Automated decision making – is your agency ready for December’s new privacy obligations?

18 June 2026 • 7 min read

By December this year, agencies that are subject to the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) must update their privacy policies to include information on their use of automated decision-making (ADM).

New requirements are being introduced into APP 1, and it will be important for all agencies to assess what changes will need to be made to their privacy policies to meet these requirements. This assessment may be quite complex, and will involve a detailed consideration of the agency's systems and processes.

Current Framework - APP 1 explained

APP 1 deals with the open and transparent management of personal information. One obligation which it currently imposes on agencies is to publish a privacy policy that includes certain information on how the agency collects, holds, uses and discloses personal information. 

Legislative Changes and Scope of the New Obligations

The Privacy and Other Legislation Amendment Act 2024 (Cth) will introduce three new obligations to APP 1, in the form of APPs 1.7, 1.8 and 1.9. These new obligations commence on 10 December 2026.

Under the new provisions, if:

  • an agency uses a computer program to make, or assist a person to make, a decision;
  • the decision could be expected to significantly affect the rights or interests of an individual; and
  • the computer program uses the personal information of that individual,

then the agency’s privacy policy must include:

  • the kinds of personal information used in the operation of such computer programs; and
  • the kinds of decisions made solely by the operation of such computer programs; and
  • the kinds of decisions for which the computer program does something substantially and directly related to making the decision.

Decisions covered by the new obligations include decisions to grant a benefit, decisions to provide or not to provide a service, and decisions to take, or not to take, a particular action affecting an individual’s rights or interests.

The Office of the Australian Information Commissioner (OAIC) has indicated that it intends to issue guidance in relation to these new requirements. While such guidance is not binding on agencies, it will be important because it is likely to indicate how the OAIC will interpret and apply the new APPs in practice.

Regulatory Context

In the context of increasing public awareness and concern about ADM, particularly after the report of the Robodebt Royal Commission in November 2023, the Commonwealth Government explicitly committed to update the Privacy Act to improve transparency. 

In the brief time since then, the use of decision-making programs, including AI, has only increased across government and the private sector. Thousands of decisions, including decisions relating to triaging customer emails, analysing submitted applications and evidence, and preparing draft decisions for decision-makers, are increasingly made or supported by AI or other software applying business rules.

Practical Implications for Commonwealth agencies

By December, it will be important for agencies to have done the following:

ADM assessment

The primary obligation is to update the agency’s privacy policy to include the information required in new APPs 1.7 to 1.9. 

While updating the privacy policy may seem simple, doing so will involve identifying where, and the extent to which, the agency uses ADM, including assessing in each case whether:

  • a computer program makes a decision, or performs an act or function that is substantially and directly related to making a decision;
  • the decision significantly affects the rights or interests of an individual; and
  • the computer program uses the personal information of the individual to make the decision.

This is likely to be a detailed process for most agencies. Determining whether a computer program is used to make a decision, or does something substantially and directly related to making one, and which decisions ‘significantly’ affect an individual’s rights or interests, will likely involve many judgement calls and careful consideration of the OAIC’s guidance once it is released.

Most agencies are likely to have some form of ADM ‘baked in’ to various processes that may ultimately impact individuals – particularly agencies that have customer-facing interactions, but other agencies should also consider their staff management, IT access and/or contracting/procurement activities.

Determining the extent to which ADM is involved in making the final decision, and how it impacts the rights or interests of individuals, will be important. It is also not yet clear to what extent keeping a human in the loop will mean that a computer program has not been involved in making the decision.

Updating the privacy policy will also necessitate an assessment of third-party arrangements and the extent to which third-party providers adopt ADM in the services they provide to an agency. Agencies should leave sufficient time to liaise with service providers to ensure that the information they publish in their privacy policies is accurate.

Privacy Policy Updates

Once agencies have assessed and identified the ADM that needs to be disclosed in the privacy policy, they should update the privacy policy to address the requirements of APPs 1.7 to 1.9.

Strengthen AI governance frameworks

Agencies should also consider whether their broader AI governance framework captures the process to be followed with respect to new AI tools that involve ADM and the use of personal information, so that any required updates to the agency's privacy policy are identified and made going forward.

Controls and Compliance 

Agencies should also look to the current Better Practice Guides on Automated Decision Making, taking into account the OAIC’s current Issues Paper (noting that consultation closed on 15 June 2026). 

 

Future Planning 

Agencies should consider the controls they have in place around ADM and be prepared to respond to queries or complaints raised by individuals or regulators in response to any of the new information they publish in their privacy policies.

Agencies should also keep a close eye on emerging OAIC guidance, particularly on the boundaries of what is “substantially and directly related” to making a decision, what it means for a decision to “significantly affect” an individual’s rights or interests, and how these concepts apply where third-party tools or human oversight are involved.

Going forward, it will be important for agencies that plan to adopt a new ADM program using personal information to conduct a detailed Privacy Impact Assessment (PIA).

How we can help

Maddocks can assist with reviewing privacy policies, updating privacy policies to comply with the updated APP 1, completing PIAs, identifying gaps in privacy compliance, and advising on other matters related to compliance with the Privacy Act and APPs.

Katherine Armytage

Katherine has a highly regarded and dynamic practice in information law, with a particular focus on privacy and data protection.


Georgia Hunt

Georgia is an experienced commercial lawyer advising government, professional services and education organisations.
