Privacy Act 2026 AI compliance checklist
A 26-item self-assessment for Australian businesses preparing for the automated decision-making transparency obligations that commence on 10 December 2026 under the Privacy and Other Legislation Amendment Act 2024.
Know your AI use
You cannot govern what you have not mapped. These items build the inventory.
Automated decision-making disclosure
From 10 December 2026, organisations must disclose in their privacy policy where AI makes or substantially assists decisions that significantly affect individuals.
Privacy policy and data handling
The Privacy Act reform tightened disclosure obligations and introduced enforcement teeth. The policy must reflect current AI use.
Staff and training
Human error drove 37% of notifiable data breaches in H1 2025. Training reduces the risk before it becomes a breach.
Governance and ownership
For Commonwealth agencies, naming accountability officials is already mandatory under the DTA policy. For private organisations, it is simply good practice.
Records and review
Governance is not a one-off exercise. These items keep the posture current as AI use evolves.
Want help closing the gaps?
VibeZero works with Australian businesses on the practical side of Privacy Act compliance, AI governance, and data loss prevention. General information only, not legal advice.
This checklist is general information only, not legal advice. Your obligations depend on your specific circumstances. Consult a qualified legal or privacy professional for advice about your situation.
Six areas, 26 items
Know your AI use
Approved tools, shadow AI, data flows, offshore processing. You cannot disclose what you have not mapped.
Automated decision-making
Identifying which AI uses are ADM under the Privacy Act and updating your privacy policy before 10 December 2026.
Data handling
Policy currency, overseas disclosures, data minimisation, vendor retention terms, and breach surface awareness.
Staff and training
Written policy distribution, rules on personal accounts, sensitive data categories, and incident reporting paths.
Ownership
Named accountability, new-tool review process, vendor due diligence, and the AI register.
Review cadence
Annual review scheduling, mid-cycle tool additions, policy review dates, and incident logging below threshold.
The legal basis for the key items: the Privacy and Other Legislation Amendment Act 2024 (Cth) received Royal Assent on 10 December 2024. Automated decision-making transparency requirements commence 10 December 2026. The OAIC recorded 532 notifiable data breaches in H1 2025, with 37% attributed to human error. Infringement notices of up to $66,000 per contravention are available to the regulator under the reform. This checklist is general information only. See our AI governance field note for cited source material.
Go deeper with the guides
Privacy Act 2026 AI Compliance Guide
The step-by-step companion to this checklist. Covers the law in plain language, how to identify ADM uses, and how to structure your privacy policy disclosures.
Read the compliance guide
ADM Disclosure Template
A ready-to-adapt disclosure statement for your privacy policy. Covers the language the Privacy Act reform requires for automated decision-making disclosures.
Get the template
Frequently asked questions
From 10 December 2026, organisations covered by the Australian Privacy Act must disclose in their privacy policy where they use personal information in a computer program to make, or substantially assist in making, decisions that could significantly affect an individual. This obligation comes from the Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024.
The Privacy Act applies to Australian Government agencies and private sector organisations with an annual turnover above $3 million, plus certain others including health service providers, credit reporting bodies, and those that opt in. The automated decision-making disclosure obligation from 10 December 2026 applies within that same scope. If you are a WA public sector entity, the WA Privacy and Responsible Information Sharing Act 2024 also takes effect from 1 July 2026.
The Privacy and Other Legislation Amendment Act 2024 defines it as using a computer program to make, or substantially assist in making, a decision that significantly affects the rights or interests of an individual. Screening job applications, scoring creditworthiness, triaging insurance claims, and personalising access to services are examples likely to fall within scope. The obligation is to disclose this use in your privacy policy, not to stop the practice.
Six sections: knowing your AI use (inventory and shadow AI), automated decision-making disclosure, privacy policy and data handling, staff and training, governance and ownership, and records and scheduled reviews. Each section has 4 to 6 items. Ticking all items indicates a reasonable governance baseline, not legal compliance. Your actual obligations depend on your specific circumstances.
This checklist is a self-assessment starting point. The /resources/privacy-act-2026-ai-compliance guide gives the detailed compliance walkthrough. The /resources/adm-disclosure-template-australia gives a ready-to-adapt disclosure statement for your privacy policy. Use all three together for a thorough preparation. None of these resources are legal advice.
The Privacy and Other Legislation Amendment Act 2024 allows the regulator to issue infringement notices of up to $66,000 per contravention for certain breaches. Serious or repeated interference with privacy can attract much larger civil penalties under the Act. These figures are stated in the legislation; consult a legal professional for advice about how they might apply to your situation.