FairWorkMate

Microsoft Copilot for HR — what Australian privacy law requires you to set up first


Microsoft 365 Copilot is being rolled out to HR teams across Australia in 2026. Here's what the Privacy Act 1988, Notifiable Data Breach scheme and the Fair Work Act actually require you to lock down BEFORE you turn it on for HR — and the Copilot permissions trap that catches almost everyone.


Rachel Morrison · Senior Workplace Relations Writer · GradDip Employment Relations, Griffith University

Why Copilot is a workplace-compliance question, not just an IT question

Microsoft 365 Copilot landed broadly in Australian businesses through 2025 and accelerated in 2026. Most rollouts start with the finance team or the marketing team, where the data is sensitive but the legal exposure is narrow. Then someone in HR opens it up — and the rules change completely.

HR data is the most regulated category of information a typical Australian business holds. Performance reviews, medical certificates, complaints, exit interviews, salary records, disciplinary letters — all of it is covered by the Privacy Act 1988 and the Australian Privacy Principles (APPs), and most of it also sits inside the Fair Work Act's record-keeping obligations.

The single biggest Copilot misstep we see in HR rollouts is treating it as a productivity tool first and a compliance tool second. Copilot doesn't create privacy risk — it surfaces the privacy risk that was already there in your SharePoint and OneDrive permissions, by making everything searchable in plain English in a sidebar an HR business partner has open all day.

The four privacy + workplace law tests Copilot has to pass before HR uses it

Test 1: APP 6 — use of personal information. Personal information collected for one purpose can only be used for that purpose unless an exception applies. Copilot summarising a performance review in a chat sidebar may technically count as a new use of that information. The fix is governance — define the use, document it, train the team.

Test 2: APP 11 — security of personal information. You must take reasonable steps to protect personal information from unauthorised access. Copilot inherits SharePoint + OneDrive permissions. If your "HR — Confidential" folder is actually permissioned to "Everyone except External Users" because someone fixed a sharing problem in 2022 and forgot, Copilot will happily summarise it for whoever asks.

Test 3: Notifiable Data Breach scheme. If a Copilot summary puts HR data in front of a staff member who should not have had it, that is unauthorised access or disclosure, and if a reasonable person would conclude it is likely to result in serious harm to the people involved, it is an eligible data breach that must be notified to the OAIC and to those individuals. You have 30 days from becoming aware of grounds to suspect a breach to complete the assessment, and that clock starts on the day you become aware, not on the day you get around to looking.

Test 4: Fair Work Act s.535 record-keeping. Employee records must be kept accurate and accessible for 7 years. Copilot doesn't change that obligation. It does mean any AI-generated text that ends up in an HR record (e.g. a manager pastes a Copilot draft into a warning letter) is now part of the legal record.

The Copilot permissions trap — what we see go wrong

The pattern goes like this. A workplace runs Copilot on a finance pilot for three months — works fine, no incidents. They expand to HR. Within two weeks, an HR business partner asks Copilot to "summarise the recent performance issues for [Person X]". Copilot returns a perfect summary — including content from a confidential investigation file that was supposedly only accessible to two people.

What happened: the investigation file sat in a document library that inherited its permissions from the HR site, and the site had been shared with the wider HR team six months earlier. The two-person restriction was a note in the file name, not a permission. Copilot enforces permissions, not naming conventions: it retrieves only what the asking user can already open, and the HR business partner could always have opened that file via SharePoint search. They just never thought to look.

This is the Copilot rule: "Copilot is only as safe as your SharePoint + OneDrive permissions on the day you turn it on." Most organisations have years of accumulated permissions debt. Copilot makes that debt visible to every user with a single-sentence prompt, because every query runs under that user's own identity and reaches everything that identity can already reach.

What to do before HR uses Copilot

  1. Audit SharePoint + OneDrive sharing on every HR site. Pull the permissions report. Look for "Everyone except external users", "Everyone", and anonymous or "anyone in the organisation" sharing links, and check which libraries and folders inherit permissions from the site rather than holding their own: a library that inherits is exactly as open as its parent, whatever its name says. Remove broad grants or replace them with explicit security groups.
  2. Apply sensitivity labels to HR data. Microsoft Purview sensitivity labels (Confidential, Highly Confidential) keep labelled content out of Copilot responses for users who lack rights to it, but only when the label applies encryption: Copilot honours the usage rights the label assigns, so a label that merely stamps a header or watermark does not restrict anything.
  3. Restrict Copilot at the licence level for HR pilots. Licences control who can use Copilot, not what it can reach, so pair a small pilot group with a content scope you have verified: their own work and their direct reports, confirmed through the permissions audit rather than assumed.
  4. Update your workplace policy on AI use. Many workplace policies pre-date Copilot. Spell out what HR can and can't put into Copilot (rule of thumb: nothing you wouldn't put in a shared email).
  5. Add Copilot output to record-keeping training. Make sure managers know that AI-generated drafts they put into employee files become part of the legal record.
  6. Plan for the Notifiable Data Breach scenario. Run a tabletop exercise — what would you do if a Copilot summary accidentally surfaced something it shouldn't have to the wrong manager?
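The permissions trap described above and step 1 of the checklist, as an added worked example that is not FairWork Mate's, Microsoft's or Frontrow Tech's code: a small Python model of how SharePoint resolves permissions through inheritance (each site, library or file either inherits from its parent or holds its own role assignments), with the catch-all-principal and sharing-link scan from step 1 run over a constructed HR site. The site layout, group memberships, user names and link URL are constructed for the example; the claim-string prefixes for "Everyone" and "Everyone except external users" are the ones SharePoint Online uses. A real audit would export the role assignments from the SharePoint admin centre or PnP PowerShell and feed them into checks shaped like these.

```python
"""Added example: a model of SharePoint permission inheritance plus the
catch-all-principal scan from step 1. All data below is constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Claim-string prefixes SharePoint Online uses for its two catch-all principals.
# "Everyone except external users" is followed by the tenant ID, so match on the prefix.
BROAD_PRINCIPALS = {
    "c:0(.s|true": "Everyone",
    "c:0-.f|rolemanager|spo-grid-all-users/": "Everyone except external users",
}
# Sharing-link scopes that reach beyond explicitly named people.
BROAD_LINK_SCOPES = {"anonymous", "organization"}


@dataclass
class Securable:
    """A site, library, folder or file. It either inherits its parent's role
    assignments or carries its own (HasUniqueRoleAssignments in SharePoint)."""
    name: str
    parent: Optional["Securable"] = None
    has_unique_role_assignments: bool = False
    # principal (user, group name or claim string) -> roles; any role here implies read
    role_assignments: dict = field(default_factory=dict)
    # (scope, url) pairs for sharing links on this object; assumed shape, constructed
    sharing_links: list = field(default_factory=list)


def is_broad(principal: str) -> Optional[str]:
    """Return the human label if the principal is a catch-all, else None."""
    for prefix, label in BROAD_PRINCIPALS.items():
        if principal.startswith(prefix):
            return label
    return None


def permission_scope(obj: Securable) -> Securable:
    """Walk up to the nearest object that actually holds role assignments.
    This is what SharePoint (and therefore Copilot) evaluates; the file name is never consulted."""
    node = obj
    while not node.has_unique_role_assignments and node.parent is not None:
        node = node.parent
    return node


def can_read(obj: Securable, user: str, group_members: dict, is_guest: bool = False):
    """Return (allowed, name of the object whose role assignments decided it)."""
    scope = permission_scope(obj)
    for principal in scope.role_assignments:
        label = is_broad(principal)
        if (principal == user
                or user in group_members.get(principal, set())
                or label == "Everyone"
                or (label == "Everyone except external users" and not is_guest)):
            return True, scope.name
    return False, scope.name


def audit(objects):
    """Step 1 of the checklist: flag every permission scope that grants a catch-all
    principal, and every sharing link wider than explicitly named users."""
    findings = []
    seen_scopes = set()
    for obj in objects:
        scope = permission_scope(obj)
        if scope.name not in seen_scopes:          # report each scope once
            seen_scopes.add(scope.name)
            for principal, roles in scope.role_assignments.items():
                label = is_broad(principal)
                if label:
                    findings.append((scope.name, label, sorted(roles)))
        for link_scope, url in obj.sharing_links:
            if link_scope in BROAD_LINK_SCOPES:
                findings.append((obj.name, f"{link_scope} sharing link", [url]))
    return findings


# Constructed HR site. The tenant ID in the claim string is a placeholder.
TENANT_ALL_USERS = "c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000"
HR_SITE = Securable("HR site", has_unique_role_assignments=True,
                    role_assignments={"HR Team": {"Edit"}, "HR Leadership": {"Full Control"}})
INVESTIGATIONS = Securable("Investigations library", parent=HR_SITE)      # inherits from the site
CASE_FILE = Securable("[RESTRICTED - 2 people] Smith investigation.docx", parent=INVESTIGATIONS)
PAYROLL = Securable("Payroll library", parent=HR_SITE, has_unique_role_assignments=True,
                    role_assignments={"Payroll Team": {"Edit"}, TENANT_ALL_USERS: {"Read"}})  # the old "fix"
MED_CERTS = Securable("Medical certificates library", parent=HR_SITE,
                      sharing_links=[("anonymous", "https://contoso.example/share/anon-1")])
ALL_OBJECTS = [HR_SITE, INVESTIGATIONS, CASE_FILE, PAYROLL, MED_CERTS]
GROUP_MEMBERS = {
    "HR Team": {"hr.bp@contoso.example", "hr.director@contoso.example"},
    "HR Leadership": {"hr.director@contoso.example"},
    "Payroll Team": {"payroll@contoso.example"},
}

if __name__ == "__main__":
    ok, where = can_read(CASE_FILE, "hr.bp@contoso.example", GROUP_MEMBERS)
    print(f"HR business partner can read the case file: {ok} (decided by: {where})")
    for scope_name, what, detail in audit(ALL_OBJECTS):
        print(f"FINDING {scope_name}: {what} {detail}")
```

Run as written, the model confirms the story in the article: the "restricted" case file is readable by any HR Team member because its library inherits from the HR site, and the audit flags the Payroll library's "Everyone except external users" grant and the anonymous link on the medical certificates library while saying nothing about the HR site itself, whose grants are to named groups.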

Need the technology side handled? FairWork Mate's IT partner Frontrow Tech runs Modern Workplace, Copilot rollouts and Essential 8 cyber for Australian businesses — from sole traders setting up Microsoft 365 properly all the way to multi-site enterprise HR teams. Mention FairWork Mate when you contact them.

How FairWork Mate can help

If you have a specific workplace-law question about a Copilot rollout — for example, can you compel an employee to opt in, what counts as AI surveillance under your state's surveillance act, or how to amend your employment contracts to cover AI-generated content — ask the FairWork Mate AI advisor. It cites the Fair Work Act + relevant FWC and Federal Court decisions.

If you need help with the technology setup — permissions audit, sensitivity labels, conditional access, Copilot governance config — that's where Frontrow Tech picks up. They specialise in Copilot rollouts for Australian businesses and have shipped this exact workflow many times.

And if you're reviewing your workplace policy on AI use, our templates include a starter AI-use clause you can adapt.


FairWork Mate is an independent commercial service. We are not affiliated with, endorsed by, or associated with the Fair Work Ombudsman, the Fair Work Commission, or any Australian Government agency. Content is general information and estimates only — not legal, financial, or tax advice. Always verify with the Fair Work Ombudsman (13 13 94) or a qualified professional.

About Rachel Morrison

Nine years in Australian workplace relations — Queensland hospitality HR, then retail ER in Brisbane and Northern NSW. Graduate Diploma in Employment Relations (Griffith University, 2018). Writes about award interpretation, underpayment recovery, and casual conversion. Member of the AHRI since 2019. Based in Paddington, Brisbane.

