Does your privacy policy disclose your AI decisions?
From 10 December 2026, Australian organisations must disclose, in their privacy policy, where they use personal information in automated decision-making that can significantly affect people. It is one of the first concrete AI-transparency duties in Australian law — and the regulator is already signalling a broad reading.
The obligation, in plain terms
The Privacy and Other Legislation Amendment Act 2024 added new Australian Privacy Principles 1.7 to 1.9. From 10 December 2026, where an organisation uses personal information in qualifying automated decision-making, its privacy policy must say so. It is a transparency duty built into the policy itself, and it applies to decisions made from that date.
For the underlying concept see automated decision-making and the Privacy Act in our glossary; for the prudential angle, see APRA and AI.
Does it apply to you? The three-part trigger
A program makes — or shapes — the decision
You have arranged for a computer program to make a decision, or to do something substantially and directly related to making it. The OAIC signals this can reach AI-assisted decisions even where a human signs off, depending on how much the program shapes the outcome.
The decision significantly affects someone
The decision could reasonably be expected to significantly affect the rights or interests of an individual — for example eligibility, pricing, employment, or access to a service.
Personal information is used
Personal information about the individual is used in the operation of that program. If all three limbs are met, the transparency obligation is triggered.
All three limbs must be met for the obligation to apply.
What your privacy policy must disclose
The kinds of personal information used in the operation of the computer program.
The kinds of decisions made solely by the program, or substantially and directly by it.
This is disclosure in the policy, not a separate notice to each person — but getting the categories right means first understanding every qualifying decision you make.
How the OAIC is reading it
The OAIC released an Issues Paper on 18 May 2026 that telegraphs an expansive interpretation. It probes contested terms like "substantially and directly related" and "significantly affect," and uses worked edge cases — generative AI recommending aged-care eligibility, differential pricing by postcode, and job ads skewed by gender — to show how broadly the obligation might reach. Third-party ADM is flagged as a focus, alongside AI-assisted decisions that carry a human sign-off.
Two dates that matter
Submissions on the OAIC’s Issues Paper close 15 June 2026, with final guidance expected by September 2026 — a chance to shape how the obligation is applied. The obligation itself commences 10 December 2026. Confirm the current consultation status on the OAIC website before relying on these dates.
What to do before 10 December 2026
Inventory where automated or AI-assisted decisions use personal information across the organisation.
Test each use against the three-part trigger — including AI-assisted decisions that still have a human sign-off, which the OAIC indicates may be captured.
Map third-party and vendor ADM: "arranged for" can reach decisions a supplier makes or supports on your behalf.
Draft the privacy-policy disclosures: the kinds of personal information used, and the kinds of decisions made.
Align the work with your broader AI governance, board oversight, and (for APRA-regulated entities) operational-risk obligations.
Have the updated policy ready well before 10 December 2026 — the obligation applies to decisions made from that date.
Frequently asked questions
When does the obligation start?
The automated decision-making (ADM) transparency obligation in Australian Privacy Principles 1.7–1.9 — introduced by the Privacy and Other Legislation Amendment Act 2024 — commences on 10 December 2026 and applies to decisions made from that date. The underlying obligation and explanatory memorandum are already published; the OAIC is developing guidance on how it will work in practice.
Does it apply to AI-assisted decisions with a human in the loop?
Potentially yes. The trigger covers a program that makes a decision or does something "substantially and directly related to" making it, and the OAIC’s May 2026 Issues Paper signals a broad reading — a human rubber-stamping an AI-driven recommendation may not take the decision outside the obligation. The final position will be clearer once the OAIC publishes its guidance, expected by September 2026.
What exactly must our privacy policy say?
Where the obligation is triggered, the privacy policy must set out the kinds of personal information used in the automated decision-making process, and the kinds of decisions made solely, or substantially and directly, by the program. It is a transparency-in-the-policy obligation rather than a case-by-case notice to each individual.
What about third-party or vendor ADM?
The OAIC has flagged third-party ADM as a focus area. Because the obligation turns on whether you "arranged for" a computer program to make or shape a decision, it can capture automated decisions a supplier makes or supports on your behalf — so vendor due diligence and contracts matter.
Is this the same as a GDPR right to human review?
No. The GDPR (Article 22) gives individuals a right not to be subject to certain solely automated decisions and to seek human intervention. Australia’s obligation is narrower in nature: it is a transparency requirement to disclose ADM use in the privacy policy, not a standalone right to object or to obtain human review.
What happens if our privacy policy is not compliant?
The OAIC has begun an enforcement-led phase, including a compliance sweep of privacy policies in 2026. Under the strengthened Privacy Act, a non-compliant privacy policy can attract compliance notices, infringement notices, or civil penalties — so the December 2026 deadline is best treated as a hard one.
Turn the deadline into a governance win
The work the obligation demands — knowing where AI touches decisions about people — is the same work good AI governance needs anyway. A clear inventory is the place to start.
This page is general information about a Commonwealth privacy obligation and a live OAIC consultation, not legal advice, and not a substitute for advice tailored to your circumstances. Dates and interpretation may change as the OAIC finalises its guidance; always confirm the current position against the OAIC’s own publications and the Privacy Act 1988 (Cth).