
From 10 December 2026, new transparency obligations will apply to APP entities in relation to automated decision-making, significantly expanding what must be disclosed in privacy policies where AI or computer-based decision systems are used.
Under new APP 1.7 to APP 1.9, additional information must be included in an APP Privacy Policy where:
- an APP entity has arranged for a computer program to make a decision, or to do a thing substantially and directly related to making a decision
- the decision could reasonably be expected to significantly affect the rights or interests of an individual, and
- personal information about the individual is used in the operation of the computer program
Where these conditions are met, the privacy policy must include information about:
- the kinds of personal information used in the operation of computer programs
- the kinds of decisions made solely by the operation of computer programs
- the kinds of decisions for which a thing substantially and directly related to making the decision is done by the operation of such computer programs
Importantly, ‘making a decision’ includes refusing or failing to make a decision, and the obligations apply regardless of whether the outcome is beneficial or adverse to the individual.
Examples of decisions that may significantly affect an individual’s rights or interests include:
- decisions made under legislation to grant or refuse a benefit, such as immigration or housing assistance
- decisions affecting an individual’s rights under a contract, such as insurance or financial services
- decisions affecting access to significant services or supports, including healthcare
These obligations apply squarely to many AI-enabled and data-driven systems already in use across government and the private sector.
The OAIC has indicated it will publish detailed guidance on these new obligations in 2026. In the interim, organisations should refer to Part 15 — Automated decisions and privacy policies in the Privacy and Other Legislation Amendment Act 2024 (Cth) and the accompanying Explanatory Memorandum.
For Information Governance professionals, these reforms elevate automated decision-making from a technical issue to a governance, assurance and accountability priority. Organisations should begin mapping automated decisions now, assessing data inputs, documenting decision logic at a high level, and ensuring privacy, data and AI governance frameworks are aligned well ahead of December 2026.