AI & Agentic AI Use and Data Handling Policy

Future Ready Transformations
Version: 1.0 Effective date: 19 Nov 2025 Owner: Director
Applies to: Our website, consulting services, and any work delivered for clients where AI tools may be used.

• AI tools / Generative AI: Tools that produce text, code, images, or recommendations based on prompts and data.
   
• Agentic AI: AI that can take actions (e.g., create tickets, update records, trigger workflows) using configured permissions and rules.
   
• Client Data: Any data provided by or on behalf of a client (including personal information, operational data, confidential information).
   
• Personal information: Information about an identified or reasonably identifiable individual.
   

• Client-first control: Clients can request “no AI use” for specific engagements or data sets, and we will follow that instruction.
   
• Human oversight: AI outputs are treated as drafts or decision-support, not final truth. We validate material outputs before delivery.
   
• Data minimisation: We only use the minimum data needed to perform the task.
   
• Privacy-by-design: We design our ways of working to protect privacy and reduce risk from the start.
   
• Responsible AI practice: We align with recognised responsible AI guidance and risk management practices.
   

When we work with an organisation that has its own AI policy, privacy policy, security standards, or data handling requirements, we will comply with those requirements as agreed in the contract. If there is any conflict between this policy and a client’s written requirements, the client’s requirements prevail for that engagement (to the extent permitted by law).

• Draft or improve documents, without including sensitive identifiers unless approved
   
• Summarise long material and extract themes
   
• Produce options, frameworks, checklists, or test cases
   
• Assist with data analysis only where data is approved, minimised, and protected
   
• Support research and ideation using public sources
   

• Upload or input sensitive personal information into third-party AI tools
   
• Use AI to make automated decisions that materially impact individuals (e.g., eligibility, enforcement, adverse decisions)
   
• Allow agentic AI to take action in production systems (e.g., update customer records, send customer communications, change access/flags) without defined guardrails and approvals
   
• Use client data to train public AI models
   

A. Data classification and consent

• We classify data (e.g., public, internal, confidential, personal, sensitive) and apply handling controls accordingly.
   
• We follow client instructions on permitted tools, storage locations, and data movement.
   

B. Minimise and protect

• Prefer de-identified or aggregated data when possible.
   
• Remove or mask identifiers (names, addresses, account numbers) unless essential and permitted.
   
• Use secure storage and access controls consistent with the engagement’s risk level.
   

C. Tool selection and configuration

• Where possible, we select AI services that provide contractual assurances about data handling (e.g., not using submitted content to train their models) and enable appropriate security settings.
   
• We maintain an internal register of approved AI tools and the conditions under which they may be used.
   

D. Retention and deletion

• We retain Client Data only as long as needed for the engagement and then delete/return it per contract and agreed retention periods.
   

These controls support open and transparent handling expectations under Australian privacy principles where applicable. 

• Explicit scope: The agent’s purpose, permissions, and boundaries are documented.
   
• Least privilege: The agent gets the minimum access required.
   
• Human-in-the-loop: Material actions require approval/verification unless a client approves otherwise.
   
• Auditability: Logging is enabled for key actions and outputs.
   
• Kill switch: We maintain a clear method to pause/disable agent activity quickly.
   
• Environment controls: Prefer sandbox/test environments; production use requires client approval and defined change controls.
   

These practices align with established approaches to managing AI risk across the lifecycle.

• We implement reasonable security controls appropriate to the engagement (access controls, secure storage, controlled sharing, and vendor management).
   
• If we become aware of a suspected data incident affecting Client Data, we will notify the client promptly consistent with the contract and applicable obligations.
   

• Whether AI tools are being used in the engagement.
   
• The categories of tools (e.g., drafting/summarisation vs analysis vs agentic automation).
   
• The data handling approach (e.g., minimisation, masking, permitted tools).
   
• Any client-specific constraints applied.
   

Email: greg@futurereadytransformations.com
Business: Future Ready Transformations Pty Ltd (ACN 694 426 241)

We may update this policy from time to time to reflect changes in technology, risk, and guidance. We aim to maintain responsible AI governance aligned to recognised standards and principles.