Privacy Act 2024 automated decision-making transparency: commencing 10 December 2026

What the new obligation is

The Privacy and Other Legislation Amendment Act 2024 introduces new transparency obligations concerning automated decision-making (ADM) into the Privacy Act 1988. These obligations are designed to ensure individuals are informed when ADM is used to make decisions about them. Privacy Act 2026 readiness

The new obligations will apply to APP entities. These entities must provide individuals with certain information when ADM is used to make decisions about them that have a legal or similarly significant effect. This means the decisions impact individuals in a way that carries legal weight or has substantial consequences for them.

The commencement date for these obligations is 10 December 2026, marking two years from the date the Act received Royal Assent on 10 December 2024.

What must be disclosed

The Privacy Act 2024 requires organisations to disclose information about automated decision-making (ADM) within their Privacy Policy. This disclosure must detail the types of personal information used in ADM processes and the kinds of decisions that are made, or substantively informed, by those processes.

The level of disclosure is intended to ensure a reasonable user understands the existence and general nature of ADM being employed. Organisations are not required to reveal the specifics of the ADM model itself, the individual data points used, or proprietary technical details beyond what is necessary to achieve this transparency.

It is important to recognise that this transparency obligation does not create a separate right for individuals to demand a detailed explanation of a particular automated decision. However, other obligations under the Privacy Act, such as those relating to access rights, may still be relevant.

Scope of 'ADM'

Automated decision-making (ADM) is broadly understood to encompass decisions made primarily or substantially by automated processes. This includes, but is not limited to, algorithmic scoring, AI-based recommendations that are relied upon without meaningful human review, and rules-based automated systems that drive outcomes. The Privacy Act 2024’s requirements relating to transparency around ADM apply to these types of processes.

Decisions that have legal or similarly significant effect are particularly relevant. Examples of such decisions include credit and insurance pricing, employment decisions, government benefit eligibility, and certain automated content moderation outcomes. These are the types of decisions where transparency obligations will be most keenly felt.

Further details regarding the scope of ADM, and guidance from the Office of the Australian Information Commissioner (OAIC), will be issued prior to the commencement of the new requirements on 10 December 2026.

What APP entities should do now

APP entities should begin preparing for the new automated decision-making transparency requirements now. The first step is to inventory all existing automated decision-making systems and processes. This involves a thorough review of how personal information is used and the types of decisions being made by these systems.

Following the inventory, entities should identify the kinds of personal information used within each system and the nature of the decisions generated. This detailed understanding is essential for accurately communicating with individuals about how their data is being processed when the requirements commence.

To ensure compliance, APP entities should update or draft Privacy Policy language to meet the transparency requirement. This should be done in line with guidance published by the Office of the Australian Information Commissioner (OAIC). It is also recommended that this work be coordinated with any existing AI governance program, particularly if the entity follows the AI Voluntary Safety Standard, ISO/IEC 42001, or similar frameworks.