Following reforms to the Privacy Act in 2024, a new privacy policy transparency obligation for automated decision-making (ADM) will commence on 10 December 2026.
This transparency obligation requires entities regulated under the Privacy Act to provide information in their privacy policies about the kinds of personal information used and decisions made using ADM, where the use of ADM has the potential to significantly affect individuals’ rights or interests.
There is potentially a broad scope for the application of the ADM transparency obligation. It is not limited to use of generative AI tools, or decisions that are completely automated. The obligation will apply to certain decisions that are assisted by a computer program, even where a human remains in the loop.
If your organisation uses computer systems, from AI tools to rule-based engines or even spreadsheets, to make or influence decisions about individuals, it will be important to consider whether this use falls within the new ADM transparency obligation. For many organisations, compliance will require more than a policy update. Instead, a considered review of systems, data flows and decision-making processes should be well underway before 10 December 2026.
What is automated decision-making?
ADM is not defined in the Privacy Act. Instead, the new transparency obligation under Australian Privacy Principle (APP) 1.7 focuses on whether a regulated entity has arranged for a computer program to make a decision, or to do something that is substantially and directly related to making a decision.
The term “computer program” has its ordinary meaning and extends well beyond generative or agentic AI to cover a wide range of technologies, including commonly-used software, apps, or word-processing tools. The Office of the Australian Information Commissioner (OAIC) has also stated that “[g]enerative AI tools used to generate text, images, videos, code or synthesis, including chatbots, all fall within the definition of computer program for the purpose of the ADM obligation” (OAIC ADM Issues Paper, 18 May 2026).
Scope of the ADM transparency obligation
The types of ADM that require disclosure in a regulated entity’s privacy policy from 10 December 2026 are those that satisfy all three of the limbs described below:
1. Responsibility: The entity has arranged for a computer program to make, or do a thing that is substantially and directly related to making, a decision.
The meaning of ‘making a decision and doing a thing’ includes refusing or failing to make a decision or do a thing (APP 1.9). The use of the words ‘arranged for’ is intended to recognise that a computer program may be supplied, hosted or operated by one entity, while another entity is responsible for arranging for the computer program to make or assist in making a decision. The key take-away is that the ADM transparency obligation sits with the regulated entity that ‘arranged for’ the computer program to make or assist with making the decision. This is particularly important in the context of third party platforms and software-as-a-service (SaaS) solutions. For example, the transparency obligation for a system that is used to screen and rank job applications to determine who to employ sits with the entity that procured and deployed that system, not the third party supplier of the system. The OAIC cautions regulated entities to ensure that, during and after procurement, they monitor third party ADM usage: “Entities should actively identify, assess and keep oversight over how a [third] party product/service uses ADM. Amongst other considerations, entities should understand how ADM is being used in a [third] party product/service to make or assist decisions and what types of decisions are being made.” (OAIC ADM Issues Paper, 18 May 2026).
2. Materiality threshold: The decision could reasonably be expected to significantly affect the rights or interests of an individual.
A decision may affect an individual’s rights or interests, whether the individual is adversely or beneficially affected (APP 1.9). The decision must be capable of significantly influencing an individual’s circumstances. This includes decisions affecting contractual rights (such as an insurance policy), access to services, or eligibility for benefits or opportunities, regardless of whether the impact is positive or negative. Significance is context-specific and may be greater where the affected person is vulnerable, such as a child or a person in financial difficulty. The Explanatory Memorandum accompanying the ADM legislative reform also notes that the use of computer programs to target content or advertisements may significantly affect the rights or interests of an individual, such as where it results in differential or dynamic pricing for significant goods or services or limits employment opportunities.
3. Personal information: Personal information about the individual is used in the operation of the computer program to make the decision or do the thing that is substantially and directly related to making the decision.
The words ‘do a thing that is substantially and directly related to making a decision’ in APP 1.7(a) reflect that a computer program may be used to recommend a decision to a human decision-maker, or guide a human decision-maker. The key take-away point is that the ADM transparency obligation is not limited to fully automated decisions, but also applies to assisted decision-making. A human in the loop does not necessarily take an arrangement outside the new framework. If the software or other computer program is a key factor in facilitating the human decision, the transparency obligation may still arise. The OAIC has provided the following example to illustrate this point: “if a pre-programmed formula in Microsoft Excel was used to score and triage people calling a domestic violence crisis hotline, which was a key factor in a human decision-maker making a decision of what order to attend a person’s call, this would be considered ‘directly related’ and ‘substantially related’ to making a decision. However, if the pre-programmed formula in Microsoft Excel was used to only arrive at an age in years from a date of birth entered into the spreadsheet, this may be ‘directly related to’ making a decision, but would not be ‘substantially related to’ making a decision.” (OAIC ADM Issues Paper, 18 May 2026).
This has real practical implications. For example, a contract management platform, CRM, underwriting engine, recruitment platform, customer support tool or compliance workflow may not “make” the ultimate decision by itself, but if its output materially steers the decision-maker, it may still fall within the scope of APP 1.7 and require disclosure in the regulated entity’s privacy policy.
What information must be disclosed under the ADM transparency obligation?
If a regulated entity determines that its use of ADM satisfies the three-limb test above, it must disclose the following information in its privacy policy from 10 December 2026 under APP 1.8:
- the kinds of personal information used in the operation of the computer programs;
- the kinds of decisions made solely by the operation of such computer programs; and
- the kinds of such decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of such computer programs.
A roadmap to compliance
The new ADM transparency obligation has the potential to apply to a broad range of existing practices of regulated entities. The OAIC intends to publish guidance to assist regulated entities in meeting their obligations under APP 1.7 to 1.9 and commenced public consultation on 18 May 2026. Consultation closes on 15 June 2026 and guidance is anticipated in September 2026.
However, regulated entities should not wait for the OAIC’s guidance before beginning their compliance work. To be ready for 10 December 2026, regulated entities should commence (if they have not already) an internal review of systems, workflows and decision-making processes well before the deadline.
In practice, this means:
- Auditing existing systems: identifying all internally developed and third party systems where automated or assisted decision-making is occurring, including those where automation has been introduced incrementally or through software updates;
- Applying the threshold test: assessing whether identified systems involve decisions that could significantly affect individuals’ rights or interests, and whether personal information is used;
- Mapping personal information and outputs: understanding what data each system uses and what outputs it generates, to form the basis of privacy policy disclosures; and
- Building ongoing governance: embedding this assessment into procurement, implementation and change management processes, particularly where existing software vendors introduce new AI or automation functionality over time. A ‘set and forget’ approach will not support ongoing compliance with the ADM transparency obligation; regular review and update of privacy policies will be required.
If you would like to discuss how these reforms may affect your organisation, please contact Sophie Bradshaw or Sarah Gilkes.