11 June 2026

OAIC consultation to develop guidance for automated decision making transparency requirements

Helen Clarke, Sophie Dawson, Emily Lau, Liesel Millard

New transparency requirements about the use of automated decision making (ADM) will come into effect on 10 December 2026. The Office of the Australian Information Commissioner (OAIC) has released an Issues Paper seeking feedback on proposed guidance to support compliance. Submissions for the consultation are due on Monday 15 June 2026. The OAIC intends to release its guidance by September 2026.

This article outlines what the ADM transparency requirements are, the potential challenges in implementing the requirements for industry and why your organisation may consider making a submission.

The new ADM transparency requirements

From 10 December 2026, if an entity regulated by Australia’s Privacy Act 1988 (Cth) has:

  • arranged for a computer program to make a decision, or do a thing that is substantially and directly related to making a decision, that could reasonably be expected to significantly affect an individual’s rights or interests; and
  • that individual’s personal information is used in the operation of the computer program,

the APP entity must include the following information in its public facing privacy policy:

  • the kinds of personal information used in the operation of the computer program;
  • the kinds of decisions made solely by the operation of the computer program; and
  • the kinds of decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of the computer program.

The change will apply to decisions made after 10 December 2026.

Potential challenges in applying the concepts from the ADM transparency requirements

In a previous article, we identified some practical challenges in complying with the ADM transparency requirements. The key challenge will be conducting the threshold assessment, which will involve interpreting and applying the new concepts. For this reason, your organisation may consider making a submission to the OAIC to help inform its guidance on the requirements.

The table below sets out these concepts and challenges your organisation may face when interpreting them. 

Concept | Challenges | Relevant Issues Paper question(s)
Arranged for

The Issues Paper indicates that “arranged for” recognises that one entity operates a computer program and another entity is responsible for arranging for a computer program to make or assist a decision. Examples provided are when an organisation procures another entity’s AI system to evaluate job applications or uses a case management system to automatically evaluate and escalate particular complaints.

The distinction between "arranging for" and "operating" ADM will be critical for organisations. Organisations should be aware that an entity that develops and hosts software that automatically approves or rejects customer applications, but does not use it itself, may simply be "operating" ADM rather than "arranging for" it.  

The challenge will be deciding how much control the organisation has over the operation of the computer program to make a decision or assist in a decision.

Question 9 asks for scenarios relevant to the meaning of “arrange for” for which you consider guidance is required, and the reasons why.

Computer program

The Privacy Act does not define the concept of “computer program”, but the Issues Paper states that the concept will cover a wide range of technologies e.g. software, apps, word-processing tools, AI and machine learning processes. 

Organisations will need to consider all their computer programs involved in making particular decisions given that the meaning of a computer program will likely be interpreted broadly.

There is no specific question in the Issues Paper about what a computer program is, but organisations are invited to comment on issues more generally and may raise any concerns about what is and is not caught by the concept of a “computer program”.

Substantially and directly related to making a decision

The Explanatory Memorandum for the reforms indicates that for a thing to be substantially related to making a decision, it has to be a key factor in facilitating the human’s decision making, and for a thing to be directly related to making a decision, it must have a direct connection to making the decision. It clarifies that word processing and basic calculation tools are generally not substantially and directly related to making a decision.

This concept may be challenging to apply when decision making involves multiple stages. 

In question 1, the OAIC seeks views on what relevant factors enable an entity to assess whether a computer program substantially facilitates and is directly connected to a human decision.

Question 2 presents a fictional case study regarding an aged care insurance agency that uses a generative AI chatbot to summarise candidate profiles and receive recommendations about elderly people being eligible for aged care support. The question asks whether this use of generative AI is substantially and directly related to decision making.

Significantly affect rights or interests

The Issues Paper indicates that rights and interests will be interpreted broadly, and the impact on individuals will depend on their life circumstances, such that a decision may have a more significant effect on vulnerable groups. Such decisions may be:

  • a grant, or refusal to grant, a benefit under statute to an individual;
  • a decision affecting someone’s rights under a contract; or
  • targeted advertising and content that results in differential pricing, restricted access to goods or services, or limited employment opportunities.

The ADM transparency regime applies even if the significant effect on an individual’s rights and interests is positive.

Organisations will need to consider scenarios where a decision could significantly affect an individual’s rights or interests. 

Question 3 requests factors that increase the likelihood that a decision could affect an individual’s rights or interests.

Question 4 asks organisations about which classes of persons are considered vulnerable when thinking about a decision’s expected impact on a person, and the reasons why.

Question 5 asks organisations what constitutes a significant service or support.

Question 6 requests organisations to specify other legal frameworks or policies that the OAIC should consider when interpreting “rights” and “interest”.

Question 7 provides a fictional example of differential pricing of books based on geographic location and asks whether price inflation for a consumer product significantly affects the interests of an individual.

Making a decision

The Issues Paper considers the meaning of “decision” across other legislation. 

Organisations will need to navigate many decisions that will affect an individual’s rights or interests. They will need to consider the broad understanding of the meaning of “decision” in less visible ADM processes, any step of which may be caught by the ADM transparency regime.

Question 8 provides a fictional case study where an algorithm on a website determines which classes of potential candidates will see a job ad and asks whether a decision to not display a job ad to a female graduate engineer should be considered a “decision”. 

The second practical challenge will be how much information to disclose in a privacy policy to comply with the ADM transparency requirements without overwhelming the individual with unhelpful information. The Issues Paper acknowledges the importance of avoiding the provision of excessive details to individuals that obscure the transparency of the communication surrounding ADM and asks about the appropriate level of detail in question 10 of the Issues Paper.

Why your organisation may wish to prepare a submission

Non-compliance may expose organisations to infringement notices, compliance notices and other more serious enforcement action. The OAIC has indicated that it will take a more proactive enforcement approach through its audit of specific industries’ privacy policies earlier this year. The OAIC may also consider whether disclosures indicate broader non-compliance with other Australian Privacy Principles – for example, in relation to the collection, use and disclosure of personal information.

The changes will impact a number of industries. Many organisations use AI tools to assist in recruitment and engage in targeted online advertising. In addition:

  • a number of banks use computer programs to assist in assessing loan applications;
  • many service providers use computer programs to triage consumers requesting their services; and
  • many healthcare providers use computer programs to make decisions impacting the level and type of healthcare that a patient receives.

Your organisation may wish to engage with the OAIC on the issues raised in the Issues Paper and make a submission to seek more clarity on the relevant concepts and how you will apply them when they take effect on 10 December 2026.

What else can your organisation do to prepare?

Organisations should not wait for release of the OAIC’s guidance before taking steps to prepare for compliance with the new ADM transparency requirements. Compliance preparation should include careful review and mapping of systems, ADM tools and functionality used across the organisation and:

  • how they are used in or influence decision making;
  • how and for what purposes they process personal information; and
  • what the potential impact on individuals and their data is.

Contact our team if you would like assistance in preparing submissions before 15 June 2026 or assessing the impact of these requirements on your privacy policy.