From 10 December 2026, Australian businesses that use automated decision-making (ADM) will have to spell it out in their privacy policy. New rules under the Privacy Act — APP 1.7 to 1.9 — say that if a computer program uses someone’s personal information to make, or help make, a decision that significantly affects them, you have to disclose it. As MinterEllison points out, this lands right as the OAIC runs its first privacy-policy compliance sweep and wields new powers to issue fines of up to $66,000 for policies that fall short.

Wealth and financial-advice firms lean on automated systems more than most — risk profiling, credit and insurance eligibility checks, fraud screening, even robo-advice tools. A decision about someone’s loan, cover or portfolio plainly affects their rights or interests in a significant way, which is the exact test the new rules use. So this is not a big-tech problem you can wave off; it is squarely a financial-services one. The OAIC has also signalled it will read these rules broadly. Given client financial data is already some of the most sensitive information you hold, a vague or out-of-date privacy policy is now a compliance risk, not just a bad look.

You have time — but less than it looks. Start by mapping where automated tools touch client decisions, including third-party platforms you have arranged to use on your behalf, because those count too. Then update your privacy policy to describe the kinds of personal information those systems use and the kinds of decisions they make, review it at least once a year, and date it so you can prove it is current. If you are not sure whether a tool you rely on counts as ADM, get advice now — not in November 2026.

Solid privacy compliance starts with knowing where your data actually lives and who can touch it. Our financial services IT team helps Australian wealth firms map their data flows, lock down client information and keep their compliance evidence in order.