Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

Dark navy whitepaper hero graphic with a shield and decision-node motif, titled Automated Decision-Making Privacy Rules Start 10 December 2026, All IT Services

Author: Dan Briggs  |  Published: 15 June 2026  |  Reading time: 16 minutes

Executive summary

On 10 December 2026, a new transparency rule under the Privacy Act 1988 takes effect. If your business uses a computer program to make, or to materially shape, decisions about people, and those decisions could reasonably be expected to significantly affect someone’s rights or interests, you will have to say so in your privacy policy. The rule is new Australian Privacy Principle 1.7, added by the Privacy and Other Legislation Amendment Act 2024. It applies to any organisation already covered by the Privacy Act, and the date is fixed: there is no soft launch and no extension on the table.

This catches far more businesses than most owners assume. Automated decision-making (ADM) is no longer the preserve of banks and insurers. It now sits inside ordinary tools that professional services firms, hospitality operators and not-for-profits use every day, including recruitment platforms that rank or filter applicants, tenant and customer screening services, credit and payment-risk checks, dynamic pricing engines, and the AI assistants many teams switched on over the past year. If personal information goes into a system and a consequential decision comes out, you are likely in scope.

The cost of getting it wrong has also changed. The same 2024 reforms introduced a three-tier civil penalty regime, a standalone court action for individuals whose privacy is seriously invaded, and a regulator that has openly said privacy policies are a current enforcement priority. The work to comply is mostly process, not technology: find where automation touches decisions about people, decide what is genuinely in scope, and rewrite a section of your privacy policy in plain English before the deadline. This paper sets out exactly what is changing, who it affects, and a step-by-step plan to be ready well before 10 December.

What actually changes on 10 December 2026

The Office of the Australian Information Commissioner (OAIC) describes the new obligation plainly: from 10 December 2026, entities covered by the Privacy Act that use personal information in automated decision-making with the potential to affect people’s rights or interests must include specified information about that practice in their privacy policy. The mechanism is a new clause, APP 1.7, inserted into Schedule 1 of the Act. You can read the OAIC’s own summary on its APP 1 guidance page.

Three points are worth being precise about, because they decide how much work you have to do.

First, this is a transparency obligation, not a ban and not a right of appeal. The rule does not stop you using automation, and it does not give individuals a new right to demand a human review of a decision. That sort of stronger right exists in Europe under the GDPR and may yet appear in a future round of Australian reform, but it is not what commences in December. What the law requires now is disclosure: telling people, in your published privacy policy, that you use automated systems in certain decisions and what kinds of information and decisions are involved.

Second, the obligation attaches to your privacy policy specifically, the document that already has to sit on your website under APP 1. You are not required to send individual notices or build a self-service portal. You are required to expand the standing policy so that a reader can understand where automation influences decisions about them.

Third, the threshold is significant effect on rights or interests. Trivial automation is not caught. A spam filter, a product recommendation, or a system that sorts your inbox does not trigger the rule. A system that helps decide whether someone gets a job interview, a loan, a rental property, an insurance price, or access to a service almost certainly does. The legislation’s own examples point at decisions such as granting or refusing a benefit, determining a person’s contractual rights, or controlling access to a significant service. Law firm Johnson Winter Slattery has a useful breakdown of where that line is likely to fall in its practical implications note.

The two kinds of decisions you must disclose

The rule recognises that automation rarely works alone. It therefore covers two distinct situations, and your policy needs to address both where they apply:

  • Decisions made solely by automated means. The computer program produces the outcome with no meaningful human involvement. An automated credit cut-off or an instant online eligibility check are typical examples.
  • Decisions substantially and directly shaped by automation. A person signs off the final call, but the program does the heavy lifting, scoring, ranking or filtering in a way that substantially and directly drives the result. A recruiter who interviews only the candidates an algorithm ranked in the top ten is making a decision in this second category.

That second limb is the one businesses miss. Many owners assume that because “a human makes the final decision”, they are outside the rule. If the human is rubber-stamping a machine-generated shortlist or score, the decision is still substantially and directly automated, and it still needs to be disclosed.

Automated decision-making is broader than you think

When the term “automated decision-making” comes up, people picture a bank’s loan-approval engine. The reality in 2026 is that automation has quietly spread into routine business software, often through a feature that was switched on by default or bundled into a subscription. Here is where we are seeing it among the small and mid-sized clients we work with.

Recruitment and HR. Applicant tracking systems and hiring platforms increasingly score, rank or auto-reject candidates against criteria, and some now use AI to summarise or grade responses. If your hiring tool filters applicants before a human sees them, that is ADM affecting someone’s interests.

Customer and tenant screening. Real estate agencies, short-stay operators and service businesses often run prospective customers or tenants through screening or risk-scoring services. A decision to decline a booking or a tenancy based on an automated score is squarely in scope.

Credit, payments and fraud checks. Buy-now-pay-later integrations, automated invoice-finance approvals and payment fraud systems can approve or decline a person in real time. Even where you are using a third party’s engine, you are the one making the decision about your customer.

Pricing and offers. Dynamic pricing and personalised offers that vary by individual, common in hospitality and online retail, can affect a person’s interests when the variation is material.

AI assistants and chatbots. Over the past year many teams enabled Microsoft 365 Copilot, ChatGPT or Claude and pointed them at real work. Where one of these tools is used to triage, prioritise or decide how a person’s matter is handled, rather than simply to draft text, it can form part of an automated decision. Our recent guide on deploying AI across your team covers the data-protection side of that rollout; the ADM rule is the governance side of the same coin.

Not-for-profits and member services. Charities and member organisations that automate eligibility for grants, hardship support or membership benefits are making decisions that significantly affect individuals, even though no money changes hands in the commercial sense.

The common thread is simple. If personal information goes in, a consequential decision about a person comes out, and software did most of the work, you should treat it as in scope until you have a documented reason to conclude otherwise.

Does this apply to my business?

The new rule applies to “APP entities”, which is the same set of organisations already bound by the Privacy Act. For most readers, the practical test is whether the Act applies to you at all, and that turns on the small-business exemption.

At present, a business with an annual turnover of $3 million or less is generally exempt from the Privacy Act. If that is you, and none of the exceptions apply, the December ADM rule does not bind you yet. That is the good news. The important news is that the exemption is riddled with exceptions, and it is living on borrowed time.

Even under $3 million, you are not exempt if you fall into one of several carve-outs, including businesses that:

  • provide a health service and hold health information (this sweeps in allied health, dental, physiotherapy, psychology, gyms and many wellbeing businesses);
  • trade in personal information, meaning you buy or sell it;
  • are a contracted service provider for a Commonwealth contract;
  • are related to a larger company that is covered; or
  • are a credit reporting body or otherwise specifically covered.

A small medical or allied-health practice that uses an automated triage or recall tool, for example, is covered today despite its size. So is a small consultancy delivering services under a Commonwealth contract.

The exemption itself is also under review. The Government deferred any change to the small-business exemption to a later tranche of reforms rather than dealing with it in the 2024 Act, which means it remains in place for now but is widely expected to be narrowed or removed. The Pinsent Masons analysis of the next set of reforms sets out what is still in the pipeline. Our blunt advice to clients near or above the threshold, or growing toward it, is to prepare as though the rule applies. The work you do now will not be wasted, and it is far cheaper than retrofitting compliance under deadline pressure later.

Why this matters now: penalties, lawsuits and a regulator with appetite

It would be easy to file a December 2026 deadline under “deal with it later”. Two things make that a mistake: the penalties behind the Privacy Act are now materially larger, and the regulator has signalled it is willing to use them.

A three-tier penalty regime with real teeth

The 2024 reforms replaced a single, hard-to-trigger penalty with three tiers, summarised by Clyde & Co in its analysis of the new regime:

  • Low tier. The Commissioner can issue infringement notices for specified administrative failures, up to $330,000 per contravention for a body corporate and $66,000 for an individual. A privacy policy that does not meet its content requirements is exactly the kind of administrative failure this tier was built for.
  • Mid tier. For interferences with privacy that are not “serious”, penalties reach up to $3.3 million for a body corporate. This tier is new, and it matters because it removes the old requirement to prove seriousness before any penalty could apply.
  • High tier. For serious or repeated interferences, the maximum is the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover for the relevant period.

Failing to update your privacy policy by December is not, on its own, a $50 million problem. It is, however, a clear and easily proven administrative breach, the sort of low-hanging issue a regulator can act on without a lengthy investigation.

Individuals can now sue directly

Since 10 June 2025, individuals have been able to bring a standalone court action for a serious invasion of privacy, a statutory tort introduced by the same 2024 Act. The OAIC’s overview of the tort sets out the elements. Damages for non-economic loss are capped at $478,550 (or the equivalent defamation cap, whichever is higher), and the action covers both intrusion into someone’s private affairs and misuse of their information. Only individuals can sue, and they must show the invasion was intentional or reckless rather than merely careless. The relevance here is indirect but real: opaque, undisclosed automated profiling is precisely the kind of conduct that generates complaints, and a business that has been transparent about its automation is in a far stronger position than one that has hidden it.

The regulator is looking at privacy policies right now

The OAIC has been explicit that privacy policies, particularly in higher-risk sectors, are a current enforcement focus, as MinterEllison notes in its enforcement update. A privacy policy is the one privacy document a regulator can review without ever contacting you, because it is published. That makes it the cheapest possible thing for the OAIC to check and the easiest place for a non-compliant business to be caught out.

The timeline you are working to

This is not a deadline that arrives without warning, which is exactly why being ready early is worth something. The sequence is straightforward.

Date Milestone What it means for you
10 December 2024 Privacy and Other Legislation Amendment Act 2024 receives Royal Assent The 24-month clock on the ADM rule starts
10 June 2025 Statutory tort for serious invasions of privacy commences Individuals can sue directly; the stakes of poor privacy practice rise
15 June 2026 OAIC consultation on its draft ADM transparency guidance closes The detail of what “good” looks like is being finalised now
By September 2026 OAIC expected to publish final ADM guidance Your window to draft policy wording against confirmed expectations
10 December 2026 APP 1.7 transparency obligation commences Your privacy policy must comply from this date

The practical read on this calendar is that you have a comfortable runway if you start the groundwork, the inventory of where automation touches decisions, over the next quarter, then finalise the policy wording once the OAIC’s guidance lands around September. Leaving the inventory until November is how businesses end up writing a policy they cannot actually stand behind, because they have not had time to confirm what their tools really do.

What good looks like: the four things your policy must convey

The draft expectation is that an affected privacy policy will need to make clear, in language an ordinary reader can follow, the substance of how automation is used. In practical terms, build your updated ADM section around four questions:

  1. Do you use automated decision-making at all? A plain statement that the business uses computer programs in certain decisions about individuals.
  2. What kinds of personal information feed those decisions? The categories of personal information used, for example contact details, financial information, employment history or behavioural data.
  3. What kinds of decisions are involved? Both the decisions made solely by automated means and those substantially and directly driven by automation, described by category rather than by listing every internal rule.
  4. How does it affect the individual? Enough context that a reader understands the practical consequence, such as eligibility for a service, a price, or progression through a hiring process.

You do not have to publish your source code, expose a trade secret, or explain the inner mathematics of a model. The obligation is about meaningful transparency, not a technical specification. A short, honest, well-organised section will satisfy it far better than a wall of hedged legal text.

A worked example of the right tone

For a recruitment-heavy professional services firm, a compliant section might convey, in your own wording: that the firm uses an applicant tracking system which automatically screens and ranks candidates using the information they provide in their application and resume; that this ranking substantially influences which candidates are shortlisted for interview; that a person from the firm reviews shortlisted candidates before any hiring decision; and that applicants can contact the firm’s privacy officer with questions about how their application was assessed. That is four sentences. It is specific, it is true, and it meets the spirit and the letter of the rule.

Your pre-December action plan

The compliance task breaks into five steps. None of them require new software; most of the effort is in finding and documenting what you already run.

Step 1 — Build an ADM inventory

List every system that touches a decision about a person. Go application by application: your HR and recruitment tools, CRM, booking and screening platforms, finance and payments stack, marketing automation, and any AI assistant your team has enabled. For each, record what it decides or influences, what personal information it uses, and whether a human is genuinely in the loop or merely signing off a machine output.

Step 2 — Apply the significance test

For each entry, ask whether the decision could reasonably be expected to significantly affect a person’s rights or interests. Be honest rather than optimistic. Hiring, credit, tenancy, pricing, eligibility and access decisions almost always clear the bar. Internal productivity features and content suggestions usually do not. Where you are unsure, document your reasoning, and lean towards disclosure for anything borderline.

Step 3 — Check your third parties

Most SMB automation is delivered through vendors. Ask each relevant supplier, in writing, whether their product makes or materially shapes decisions about your customers, staff or applicants, and what personal information it uses to do so. Their answers feed directly into your policy and into your own due diligence.

Step 4 — Draft the policy section

Write the new ADM section using the four-question structure above, in the same plain voice as the rest of your policy. Hold the final wording until the OAIC publishes its guidance, expected by September 2026, then confirm your draft lines up with the regulator’s stated expectations.

Step 5 — Govern it going forward

Automation changes. The tool that does not make significant decisions today may gain an AI feature next quarter. Assign an owner, add an ADM check to your process for adopting any new software, and diarise an annual review of the inventory and the policy.

Compliance checklist

Task Owner Target date Done
Confirm whether the Privacy Act applies to us (turnover and exceptions) Owner / GM July 2026
Build the ADM inventory across all systems Ops / IT August 2026
Apply the significance test and document decisions Ops / Privacy lead August 2026
Send written ADM queries to key software vendors Ops / IT August 2026
Review OAIC final guidance when published Privacy lead September 2026
Draft and approve the new privacy policy ADM section Privacy lead / Legal October 2026
Publish the updated policy Marketing / Web By 10 December 2026
Add ADM check to new-software adoption process IT Ongoing

Common mistakes we expect to see

Having watched businesses scramble through the 1 July price changes and the CPS 230 deadline this year, a few predictable traps stand out for this one.

Assuming a human signature means you are exempt. If the human is approving a machine-generated score or shortlist, the decision is still substantially automated and still in scope. This is the single most common misunderstanding.

Treating it as a legal-only job. Your lawyer can draft the wording, but only your operations and IT people know what your tools actually do. A policy written without that input is a guess, and a guess is what gets you in trouble.

Forgetting the AI you switched on last year. The Copilot or chatbot deployment that felt like a productivity win may now sit inside a decision process. It belongs in the inventory.

Copying a competitor’s policy. Their automation is not your automation. A generic ADM clause lifted from another website is both inaccurate and, because it misrepresents your practices, arguably worse than saying nothing.

Waiting for the guidance before doing anything. The inventory does not depend on the OAIC’s final wording. Start it now, and you will only need the guidance to polish the language, not to do the whole job under pressure in November.

How All IT Services can help

This is a governance task with a technical core, which is the kind of work we do for Australian businesses every day. We can map where automation and AI touch decisions across your systems, build the ADM inventory with your team, put the right questions to your software vendors, and make sure the data those tools handle is protected to the standard the Privacy Act now expects. We work alongside your lawyer or privacy adviser on the policy wording so the final document reflects what your systems actually do.

If you have rolled out AI tools in the past year, or you are not certain where automated decisions are being made in your business, the next few months are the time to get clarity, well before the December deadline turns it into a rush.

Talk to us about an ADM and AI governance review. Call All IT Services on 1300 425 548 or get in touch via our contact page, and we will help you walk into 10 December 2026 already compliant.

Sources and further reading