Privacy Act - automated decision-making transparency
Entities using automated decisions that significantly affect individuals must update privacy policies to disclose the use, types of decisions, and personal information involved. Applies to all APP entities - i.e. most SMBs handling personal information.
What this means for your business
From 10 December 2026, Australian businesses covered by the Privacy Act 1988 (Cth) must include an 'automated decision-making (ADM) transparency statement' in their privacy policy. This is one of several Privacy Act reforms being introduced in stages. The requirement applies where a business uses automated tools - including AI, algorithms, or automated scoring systems - to make decisions that significantly affect individuals.
The obligation is a disclosure requirement, not a prohibition. You don't need to stop using automated tools - you need to tell people, in your privacy policy, what kinds of decisions you use automated means to make and how those decisions are made. 'Significantly affect' is not yet defined by regulation, but OAIC guidance suggests it includes decisions about credit, insurance, employment, tenancy, and services.
For real estate agencies, this is particularly relevant for AI-powered tenant screening tools, automated application scoring, and property valuation models. Mortgage brokers and accountants using automated credit decisioning or tax assessment tools are also likely caught. The Privacy Act reforms also introduce enhanced individual rights (right to erasure, right to explanation) and strengthened enforcement powers for the OAIC.
What your business needs to do
- Identify all automated or AI-assisted tools your business uses that make or contribute to decisions about individuals - tenant applications, credit assessments, insurance scoring, employment screening.
- Review your current privacy policy - most existing policies do not contain an ADM transparency statement and will need updating before 10 December 2026.
- Draft an ADM disclosure statement describing: what types of automated decisions are made, what personal information is used, and in general terms how the automated process works.
- Publish the updated privacy policy before 10 December 2026 and ensure all staff who handle privacy-related queries are aware of the new content.
- Consider whether any of the other Privacy Act reforms (right to erasure, enhanced breach reporting) require process changes before the same date.
Written by Tim Jones, Founder & Principal Consultant, Nifty Computing
Applies to: Australia (all states and territories)
Sources: OAIC, Privacy Act 1988 (Cth)