Artificial intelligence governance policy
Purpose
This policy ensures that agency strategic planning for artificial intelligence (AI) demonstrates a structured and consistent approach when evaluating AI solutions for transparency, accountability, and risk.
Policy statement
The Queensland Government plans the lifecycle of AI investments using structured and consistent methods to support agency, cross-agency, government, and cross-jurisdictional AI governance.
Policy benefits
The Queensland Government collects, stores, and manages significant collections of data and information about and on behalf of the community that can be processed with AI. To benefit from AI solutions, it is necessary for Queensland Government agencies to explain how an application of AI contributes to agency, government, or cross-jurisdictional business directions, and supports efficient and effective service delivery.
Effective strategic planning for AI can support agencies to govern its use in several ways, including:
- enhancing agency investment governance processes by providing a level of confidence that AI investments benefit the agency and avoid harm or bias
- providing an evidence-based approach for aligning decisions to the values and obligations of the Queensland Government
- facilitating collaboration opportunities to reduce duplication, manage risk, and leverage existing AI investments or capabilities
- increasing the information available to support evidence-based decisions
- increasing the appropriate selection of AI solutions to augment business capabilities
- assisting government stakeholders as they consider when it is appropriate to use of AI in reasoning and decision making
- mitigating information security risks associated with AI.
Applicability
This policy applies to all Queensland Government departments (as defined by the Public Sector Act 2022). This policy also applies to accountable officers (not already in scope of the Public Sector Act 2022) and statutory bodies under the Financial and Performance Management Standard 2019 in the context of internal controls, financial information management systems and risk management. Please see How to apply the QGEA for further information.
Policy requirements
1. Agencies must use a consistent and evidence-based process which incorporates an ethical framework to evaluate their transparency, accountability, and risk associated with the AI lifecycle
A comprehensive, consistent, and evidence-based evaluation process contributes to an agency’s management of risks and benefits. When evaluating AI solutions, agencies must use a structured risk assessment process that demonstrates appropriate consideration of all relevant factors pertaining to AI, and at a complexity appropriate for the AI solution. For agencies and accountable officers within the scope of this policy’s applicability statement, any selected evaluation process or approach must also satisfy any reporting requirements as per the ICT profiling standard.
2. Agencies must establish AI governance arrangements based on ISO 38507
Agencies must establish AI governance arrangements based on the current version of ISO 38507 Information technology - Governance implications of the use of artificial intelligence (AI) by organisations. AI governance should be consistent with existing agency governance structures such as ICT governance, agency risk governance, or Information Security Management System (ISMS) governance. AI governance ensures that AI use is efficient, effective, and acceptable and contributes towards business direction at an agency, cross-agency, government, and cross-jurisdictional level.
Advice
For further information on planning obligations, agencies should refer to the Financial and Performance Management Standard 2019 and the supporting Agency Planning Requirements.
For further information on a comprehensive, consistent, and evidence-based evaluation process for AI, see the National Framework for the Assurance of AI in Government , and instruments such as the Foundational AI risk assessment Framework (FAIRA) framework, ISO 42001, and ISO 22989.
Implementation
This policy comes into effect from the issue date.
Reporting requirements
This policy has specific reporting requirements:
No. | Reporting requirements | Date |
|---|---|---|
| 1 | The reporting requirements submitted as per the current QGEA ICT profiling standard (Queensland Government employees only). | as per ICT profiling standard |
Issue and approval
Issue date: September 2024
This QGEA policy is published within the QGEA and administered by the Queensland Government Customer and Digital Group. It was developed by QGCDG and approved by the Director-General, Department of Transport and Main Roads.