On this page

Download the SACSF Ruling 4 – Use Of DeepSeek In The South Australian Government

Purpose

This Ruling provides a direction to South Australian (SA) Government agencies under the South Australian Cyber Security Framework (SACSF) on the access, use, and installation of DeepSeek products, applications and web services.

The Australian Government has determined that the use of DeepSeek products, applications and web services pose an unacceptable level of security risk.

Scope

The SACSF applies to SA public sector agencies (as defined in section 3(1) of the Public Sector Act 2009) and to any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in this Ruling as “Agencies”.

This Ruling does not impact the use of DeepSeek on personal devices. However, agencies that accept the risks of the use of personal devices to access official, sensitive or security classified data (i.e. pursuant to remote access arrangements including Bring Your Own Device (BYOD) or equivalent) must formally assess the risk of DeepSeek as part of this policy position and should implement technical controls to mitigate the risks associated with the installation of DeepSeek on personal devices.

Ruling

Agencies must prevent the access, use or installation of DeepSeek products, applications and web services and where found remove all existing instances of DeepSeek products, applications and web services from all SA Government systems and devices.

Agencies must manage the risks arising from DeepSeek’s extensive collection of data and exposure of that data to extrajudicial directions from a foreign government that conflict with Australian law.

As of 5 February 2025, all agencies must:

  1. Identify and remove all existing instances of DeepSeek products, applications and web services on all SA Government systems and mobile devices.
  2. Implement technical controls to prevent the access, use or installation of DeepSeek products, applications and web services on all SA Government systems and devices.
  3. Instruct agency staff that they must not use DeepSeek for any government work purposes nor post any government information into DeepSeek applications or web services.

Exemptions:

  • The Accountable Authority may seek an exemption for a legitimate business reason, limited to national security and regulatory functions, for the use of DeepSeek products, applications and web services on government devices and must ensure that appropriate mitigations are in place.
  • A legitimate business reason is a need to install or access the DeepSeek products, applications or web services on a government system or mobile device to conduct business and/or achieve a work objective of an agency.
  • A legitimate business reason must be time limited, include mitigations, and be limited to where the use is necessary for the carrying out of national security or regulatory functions, including compliance and law enforcement functions.
  • Exemptions must be sought through the Office of the Chief Information Officer exemption process.

Roles and responsibilities

Accountable Authority - Accountable for the effective implementation of, and compliance with this Ruling within their agency.

Agency Security Executives - Responsible for ensuring that the Ruling is implemented within the agency and that business processes support the Ruling requirements.

Agency IT Security Advisor - Responsible for providing advice on application of this Ruling within the agency environment.

Definitions

Accountable Authority - The person or group of persons responsible for, and with control over, the agency’s operations (e.g. Chief Executive, Commissioner)

DeepSeek products, applications and web services - All products, applications, solutions, websites and web services supplied directly or indirectly by DeepSeek or any of its predecessor, successor, parent, subsidiary, or affiliate companies. This does not include open-sourced Large Language Models (LLM) where the entire codebase is available for inspection, the model is deployed locally on a government system, and appropriate mitigations are in place.

Devices - Government owned mobile devices, which includes all mobile phones, handheld computers, tablets, laptops, and personal digital assistants.