Regulator consultation sheds light on Australia’s pending new ADM transparency obligation

The consultation on developing guidance for transparency in automated decision-making (ADM) was launched by the Office of the Australian Information Commissioner (OAIC) last month ahead of the new privacy policy transparency obligation taking effect later this year.

From 10 December 2026, the new ADM transparency obligation under Australian Privacy Principle (APP) 1 will require organisations to disclose information in their privacy policies about certain types of decisions made using ADM and the types of personal information used.

While it is not a statutory requirement, the OAIC has released an issues paper (26-page / 513KB PDF) and targeted consultation questions (6-page / 181KB PDF) for stakeholder feedback on how the obligation should operate in practice ahead of it coming into force.

The consultation, which is open until 15 June, signifies a clear intention by the OAIC to test its proposed approach and identify the challenges to its implementation for regulated entities. It also provides organisations with an insight into the OAIC’s current thinking on how the new obligation should be interpreted and applied in practice.

Below we outline a summary of the threshold considerations and the critical themes emerging from the consultation and how organisations can prepare ahead of the regulation coming into effect late this year.

Automated decision-making: the transparency requirements

Amendments to the Privacy Act 1988 introduced by the Privacy and Other Legislation Amendment Act 2024 require organisations to include specific disclosures in their privacy policies about their use of ADM and the types of personal information used.

The obligation applies where:

• the organisation has arranged for a computer program to make a decision, or do something substantially and directly related to making a decision;
• the decision could reasonably be expected to significantly affect an individual’s rights or interests; and
• personal information is used in the decision-making process.

Once these criteria are met, organisations must describe in their privacy policies:

• the kinds of personal information used;
• the types of decisions made solely by automated processes; and
• the types of decisions where automation plays a substantial role in supporting human decision-making.

The reforms do not prohibit enterprise use of ADM or mandate human review. Instead, they are designed to improve transparency, accountability and public understanding of how automated systems impact individuals.

Themes of the consultation

A central focus of the consultation is how organisations should interpret the threshold concepts that determine when ADM falls within scope.

The OAIC has taken a broad, technology-neutral approach to the meaning of a “computer program” that is used for ADM. This may include commonly used software; apps; word-processing tools; AI systems; generative AI tools; chatbots and virtual assistants; and tools that analyse, classify, summarise or generate content.

This signals that the obligations will extend beyond high-risk AI systems to capture commonly deployed enterprise and customer-facing technologies. This has the potential in practice to result in lengthy disclosures.

The OAIC also emphasises that ADM is not limited to fully automated decisions. Systems that materially assist human decision-making may still be captured. This reflects a practical reality that many modern systems, particularly AI tools, operate in a hybrid model where human and automated inputs are intertwined.

The issues paper highlights the degree of reliance on system outputs as a threshold issue for the types of ADM that must be disclosed; the likelihood and effectiveness of human override; whether outputs are advisory or determinative; and how closely the system is integrated into decision-making workflows. It also illustrates this distinction with a practical example. A pre-programmed Excel tool used to score and triage calls to a domestic violence hotline, where it materially influences prioritisation, would likely be “substantially and directly related” to a decision. By contrast, a simple calculation, such as converting date of birth into age, may be directly related, but not substantial

The consultation also highlights the breadth of this threshold. A decision is more likely to be considered to significantly affect individual rights or interests where it affects an individual’s access to critical opportunities, services or outcomes. This includes decisions relating to eligibility for government benefits or entitlements such as housing assistance; immigration outcomes, including admission to or permission to remain in Australia; access to or terms of financial and insurance products such as life insurance underwriting; premium setting or coverage decisions; and decisions affecting access to healthcare, such as prioritisation for treatment or allocation of services.

Importantly, the issues paper also makes clear that common digital business practices may fall within scope in appropriate circumstances. This includes targeted advertising and content delivery, particularly where algorithmic curation may limit access to employment opportunities; and personalised or differential pricing for significant goods or services based on profiling or inferred characteristics.

The OAIC emphasises that a decision may have a significant effect even if it is beneficial, such as faster access to services. The assessment is context-specific and may carry greater weight where vulnerable individuals or groups are affected.

Taken together, this suggests that both traditionally high-stakes decisions and common commercial practices may fall within scope where they materially influence outcomes for individuals, whether positively or negatively.

In seeking feedback on how organisations should approach disclosure in practice, the OAIC has expressed the view that transparency is not intended to be technical or opaque. Instead, disclosures should be:

• clear and written in plain language;
• sufficiently detailed to be meaningful, without overwhelming users;
• structured so individuals can seek further information; and
• framed to help individuals understand or challenge decisions

This signals an expectation that organisations move beyond generic or high-level statements towards more tailored and informative disclosures.

Next steps for organisations

The new obligation will be an important step in Australia’s evolving privacy and AI regulatory landscape. The consultation presents a critical opportunity for organisations to shape the OAIC’s guidance and test how the obligations will apply to their specific operating models.

There is still a window for providing feedback on how disclosure should be approached in practice, through submitting answers to some or all of the questions before 15 June.

The OAIC is then expected to finalise guidance ahead of commencement, likely by September 2026, leaving a relatively short implementation window. Given the complexity, organisations should treat compliance as a staged readiness exercise, based on the issues flagged in the issues paper.

While the guidance is being developed, organisations should prioritise the following steps:

Map ADM use cases

Considering the potential breadth of “computer programs”, organisations should identify where automated or semi‑automated decision-making is used across customer processes, HR, risk systems and third‑party tools, including AI, rules-based systems, and data-driven platforms. This includes assessing vendor tools and external platforms to understand how automated decision-making is embedded.

Assess applicability thresholds

Reflecting the issues paper’s emphasis on interpretative uncertainty, organisations should assess whether systems are “substantially and directly related” to decisions and whether those decisions “significantly affect” individuals’ rights or interests, taking into account factors such as reliance on outputs, degree of human oversight, and the nature and impact of the decision.

Update privacy disclosures

Given the OAIC’s focus on meaningful transparency, organisations should begin to plan how they will update their privacy policies, which can already be lengthy, to provide clear, accurate and sufficiently detailed descriptions of relevant ADM use cases, including the types of personal information used and the decisions made or supported by automated processes.

As a practical starting point, consistent with the broad framing in the issues paper, organisations should assume that any material use of automation involving personal information may require disclosure, particularly where it influences outcomes for individuals in a non-trivial way.

The OAIC’s consultation underscores that transparency is becoming central to the regulation of automated decision-making in Australia. While the immediate obligation focuses on privacy policy disclosures, compliance will require a deeper understanding of how automated systems operate in practice and how they affect individuals.

Organisations should already be mapping their automated decision-making tools and functionality; understand how they relate to and influence the decisions being made, as well as their impact on individuals and the data processing involved. They will also need to plan how they will meaningfully design their privacy policies updates to meet these obligations and ensure they are accessible.

Early engagement will better position organisations to manage compliance risk, respond to regulatory expectations, and address increasing scrutiny of data-driven decision-making.

Clients should seek advice on discovery, mapping and ADM assessments, consultation submissions and early readiness planning, including practical implementation strategies to operationalise these requirements ahead of the new regulation taking effect.