Beyond Compliance: Preparing for the New APP Regime from December

16 June 2026 • 4 min read

By December this year, organisations that are subject to the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APP) must update their privacy policies to include information on their use of automated decision-making (ADM). 

New requirements are being introduced into APP 1, and all APP entities will need to assess what changes must be made to their privacy policies to meet them. This assessment may be quite complex and will involve a detailed consideration of the organisation’s systems and processes.

What does APP 1 currently say? 

APP 1 deals with the open and transparent management of personal information. The main obligation which it currently imposes on APP entities is to publish a privacy policy that includes certain information on how the entity collects, holds, uses and discloses personal information. 

What new requirements to APP 1 are being introduced? 

The Privacy and Other Legislation Amendment Act 2024 (Cth) will introduce three new obligations to APP 1, in the form of APPs 1.7, 1.8 and 1.9. These new obligations commence on 10 December 2026.

Under the new provisions, if an APP entity: 

  • uses a computer program to make or assist a person to make a decision;
  • the decision could be expected to significantly affect the rights or interests of an individual; and 
  • the computer program uses the personal information of that individual, 

then the entity’s privacy policy must include:

  • the kinds of personal information used in the operation of such computer programs;
  • the kinds of decisions made solely by the operation of such computer programs; and
  • the kinds of decisions for which the computer program does something substantially and directly related to making the decision.

Decisions covered by the new obligations include decisions to grant a benefit, decisions to provide or not to provide a service, and decisions to take, or not take, a particular action affecting an individual’s rights or interests.

The Office of the Australian Information Commissioner (OAIC) has indicated that it intends to issue guidance in relation to these new requirements. While such guidance is not binding on APP entities, it will be important because it is likely to indicate how the OAIC will interpret and apply the new APPs in practice.

Why have these changes been made? 

In the context of increasing public awareness and concern about ADM, particularly after the report of the Robodebt Royal Commission in November 2023, the Commonwealth Government explicitly committed to update the Privacy Act to improve transparency. 

In the brief time since then, the use of decision-making programs, including AI, has only increased across government and the private sector. Thousands of decisions, including decisions relating to triaging customer emails, granting loans and approving insurance claims, are increasingly made or supported by AI.

What does this mean for APP entities in practice? 

By December, it will be important for APP entities to have done the following:

  • Carry out an ADM assessment

    The primary obligation is to update the APP entity’s privacy policy to include the information required in new APPs 1.7 to 1.9. 

    While updating the privacy policy may seem simple, doing so will involve identifying where, and the extent to which, the organisation uses ADM, including assessing in each case whether:

    • a computer program makes a decision, or performs an act or function that is substantially and directly related to making a decision;
    • the decision significantly affects the rights or interests of an individual; and
    • the computer program uses the personal information of the individual to make the decision.

    This is likely to be a detailed process for most complex organisations. Determining whether a computer program is used to make, or is substantially and directly related to making, a decision, and which decisions ‘significantly’ affect an individual’s rights or interests, will involve many judgement calls and careful consideration of the OAIC’s guidance once it is released.

    Many organisations that provide important services to customers such as utilities, financial institutions, education providers and so forth are likely to have some form of ADM ‘baked in’ to various lengthy processes that may ultimately impact individuals. 

    Determining the extent to which ADM is involved in making the final decision, and how it impacts the rights or interests of individuals, will be important. It is also not yet clear to what extent keeping a human in the loop will mean that a computer program has not been involved in making the decision.

    Updating the privacy policy will also necessitate an assessment of third-party arrangements and the extent to which third-party providers adopt ADM in the services they provide to an organisation. Organisations should leave sufficient time to liaise with service providers to ensure that the information they publish in their privacy policies is accurate.

  • Update the privacy policy

    Once APP entities have assessed and identified the ADM that needs to be disclosed in the privacy policy, they should update the privacy policy to address the requirements of APPs 1.7 to 1.9.

  • Review the AI governance framework

    APP entities should also consider whether their broader AI governance framework captures the process to be followed with respect to new AI tools that involve ADM and the use of personal information, so that any required updates to the organisation’s privacy policy are identified and made going forward.

  • Assess controls

    While it is not explicitly required by the new provisions, APP entities should consider the controls they have in place around ADM and be prepared to respond to queries or complaints raised by individuals or regulators in response to any of the new information they publish in their privacy policies.

APP entities should also keep a close eye on emerging OAIC guidance, particularly on the boundaries of what is “substantially and directly related” to making a decision, what it means for a decision to “significantly affect” an individual’s rights or interests, and how these concepts apply where third-party tools or human oversight are involved.

Going forward, it will be important for APP entities that plan to adopt a new ADM program using personal information to conduct a detailed Privacy Impact Assessment (PIA).

How we can help

Maddocks can assist with reviewing privacy policies, updating privacy policies to comply with the updated APP 1, completing PIAs, identifying gaps in privacy compliance, and advising on other matters related to compliance with the Privacy Act and APPs.

Robert Gregory

Rob is an experienced commercial lawyer who advises Australian and international public, private and for-purpose clients across education, technology, media, telecommunications and consumer law.

Georgia Hunt

Georgia is an experienced commercial lawyer advising government, professional services and education organisations.
