AI Policies for Small Business: What Staff Should Never Paste Into AI Tools

Posted by Bob Singh on 21 May 2026
AI tools can be incredibly useful for small businesses. They can help staff draft emails, summarise notes, create marketing copy, analyse information and speed up routine tasks. Australian government guidance also recognises that AI adoption is growing quickly among small businesses because cloud-based tools make advanced capabilities more affordable and accessible.

But there is one problem many small businesses have not fully addressed yet: staff are often using AI before the business has set any rules around it.

That creates risk.

If your team is pasting customer information, internal documents, pricing details or confidential conversations into AI tools without clear boundaries, your business may already be exposing itself to privacy, security and reputational issues.

Why every small business needs a simple AI policy

An AI policy does not need to be long or legalistic to be useful.

It simply needs to answer questions like:

  • which tools staff are allowed to use
  • what information can be entered
  • what information must never be entered
  • when human review is required
  • who is responsible for oversight

This matters because official small business guidance warns of risks including data leaks, privacy breaches, unreliable outputs and vulnerabilities linked to third-party AI providers. It specifically recommends that businesses review what data is being shared, establish internal AI use rules, train staff, and define what information cannot be uploaded into AI systems.

If you do nothing else, having a clear “never paste this into AI” list is a strong place to start.

What staff should never paste into AI tools

Here is a practical list that most small businesses can adopt immediately.

1. Customer personal information

Never paste in:

  • full names with identifiable details
  • phone numbers
  • home addresses
  • email addresses
  • dates of birth
  • identification documents
  • payment details

If a task genuinely requires customer context, anonymise the information first.

2. Employee and HR information

This includes:

  • salaries and payroll data
  • employment contracts
  • performance issues
  • disciplinary matters
  • medical or leave information
  • recruitment notes

Staff information should be treated with the same care as customer information.

3. Financial records and banking details

Never enter:

  • bank account details
  • BAS information
  • tax file numbers
  • profit margins
  • unreleased financial reports
  • debtor or creditor information
  • credit card details

Sensitive financial material should stay inside approved business systems, not open-ended AI prompts.

4. Confidential client documents

This includes:

  • proposals
  • contracts
  • legal correspondence
  • strategic plans
  • unpublished campaigns
  • client reports
  • internal presentations prepared for clients

Even if the AI tool seems secure, staff should not assume that uploading confidential material is risk-free.

5. Passwords, login credentials or access information

This should go without saying, but it needs to be said anyway.

Never paste:

  • passwords
  • one-time codes
  • API keys
  • software licences
  • server credentials
  • security answers

No legitimate AI workflow should require this information.

6. Health or highly sensitive personal information

For businesses in wellness, health or allied services, this is especially important.

The Australian Cyber Security Centre warns that uploading personal and health information into AI systems can create serious privacy risks if not properly handled. It also recommends removing or anonymising personal details wherever possible and ensuring staff understand responsible AI use.

If the information could harm someone if exposed, do not paste it into a general AI tool.

7. Internal strategy, pricing or competitive information

This includes:

  • future pricing changes
  • margins
  • acquisition plans
  • marketing strategy
  • partnership negotiations
  • supplier issues
  • internal risk discussions

This sort of information may not look “private” in the same way as personal data, but it can still be commercially damaging if mishandled.

8. Anything you would not want forwarded outside the business

This is the simplest rule of all.

If you would not email it to an unknown third party, do not paste it into an AI prompt.

That one line alone can prevent a lot of poor judgement.

What your AI policy should say instead

A good small business AI policy can be short, clear and practical.

Here is a plain-English starting point:

Sample policy statement
Our business supports the responsible use of approved AI tools to improve productivity and service quality. Staff must not enter personal, confidential, financial, legal, medical or commercially sensitive information into AI systems unless explicitly authorised and properly anonymised. All AI-generated outputs must be reviewed by a human before being used externally, shared with customers or relied upon for business decisions.

That is not a full legal policy, but it is a solid operational starting point.

Five rules worth adding to your policy

Use approved tools only

Do not let staff use random free AI apps without oversight. Decide which platforms are acceptable.

Anonymise information before use

If you are using AI to summarise a case, rewrite the prompt so real people and businesses cannot be identified.

Human review is mandatory

Government guidance warns that AI outputs can be inaccurate, manipulated or fabricated. Businesses should verify outputs and keep a human involved in decision-making, especially in higher-stakes scenarios.

Do not rely on AI for regulated or sensitive advice without review

This is especially important in legal, financial, health and HR contexts.

Train staff, don’t just warn them

People make better decisions when they understand the reason behind the rule.

Responsible AI is becoming a business capability

Australian policy settings are moving toward safer, more responsible SME adoption of AI, with programs designed to help small and medium enterprises build capability, improve workforce skills and adopt AI more effectively. The Australian Government’s AI Adopt Program is part of that broader push toward responsible, practical business use.

That is a useful reminder: the goal is not to ban AI.

The goal is to use it well.

Businesses that put clear guardrails in place now will be in a much stronger position than businesses that let staff improvise their way into avoidable risks.

Final thought

AI can absolutely help small businesses move faster.

But speed without policy is risky.

A simple AI policy protects your customers, your staff, your reputation and your data. More importantly, it helps your team use these tools confidently and responsibly instead of guessing what is okay.

That is what mature adoption looks like.

