
Complying with the new transparency requirements for automated decision-making

18 Nov 2025


From 10 December 2026, amendments introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth) will commence, imposing new transparency obligations on entities regulated under the Privacy Act 1988 (Cth), particularly in relation to the use of automated decision-making involving personal information.

Below are five practical compliance steps for businesses and government agencies navigating this reform.

1. Identify Automated Decision-Making in your operations

Conduct an audit of your operational and technical processes to determine where:

  • computers or algorithms are used to make, or contribute to the making of, a decision by your business;
  • that decision could reasonably be expected to significantly affect the rights or interests of an individual; and
  • personal information about the individual is used in the operation of the computer program to make the decision (i.e. where a decision significantly affects an individual’s rights or interests, whether positively or negatively).

Examples include:

  • granting or refusing benefits or services;
  • employment-related decisions such as screening applicants; and
  • credit, insurance or eligibility assessments.

The definition of “automated decision-making” is broad and may capture tools not traditionally seen as AI. This includes both simple rule-based tools and more complex AI systems.

2. Map data flows and establish a human review process

Mapping data flows and inputs supports both compliance and defensibility. For the purposes of automated decision-making (ADM), a data mapping exercise will generally focus on:

  • the types of personal information feeding into your automated systems; and
  • how that data is processed or combined to influence outcomes.

Even where a decision is automated, individuals should be able to seek clarification or review by a human. This safeguard supports fairness, aligns with the expectations of the Office of the Australian Information Commissioner (OAIC), and helps manage reputational risk (lessons highlighted by the Robodebt Royal Commission).

3. Update your Privacy Policy 

From December 2026, your privacy policy must include the kinds of:

  • personal information used in automated decision-making;
  • decisions made solely by computer programs; and
  • decisions for which the computer performs a substantial or direct role in making the decision.

Use clear, accessible language. Avoid overly technical or “dense” disclosures that could obscure key details.

4. Conduct Privacy Impact Assessments 

Privacy impact assessments are strongly recommended for organisations engaging in automated decision-making, as they help identify:

  • bias or discrimination risks;
  • security and data governance gaps; and
  • transparency issues in model design and data use.

Consider getting legal advice on privacy impact assessments to preserve privilege.

5. Develop internal guidance and staff training

Educate your staff about:

  • what is considered “automated decision-making” and what types of data should or should not be used in the operation of a computer program;
  • the requirement for clear explanations in public-facing materials; and
  • an internal escalation process for automated decision-making queries or complaints.

As businesses and government agencies anticipate these upcoming amendments, proactive preparation is essential. Considering updates to policies, procedures and staff training can help foster transparency and accountability.

This article was written by Ariel Bastian, Senior Associate Corporate Commercial.
