The OAIC is ramping up enforcement under the reformed Privacy Act, and one obligation in the first tranche of reforms (the Privacy and Other Legislation Amendment Act 2024) is about to bite: from 10 December 2026, any organisation that uses a computer program, whether a simple rules engine or an AI model, to make decisions that could reasonably be expected to significantly affect a person's rights or interests must say so in its privacy policy. The OAIC calls this automated decision-making, ADM for short, and most SMBs we talk to don't realise it applies to them.
What ADM actually means. Forget the science-fiction framing. For the purposes of the Act, ADM is any arrangement where a computer program uses personal information to make a decision, or to do something substantially and directly related to making it, where that decision could reasonably be expected to significantly affect a person's rights or interests. So the rules cover both "solely automated" decisions and those where the software produces a score or recommendation that a human then rubber-stamps. Examples that catch SMBs out: a CRM that scores a lead and routes "low-value" prospects to junk; an HR platform that filters job applicants before a recruiter sees the shortlist; a wealth platform that auto-flags clients for KYC review; a not-for-profit donor system that decides who gets a renewal call; a hospitality booking engine that quietly declines certain card types or addresses. The test is the effect on the person, not how clever the software is: a rule-based filter that rejects an applicant or refuses a booking is clearly in scope, while a lead score that only changes which prospects get a sales call is a closer call and worth assessing rather than assuming either way.
Why it matters now. APP 1.7 and 1.8 will require your privacy policy to spell out the kinds of personal information your automated systems use, the kinds of decisions they make on their own, and the kinds of decisions they substantially and directly contribute to. The Act does not oblige you to publish the underlying logic, but you cannot describe the decisions accurately without understanding it, and a generic line such as "we may use automated tools" will not meet the requirement. The OAIC already has new infringement notice powers, up to $62,600 per breach for a corporation (the amount tracks the Commonwealth penalty unit, so check the current figure), and has signalled privacy policy content as a near-term enforcement priority.
The practical step before December 2026: inventory every system your business runs that ingests personal data and produces an outcome for a person, then put three questions to each vendor: does it make, or materially shape, decisions automatically; what personal information feeds the model; and how can the decision logic be described in plain English? Record the answers, because they become both the privacy policy text and your evidence if the OAIC asks how you reached it. If you'd like help with that audit and the policy rewrite, we run privacy and compliance reviews across our hospitality, NFP and financial services clients.
