
2.2.5 Privacy notice updated [ ]

Section 3: Protective Security Policy Framework (PSPF)

3.1 Information Security

# Requirement Status Evidence Notes
3.1.1 Information classified correctly [ ]
3.1.2 Handling requirements met [ ]
3.1.3 Access controls appropriate [ ]
3.1.4 Transmission security adequate [ ]

3.2 Personnel Security

# Requirement Status Evidence Notes
3.2.1 Staff clearances appropriate [ ]
3.2.2 Vendor personnel cleared [ ]
3.2.3 Training completed [ ]

3.3 Physical Security

# Requirement Status Evidence Notes
3.3.1 Physical access controlled [ ]
3.3.2 Equipment secured [ ]

Section 4: Information Security Manual (ISM)

4.1 General Controls

# Requirement Status Evidence Notes
4.1.1 Risk assessment completed [ ]
4.1.2 Security plan documented [ ]
4.1.3 Incident response plan in place [ ]

4.2 Access Control

# Requirement Status Evidence Notes
4.2.1 Principle of least privilege applied [ ]
4.2.2 Multi-factor authentication enforced for privileged, remote and administrative access (phishing-resistant where the ISM requires it) [ ]
4.2.3 Access reviews scheduled [ ]

4.3 Software Security

# Requirement Status Evidence Notes
4.3.1 Secure development practices [ ]
4.3.2 Code review completed [ ]
4.3.3 Vulnerability assessment done (application code, third-party dependencies, and the model and data pipeline) [ ]
4.3.4 Penetration testing (if required) [ ]

4.4 Data Security

# Requirement Status Evidence Notes
4.4.1 Data encrypted at rest using ASD Approved Cryptographic Algorithms [ ]
4.4.2 Data encrypted in transit using ASD Approved Cryptographic Protocols (e.g. TLS) [ ]
4.4.3 Key management in place (key generation, storage, rotation and revocation documented) [ ]
4.4.4 Data backup and recovery [ ]

4.5 Network Security

# Requirement Status Evidence Notes
4.5.1 Network segmentation [ ]
4.5.2 Firewall rules documented [ ]
4.5.3 Intrusion detection/prevention [ ]

Section 5: Digital Service Standard

5.1 User-Centred Design

# Requirement Status Evidence Notes
5.1.1 User needs researched [ ]
5.1.2 User testing conducted [ ]
5.1.3 Iterative development [ ]
5.1.4 Feedback mechanisms in place [ ]

5.2 Accessibility (WCAG 2.1)

# Requirement Status Evidence Notes
5.2.1 WCAG 2.1 AA compliance [ ]
5.2.2 Accessibility testing completed [ ]
5.2.3 Assistive technology compatible [ ]

Section 6: Anti-Discrimination Legislation

6.1 Non-Discrimination

# Requirement Legislation Status Evidence
6.1.1 Age discrimination prevented Age Discrimination Act 2004 [ ]
6.1.2 Disability discrimination prevented Disability Discrimination Act 1992 [ ]
6.1.3 Sex discrimination prevented Sex Discrimination Act 1984 [ ]
6.1.4 Racial discrimination prevented Racial Discrimination Act 1975 [ ]
6.1.5 Indirect discrimination considered Various [ ]

Section 7: Administrative Law

7.1 Decision-Making Requirements

# Requirement Status Evidence Notes
7.1.1 Proper authority for decision [ ]
7.1.2 Relevant considerations applied [ ]
7.1.3 Irrelevant considerations excluded [ ]
7.1.4 Procedural fairness observed [ ]
7.1.5 Reasons for decision available [ ]
7.1.6 Review rights communicated [ ]

7.2 Automated Decision-Making

# Requirement Status Evidence Notes
7.2.1 Legal authority for automation [ ]
7.2.2 Human oversight appropriate [ ]
7.2.3 Manual override possible [ ]
7.2.4 Audit trail maintained [ ]

Section 8: Data Governance

8.1 Data Management

# Requirement Status Evidence Notes
8.1.1 Data ownership defined [ ]
8.1.2 Data quality standards met [ ]
8.1.3 Data catalogue entry created [ ]
8.1.4 Retention schedule applied [ ]
8.1.5 Disposal procedures in place [ ]

8.2 Data Sharing

# Requirement Status Evidence Notes
8.2.1 Data sharing agreements [ ]
8.2.2 Third-party access controlled [ ]
8.2.3 Cross-agency sharing authorized [ ]

Section 9: Cloud and Hosting

9.1 Cloud Security

# Requirement Status Evidence Notes
9.1.1 Cloud provider and service IRAP-assessed to the required classification (and certified under the Hosting Certification Framework where applicable) [ ]
9.1.2 Data residency and sovereignty requirements met (data, backups and model artefacts hosted in Australian data centres) [ ]
9.1.3 Cloud security assessment reviewed and residual risks accepted by the authorising officer [ ]
9.1.4 Shared responsibility model documented (which controls the provider operates and which the agency operates) [ ]

Section 10: Procurement and Contracts

10.1 Vendor Requirements

# Requirement Status Evidence Notes
10.1.1 Vendor security assessment [ ]
10.1.2 Subprocessors documented [ ]
10.1.3 AI-specific contract clauses [ ]
10.1.4 Exit/transition provisions [ ]
10.1.5 IP ownership clarified [ ]

Summary Assessment

Compliance Status by Section

Section Items Complete In Progress Not Started N/A
AI Ethics Framework
Privacy Act
PSPF
ISM
Digital Service Standard
Anti-Discrimination
Administrative Law
Data Governance
Cloud Security
Procurement
TOTAL
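The summary table above is a tally of the status markers in every row of the checklist. As an added example (not part of the original checklist), the following Python script computes that table from a plain-text copy of the checklist, lists the outstanding items, and flags rows ticked complete with an empty evidence cell, which is the gap a reviewer most often finds at sign-off. It assumes rows keep the format used on this page (an item id such as `1.4.2` or `APP 11`, the requirement text, then one of the legend's status tokens, then evidence/notes); the sample rows are constructed.

```python
"""Tally the status markers of a plain-text compliance checklist.

Parses rows shaped like the checklist above ('1.4.2 Data minimization
applied [~] evidence...' or 'APP 11 Security of personal information [x]')
and builds the per-section summary, the outstanding-items list and a check
for 'complete' rows that carry no evidence. The sample text is constructed.
"""
import re
from collections import Counter, defaultdict

# Status legend used by the checklist.
STATUS = {"[ ]": "not_started", "[~]": "in_progress",
          "[x]": "complete", "[X]": "complete", "[N/A]": "na"}

SECTION_RE = re.compile(r"^Section\s+\d+:\s+(.+?)\s*$")
# A row starts with a dotted id (1.4.2) or an APP number (APP 11) and carries
# one status token; whatever follows the token is the evidence/notes cell.
ITEM_RE = re.compile(
    r"^(?P<id>\d+\.\d+\.\d+|APP\s+\d+)\s+(?P<req>.*?)\s*"
    r"(?P<status>\[ \]|\[~\]|\[[xX]\]|\[N/A\])(?P<rest>.*)$"
)


def parse_items(text):
    """Yield (section, item_id, requirement, status, evidence) per row."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section is not None:
            yield (section, m.group("id"), m.group("req").strip(),
                   STATUS[m.group("status")], m.group("rest").strip())


def tally_by_section(text):
    """{section: Counter(status -> n)}: the 'Compliance Status by Section' table."""
    counts = defaultdict(Counter)
    for section, _id, _req, status, _ev in parse_items(text):
        counts[section][status] += 1
    return dict(counts)


def outstanding(text):
    """Rows that are neither complete nor N/A, for the 'Outstanding Items' table."""
    return [(s, i, r, st) for s, i, r, st, _ in parse_items(text)
            if st not in ("complete", "na")]


def missing_evidence(text):
    """Rows ticked complete with an empty evidence cell: a sign-off blocker."""
    return [(s, i, r) for s, i, r, st, ev in parse_items(text)
            if st == "complete" and not ev]


def render_summary(counts):
    """Render the summary table in the same column order as the checklist."""
    lines = ["Section Items Complete In Progress Not Started N/A"]
    total = Counter()
    for section, c in counts.items():
        total.update(c)
        lines.append(f"{section} {sum(c.values())} {c['complete']} "
                     f"{c['in_progress']} {c['not_started']} {c['na']}")
    lines.append(f"TOTAL {sum(total.values())} {total['complete']} "
                 f"{total['in_progress']} {total['not_started']} {total['na']}")
    return "\n".join(lines)


# Constructed sample: two partially completed sections in the checklist format.
SAMPLE = """\
Section 4: Information Security Manual (ISM)

4.2 Access Control

# Requirement Status Evidence Notes
4.2.1 Principle of least privilege applied [x] IAM role review, March
4.2.2 Multi-factor authentication (where required) [~] rollout in progress
4.2.3 Access reviews scheduled [ ]

Section 2: Privacy Act 1988 Compliance

APP 8 Cross-border disclosure of personal information [N/A] no offshore processing
APP 11 Security of personal information [x]
"""

if __name__ == "__main__":
    print(render_summary(tally_by_section(SAMPLE)))
    for row in outstanding(SAMPLE):
        print("outstanding:", row)
    for row in missing_evidence(SAMPLE):
        print("complete but no evidence:", row)
```

Run it against the real checklist file by replacing `SAMPLE` with the file's contents; rows that fail to parse (for example a status token typed as `[X ]`) are silently skipped, so compare the TOTAL row's item count with the number of rows you expect before trusting the figures.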

Outstanding Items

Item Owner Due Date Priority (High/Med/Low)

Risk Assessment

Gap Risk Level (High/Med/Low) Mitigation Timeline

Sign-Off

Role Name Date Sign-Off
Project Manager [ ]
Privacy Officer [ ]
Security Officer [ ]
Legal Counsel [ ]
Ethics Lead [ ]

Version History

Version Date Author Changes
1.0 Initial checklist