Guide · Australian Privacy Act · ADM · 10 Dec 2026

What the Privacy Act AI changes mean for your business

From 10 December 2026, Australian organisations must disclose in their privacy policy where AI or automated processes make decisions that significantly affect individuals. The Privacy and Other Legislation Amendment Act 2024 introduced this obligation. This guide explains what it means, who it affects, and the steps to prepare. General information only, not legal advice.

General information only. Not legal advice. Review your obligations with a qualified privacy professional.

  • 10 Dec 2026: ADM transparency obligations begin
  • $66k: maximum infringement notice per contravention
  • 7 preparation steps in the checklist below
  • OAIC is the regulator for privacy complaints
01 What is changing

The Privacy Act now requires disclosure of automated decisions

The Privacy and Other Legislation Amendment Act 2024 (Cth) received Royal Assent on 10 December 2024 and rolls out in stages. The automated decision-making transparency obligations take effect on 10 December 2026.

From that date, organisations covered by the Privacy Act 1988 (Cth) must disclose in their privacy policy where personal information is used in computer programs to make, or substantially assist in making, decisions that could significantly affect individuals.

The same reforms also introduced a statutory tort for serious invasions of privacy (commenced mid-2025) and increased the regulator's enforcement tools, including infringement notices of up to $66,000 per contravention for certain breaches.

Source: Norton Rose Fulbright, Privacy Act reform summary and the OAIC.

Key dates (sourced)

  • 10 Dec 2024 · Royal Assent · Privacy and Other Legislation Amendment Act 2024 passed.
  • Mid-2025 · Statutory tort · Direct cause of action for serious invasions of privacy commenced.
  • 1 Jul 2026 · WA PRIS Act · WA public sector comes under a formal privacy regime.
  • 10 Dec 2026 (key date) · ADM transparency · Disclosure obligation for automated decision-making commences.
02 Plain English

What automated decision-making actually means

In scope
  • Screening job applicants against criteria using a computer program
  • Scoring or ranking customers for risk, creditworthiness, or eligibility
  • Triaging service requests or complaints using AI
  • Filtering or prioritising individuals using personal data
  • Setting individualised pricing or offers based on personal attributes
Probably in scope
  • AI tools that recommend whether to approve, decline, or escalate
  • Automated email or lead-routing systems that segment individuals
  • AI that flags individuals for further action based on personal data
  • Scoring tools where the output strongly influences the outcome
Likely out of scope
  • Chatbots that answer general questions without using personal data to decide outcomes
  • AI used to draft internal documents with no decision about an individual
  • Analytics tools that aggregate data without making individual-level decisions
  • AI used for internal scheduling or resource management with no individual impact

These categories are illustrative. Whether a specific process is in scope depends on your circumstances. Review with a qualified privacy professional.

03 Who is affected

Which organisations the obligation applies to

The automated decision-making transparency obligation applies to organisations already covered by the Privacy Act 1988 (Cth). That covers most private sector organisations with annual turnover above $3 million, certain health service providers, and others covered regardless of turnover.

Whether the small business exemption (for organisations with under $3 million turnover) applies in your situation depends on your specific circumstances. The OAIC is the primary source for current guidance on exemption scope: check oaic.gov.au and the Attorney-General's Department.

If you are unsure whether the Act covers your organisation, a qualified privacy professional can assess your position. Assuming you are exempt when you are not is a more common mistake than assuming you are covered.

01 Private sector with turnover above $3m

Generally covered. If you use AI in decisions affecting customers, employees, or other individuals, the ADM transparency obligation likely applies.

02 Health service providers

Covered regardless of turnover. Health data is sensitive information under the Privacy Act and the ADM obligation applies where personal health information is used in automated decisions.

03 Commonwealth agencies

Already subject to the Privacy Act and to the mandatory DTA Policy for the Responsible Use of AI in Government. The ADM obligation adds to existing transparency requirements.

04 Smaller businesses

Whether the small business exemption applies depends on your specific circumstances. Check with the OAIC or a privacy professional rather than assuming you are exempt.

04 Preparation checklist

Seven steps to prepare before December 2026

01 Map where AI touches personal information

List every AI tool or automated process your organisation uses. For each one, record what personal information goes in, what decisions or outputs it produces, and whether those outputs could significantly affect an individual. This is the foundation. Without it you cannot know which processes are in scope.

02 Identify which processes are automated decisions

An automated decision, in the context of the Privacy Act reforms, is one where a computer program uses personal information to make, or substantially help make, a decision that could significantly affect an individual. Screening applications, scoring leads, triaging service requests, and setting pricing based on individual data are common examples. Flag each one.

03 Draft your ADM disclosure for each in-scope process

For each automated decision process, write a plain-language disclosure: what is being decided, how automation is involved, what personal information is used, and what human review (if any) is in place. Our free ADM disclosure template gives you the structure to do this.

04 Update your privacy policy before 10 December 2026

Embed the ADM disclosures in your privacy policy, or reference a dedicated disclosure document from it. The privacy policy is where the legal obligation sits. A disclosure buried in a separate document that your policy does not reference may not satisfy the requirement.

05 Put human oversight in place for significant decisions

The ADM transparency obligation is about disclosure, not about requiring human override. However, good practice (and risk management) is to ensure a named person reviews automated outputs before they produce decisions that significantly affect individuals. Document who that person is and what their role in the process is.

06 Review your cross-border data flows

Many AI vendors process data offshore. If personal information leaves Australia, the Privacy Act cross-border disclosure obligations apply in addition to the ADM transparency requirement. Check each vendor's data residency position and update your privacy policy accordingly.

07 Set a review cadence for automated processes

Automated processes change. Vendors update their models. New tools are adopted. A one-off disclosure that is never reviewed becomes inaccurate and therefore non-compliant. Set a calendar reminder to review each ADM disclosure at least annually, and whenever the underlying process changes.

This checklist is also available as a dedicated resource: Privacy Act 2026 Compliance Checklist.

05 How VibeZero helps

Services and resources for the 2026 deadline

06 FAQ

Questions about the 2026 obligations

From 10 December 2026, organisations covered by the Australian Privacy Act 1988 (Cth) must disclose in their privacy policies where personal information is used in computer programs or automated processes to make, or substantially help make, decisions that could significantly affect individuals. This requirement was introduced by the Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024.

The obligation applies to organisations already covered by the Privacy Act 1988 (Cth). That covers most private sector organisations with annual turnover above $3 million, as well as certain health service providers, businesses that trade in personal information, and others that have opted in or are otherwise covered regardless of turnover. Whether the small business exemption applies to your organisation depends on your specific circumstances. If you are not sure whether the Privacy Act covers you, check with the OAIC or a qualified privacy professional.

The concept covers decisions where a computer program uses personal information to make, or substantially assist in making, a decision that could significantly affect an individual. Screening job applications, scoring customer risk, triaging complaints, setting individualised pricing, and filtering eligibility for services are commonly cited examples. Not every use of AI is an automated decision: a chatbot that answers general questions is different from a tool that decides whether your loan application advances.

No. The obligation is about transparency, not prohibition. You can still use automated processes in decisions that affect individuals. What you must do is disclose in your privacy policy that you do so, describe what personal information is used, and explain what the process involves. Good practice is also to have a human review step for significant decisions, but the legal obligation is the disclosure, not the human review.

Breaching the Privacy Act can attract enforcement action from the OAIC, including investigations and orders to change practice. The Privacy and Other Legislation Amendment Act 2024 also introduced infringement notices of up to $66,000 per contravention for certain breaches. The more serious the breach and the more individuals affected, the more likely the regulator is to act. That said, the OAIC has indicated it will take a proportionate approach, especially for organisations making genuine efforts to comply.

Now. Mapping your automated processes, identifying which ones are in scope, and drafting clear disclosures takes time, especially if your AI use is spread across multiple tools and teams. The organisations that leave it until November 2026 will be writing disclosures in a hurry, which is when inaccurate language ends up in privacy policies. Organisations that start in mid-2026 have time to be accurate.

Not sure where your AI use sits against the 2026 obligations? That is what the first call is for.
