Skip to main content
AFSL 222640 · Global Mutual Funds Pty Ltd
AI Engineer
{"automated decision making"
"Privacy Act 1988"
"APP 1.7"

Privacy Act Automated Decision-Making Obligations: What Australian Businesses Must Know in 2026

From 10 December 2026, Australian businesses using AI for decisions must disclose automated systems under APP 1.7. Learn what compliance requires.

MyMoney® Editorial12 July 2026 7 min read

From 10 December 2026, Australian businesses that use artificial intelligence or automated systems to make decisions affecting individuals face new mandatory transparency obligations under the Privacy Act 1988 (Cth). For organisations deploying AI-powered tools — from recruitment filters and credit scoring engines to dynamic pricing algorithms — these changes represent one of the most significant compliance milestones in Australian AI governance to date. Understanding what is required, and engaging a qualified AI engineer to implement compliant systems, is now a business imperative.

Understanding the New Automated Decision-Making Obligations

The Privacy and Other Legislation Amendment Act 2024 (Cth) introduced new requirements under Australian Privacy Principle (APP) 1.7, which take effect on 10 December 2026. These obligations apply to all "APP entities" — organisations already bound by the Privacy Act 1988 — that use computer programs to process personal information as part of a decision-making process.

The obligation is triggered when an automated system makes, or substantially and directly assists in making, a decision that could reasonably be expected to significantly affect an individual's rights or interests. This is a deliberately broad standard, designed to capture not only fully automated decisions but also hybrid processes where a human formally approves an outcome that was effectively determined by an algorithm.

Decisions that fall within scope include, but are not limited to, employment screening and recruitment, credit assessment and loan approvals, insurance pricing and underwriting, tenancy applications, access to government services, and academic assessments. If your business uses any software that ranks, filters, scores, or recommends outcomes based on personal data, it is likely within scope.

What Businesses Must Disclose by 10 December 2026

By the compliance deadline, APP entities must update their publicly available privacy policies to include specific disclosures about their automated decision-making systems. The required disclosures include:

  • Confirmation of use — A statement that the organisation uses automated systems to make or substantially assist in making decisions that significantly affect individuals.
  • Categories of personal information — The types of personal data processed by these automated systems (for example, financial history, employment records, or behavioural data).
  • Fully automated decisions — The types of decisions made solely by automated means, without human involvement in the outcome.
  • Substantially assisted decisions — The types of decisions where automated technology performs the core ranking, filtering, or scoring function, even if a human formally signs off on the result.

These disclosures must be written in plain language that is accessible to the individuals whose data is being processed. Vague or technical descriptions that obscure the nature of the automated process will not satisfy the obligation.

Key Operational Requirements for AI Engineers

Compliance with APP 1.7 is not simply a matter of updating a privacy policy. It requires a thorough understanding of how AI and automated systems operate within your organisation — and this is where a qualified AI engineer plays a critical role.

System Mapping and Audit

Before any disclosure can be made, organisations must identify every automated system that processes personal information for decision-making purposes. This includes obvious AI tools such as machine learning models and natural language processing systems, but also less visible automated logic embedded in CRM platforms, recruitment software, pricing engines, and workflow automation tools.

An AI engineer can conduct a systematic audit of your software stack to identify all systems within scope, document the data inputs and decision logic for each, and assess whether each system meets the threshold of "significantly affecting" individual rights.

Human Review Pathways

For decisions with significant impact on individuals, organisations must provide a mechanism for human review. This means designing systems so that affected individuals can request reconsideration of an automated outcome by a human decision-maker. An AI engineer can implement review workflows, audit trails, and escalation mechanisms that satisfy this requirement while maintaining operational efficiency.

Explainability and Documentation

Organisations must be able to explain, in plain language, the logic behind automated decisions and the data inputs involved. This requires AI engineers to build or retrofit explainability features into existing models — a technically demanding task that is best addressed proactively rather than in response to a complaint or enforcement action.

Common Mistakes Businesses Make with AI Compliance

As the December 2026 deadline approaches, many Australian businesses are discovering that their AI compliance posture is less mature than they assumed. The following are the most common gaps that AI engineers and legal advisers are identifying:

  • Shadow AI — Employees using unvetted AI tools (such as consumer-grade generative AI platforms) to assist with decisions involving personal data, without organisational awareness or governance controls.
  • Underestimating scope — Assuming that only purpose-built AI systems are within scope, while overlooking automated logic embedded in off-the-shelf software such as HR platforms, CRM systems, or accounting tools.
  • Inadequate data mapping — Failing to document what personal data flows into automated systems, making it impossible to produce the required privacy policy disclosures.
  • No human review mechanism — Deploying fully automated decision pipelines without any pathway for individuals to seek human reconsideration of outcomes.
  • Generic privacy policies — Updating privacy policies with boilerplate language that does not specifically describe the organisation's actual automated systems and decision types.

Australian Regulatory Context

The automated decision-making transparency obligations sit within a broader and rapidly evolving Australian AI governance landscape. Several key regulatory bodies and frameworks are relevant to businesses deploying AI systems in 2026.

The Office of the Australian Information Commissioner (OAIC) has signalled that privacy policy compliance is an enforcement priority. The 2024 reforms established a three-tier penalty regime: administrative infringement notices for non-compliant privacy policies; mid-tier penalties of up to $3.3 million for bodies corporate for non-serious interferences; and high-tier penalties for serious or repeated breaches reaching the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover.

The Australian AI Safety Institute (AISI), launched in early 2026 with $29.9 million in government funding, serves as a technical advisory body responsible for testing and evaluating advanced AI models. While the AISI does not directly enforce the Privacy Act, its guidance on responsible AI deployment is increasingly referenced by regulators and courts.

The Australian Competition and Consumer Commission (ACCC) has also prioritised enforcement against "AI-washing" — misleading claims about the capabilities or safety of AI systems. Businesses that overstate the accuracy, fairness, or transparency of their automated decision-making systems face potential action under the Australian Consumer Law.

Australia's approach to AI regulation remains technology-neutral, leveraging existing legal frameworks rather than enacting a comprehensive AI Act. However, the December 2026 APP 1.7 deadline represents a concrete, enforceable obligation that businesses cannot defer.

Questions to Ask Your AI Engineer

When engaging an AI engineer to assist with automated decision-making compliance, consider asking the following questions:

  • Have you conducted a full audit of our software stack to identify all systems that process personal data for decision-making purposes?
  • Which of our automated systems meet the threshold of "significantly affecting" individual rights or interests?
  • Can you document the data inputs, decision logic, and outputs for each in-scope system in plain language?
  • What explainability features can be implemented or retrofitted into our existing models?
  • How will we implement human review pathways for significant automated decisions?
  • What governance controls can be put in place to detect and manage Shadow AI usage within our organisation?
  • How will we monitor and update our privacy policy disclosures as our AI systems evolve?

How MyMoney® Can Help

Meeting the December 2026 automated decision-making compliance deadline requires technical expertise that goes beyond legal advice alone. A qualified AI engineer can audit your systems, implement explainability and review mechanisms, and help you produce the specific privacy policy disclosures required under APP 1.7.

MyMoney® connects Australian businesses with experienced AI engineers who specialise in responsible AI deployment, governance frameworks, and privacy compliance. Whether you need a full system audit, help retrofitting explainability into existing models, or guidance on building compliant AI pipelines from the ground up, our network of professionals is ready to assist.

Post a Brief to describe your AI compliance needs and receive competitive proposals from qualified AI engineers. Or Browse AI Engineers on the MyMoney® Marketplace to find a specialist who can help your business meet its obligations before the December 2026 deadline.

This article provides general information only and does not constitute personal financial advice. Consider whether the information is appropriate for individual circumstances before acting on it. MyMoney® Marketplace is operated by Global Mutual Funds Pty Ltd (ABN 20 090 555 436, AFSL 222640).

Need Professional Help?

Post a brief and let verified professionals compete with transparent, scored proposals.