DeepSeek products, applications and web services policy
Purpose
The Queensland Government is committed to protecting information and minimising security risks associated with the use of information communication and technology (ICT) services, facilities and devices.
This policy states the Queensland Government’s position on using DeepSeek on government systems and devices. This policy is aligned to the Federal Government Direction 001-2025 on the use of DeepSeek products, applications and web services.
Policy statement
The Queensland Government prohibits the access, use or installation of DeepSeek products, applications and web services on any government provided information and communication technology (ICT) services, facilities and devices. This includes but is not limited to smartphones, tablets, laptops and desktops.
Policy requirements
Requirement 1:
Agencies must identify and remove all existing instances of DeepSeek products, applications and web services on all Queensland Government systems and devices.
Requirement 2:
Agencies must prevent the access, use or installation of DeepSeek products, applications and web services on all Queensland Government systems and devices.
Agencies can use capabilities of their fleet management platforms to identity, remove and prevent future installation of the DeepSeek applications on Queensland Government devices. Gateway and internet filtering products can be configured to restrict access to the DeepSeek web services.
Advice
Queensland Government employees should only use tools authorised by their agencies. Generative-AI tools should be adopted and deployed in a safe, secure and efficient manner, considering security, ethical, social, and legislative risks.
The Queensland Government Information security classification framework (QGISCF) details how Queensland Government agencies undertake information security classification of their information assets and holdings. Conducting a business impact level assessment and determining the security classification can assist agencies to understand the information’s importance and assess damage that could be caused if the information was compromised through AI. Personal and sensitive information should not be used as an input for any commercial AI tools.
The Queensland Government Artificial intelligence governance policy requires agencies to take a structured and consistent approach when evaluating AI solutions. Additional guidance is available in the Use of generative AI in Queensland Government guideline. Queensland Government employees should only utilise generative AI tools approved by their agencies such as QChat.
Agencies should strengthen supply chain risk management arrangements to accommodate emerging generative-AI technology risks, including transparency measures to minimise the introduction of additional risk in the supply chain.
Further information about mitigations is available in ASD’s Information security manual and in ACSC publication Guidance for engaging with artificial intelligence.
Scope
This policy applies to government provided information and communication technology (ICT) services, facilities and devices. It also applies to all employees, contractors, consultants, vendors and any other parties who have access to Queensland Government owned network, data or devices.
Agencies should ensure their “Bring Your Own Device” (BYOD) policies include considerations to mitigate the risk that applications such as DeepSeek and other AI products or services present.
Applicability
This policy applies to all Queensland Government departments (as defined by the Public Sector Act 2022). This policy also applies to accountable officers (not already in scope of the Public Sector Act 2022) and to statutory bodies under the Financial and Performance Management Standard 2019 in the context of internal controls, financial information management systems and risk management. Please see How to apply the QGEA for further information, including how to apply for an exception.
Agencies can apply for exceptions from the policy requirements and/or the reporting requirements as per QGEA alignment and exception (Government employees only). Where an agency has a departure from a sub requirement within a mandated standard or framework under this policy (e.g., departure from a single control), agencies can seek sign off by the agency accountable officer.
Other Queensland government entities, including local governments, are strongly encouraged to apply the policy as recommended better practice.
Implementation
This policy comes into effect from the issue date.
Policy benefits
This policy helps departments to manage the risks associated with use of the DeepSeek products, applications and web services and is consistent with Australian Government policy.
Issued
This QGEA policy is published within the QGEA and administered by the Queensland Government Customer and Digital Group. It was developed by the Cyber Security Unit.