Privacy Act automated decision-making — what changes 10 December 2026
The Privacy and Other Legislation Amendment Act 2024 inserted new APP 1.7 to 1.9 into the Privacy Act 1988. From 10 December 2026, an APP entity that uses a computer program to make a decision about an individual, or to do something substantially and directly related to making one, must say so in its privacy policy where the decision could reasonably be expected to significantly affect that person's rights or interests. The Government has also agreed in principle to a right for individuals to request meaningful information about how a substantially automated decision was made, and a human-review pathway is widely expected to follow, but neither is in the 2024 Act. This is a plain-English explainer of what changes, who is affected, and a readiness checklist you can run today.
The three obligations
- Notice in your privacy policy: the kinds of personal information your automated systems use, the kinds of decisions they make on their own, and the kinds of decisions they substantially and directly contribute to. Enacted; commences 10 December 2026.
- Transparency requests: explaining to an affected person how a substantially automated decision about them was reached. Agreed in principle by the Government for a later tranche of reform; not yet legislated.
- Human review: a route for an affected person to have an automated decision reconsidered by a qualified human. Not in the 2024 Act; treat it today as best practice aligned with the Voluntary AI Safety Standard rather than a statutory duty.
Who is in scope
The amendments apply to APP entities under the Privacy Act 1988: federal government agencies plus private organisations with annual turnover over A$3 million. Smaller organisations are also APP entities where they provide a health service and hold health information, trade in personal information, or otherwise fall within the exceptions to the small business exemption. If you are an NDIS provider using AI in support planning, an HR-tech business running automated shortlisting, an insurer pricing on a model, a lender scoring applications, or a platform moderating user content, the amendments likely apply to you.
The OAIC has signalled it will publish more detailed guidance closer to commencement. The honest read is that "in scope" will be broader than many organisations are currently planning for.
Readiness checklist
Run these seven questions across your AI / automated systems inventory. A "no" or "not sure" on any of them is a gap to close before 10 December 2026. The first three go to the enacted privacy policy obligation; the rest prepare you for the transparency-request and human-review measures that are expected but not yet law.
- Do we know every place in our business where an automated system makes or substantially contributes to a decision affecting an individual?
- For each of those systems, can we describe in plain English the kinds of personal information used and the kinds of decisions made?
- Does our privacy policy currently disclose that ADM is in use, and where?
- If an affected person asked us today, could we explain in writing how a specific automated decision about them was reached?
- Do we have a documented process for routing a human-review request to a qualified reviewer, with timeframes?
- Have we identified which of our automated decisions "could reasonably be expected to significantly affect the rights or interests of an individual", the test the Act uses to decide what must be disclosed?
- Have we mapped the overlap between our ADM systems and the Voluntary AI Safety Standard's 10 Guardrails?
How GuardRail helps
GuardRail is an Australian compliance scanner built for the Privacy Act ADM amendments, the NDIS Practice Standards, and the Voluntary AI Safety Standard. It runs an inventory of your automated systems, flags which ones are in scope for each framework, drafts the privacy policy disclosures, and produces an audit-ready evidence pack. Free tier includes one full readiness scan; Professional tier covers ongoing repeat scans and Trust Hub publishing.
We are not a generic GDPR / SOC 2 retread. The framework modules and template library are written against Australian regulators — OAIC, NDIS Quality and Safeguards Commission, Department of Industry, Science and Resources.
Frequently asked
What is 'automated decision-making' under the Privacy Act?
The amendments cover decisions that a computer program makes solely, and decisions where the program does something substantially and directly related to making the decision. A human rubber-stamping a model's recommendation is still likely to be in scope, because the program substantially and directly drove the outcome. A human reading data the system pulled and then making a genuine judgement call is generally not.
Who do the amendments apply to?
Any APP entity — federal government agencies and most private-sector organisations with annual turnover over A$3 million — that uses ADM in decisions about individuals. Smaller businesses can still be in scope where they trade in personal information or hold sensitive categories.
When do the amendments commence?
10 December 2026. The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024, and its automated decision-making provisions commence 24 months after Royal Assent.
What does 'significantly affecting' actually mean?
The Act's wording is a decision that "could reasonably be expected to significantly affect the rights or interests of the individual". Read in the ordinary way, that captures decisions with material legal, financial, employment, access-to-service, safety, or reputational consequences. Examples likely in scope: hiring decisions, credit scoring, insurance pricing, NDIS support allocation, content moderation that excludes a user. Examples likely out of scope: spam filtering, search ranking, internal productivity scoring with no individual-level consequence. The OAIC's guidance, once published, will be the authoritative reading.
How does this interact with the Voluntary AI Safety Standard?
The Standard's 10 Guardrails are voluntary today, but the Government has consulted on making guardrails mandatory for AI in high-risk settings. The Privacy Act ADM amendments are the harder edge that already has a commencement date. If your business addresses both at once, you avoid two-phase rework.
What evidence will a regulator want to see?
The only documentary requirement the 2024 Act creates is the privacy policy content, so start there: an updated privacy policy, backed by an inventory of ADM systems with documented data inputs and decision types. Beyond that, a regulator assessing your broader compliance posture will reasonably expect written response procedures for transparency and human-review requests, logs of those requests and how they were resolved, and clear lines of accountability for who owns each system.
Run a free readiness scan
Upload your privacy policy and an inventory of your automated systems. GuardRail returns a per-obligation gap analysis and an evidence list to gather before commencement.
This page is general information about Australian regulatory direction, not legal advice. For specific application to your organisation, consult a privacy lawyer or the OAIC's published guidance. Last reviewed 2026-05-25.