
After Robodebt: What the December 2026 Privacy Act Changes Mean for Australian Government
The 10 December 2026 commencement of new automated decision-making transparency obligations under the Privacy Act is the most significant ADM-specific regulatory change since the Robodebt Royal Commission. For Australian government agencies at the federal, state and territory level (and increasingly local), it carries weight that goes beyond compliance.
Robodebt is the obvious frame for thinking about this deadline, and it should be. The Royal Commission’s findings made clear that the harm caused was a function of automated decision-making at scale, applied without adequate transparency, without meaningful human review, and without the public understanding what was being done with their data. The new APP 1.7, 1.8 and 1.9 obligations, introduced by the Privacy and Other Legislation Amendment Act 2024, are the legislative response to that lesson, at least the privacy-side response.
The legal scope for government agencies
Every Commonwealth government agency is an APP entity. Most state and territory agencies are subject to equivalent state privacy regimes that mirror the APP framework, and some are also subject to the Commonwealth Privacy Act directly under specific designations.
Government in this context is exceptionally broad. Service delivery agencies. Regulators. Statutory authorities. Government business enterprises. Local councils where state legislation captures them. Public hospitals and public health services. Public schools and the departments that run them.
If any of these has arranged for a computer program to use personal information to make a decision that could reasonably be expected to significantly affect the rights or interests of a person, the new transparency requirements apply. That captures enormous swathes of public sector activity in 2026.

Where ADM lives in Australian government
Eligibility decisions are the most obvious. Welfare payments, concessions, subsidies, public housing access, visa processing, licensing, permitting. Almost every benefit-granting or benefit-refusing decision in Australian government today involves a computer program using personal information to either make the decision or substantially contribute to it.
Case management triage is another. Child protection systems, family services, disability services, mental health services, justice services. Many of these now use prioritisation algorithms to allocate finite caseworker capacity to the highest-need cases. The algorithm doesn’t make the final decision, but it shapes which cases get attention and when.
Identity verification has shifted heavily toward automation. Document recognition, biometric matching, digital identity proofing. The verification decision affects access to government services. It is in scope.
Tax assessment and compliance triage uses ADM extensively. Risk-scoring of returns, automated audit selection, debt prioritisation. Each of these is a decision that significantly affects a person’s interests.
Public sector AI adoption has accelerated specifically through Microsoft 365 and Copilot. Commonwealth investment in AI for the Australian Public Service, and the equivalent state-level programs, have put Copilot agents and AI-augmented workflows into pretty much every line of public service work. Many of these are quiet: citizen developers building Copilot Studio agents for FOI triage, briefing preparation, complaint routing and eligibility pre-screening. Few are inventoried at the level the new disclosure obligations require.

The accountability gap
Government agencies have a structural challenge that private-sector organisations don’t share to the same extent. Public sector procurement and software development practices have, historically, allowed AI capability to be deployed faster than privacy and transparency frameworks can keep up. The pace of Copilot rollout across the APS over the past eighteen months is a good example. The technology is in production; the governance frameworks are still being written.
The new APP 1.7 obligations effectively force a reconciliation. Every agency will need to know, by December, what its AI estate looks like: not just the strategic AI investments, but the long tail of citizen-developer agents, vendor-embedded ADM features, and legacy rules-based systems that quietly meet the legislative threshold.
The privacy policy disclosure is the visible artifact. The work behind it is an organisational mapping exercise that most agencies have not yet started.

Three things public sector agencies should do now
The first is to commission an AI estate inventory at the agency level, with a brief that explicitly includes Copilot Studio agents, vendor-embedded ADM features, and rules-based eligibility systems alongside the more obvious machine learning deployments. Many agencies will find that their initial inventory understates the actual scope by half.
The second is to formalise human-in-the-loop review checkpoints for in-scope decisions. The new APP 1.7 obligations don’t require human review, but they do require disclosure. A disclosure that says “we automate the decision and there is no human review” is technically compliant but politically and operationally untenable for any decision that materially affects a person. Robodebt is the cautionary tale here.
The third is to align the disclosure work with the broader Australian Government AI policy framework. The DTA’s updated Policy for the responsible use of AI in government, the AI Plan for the APS, the AI Impact Assessment Tool, and various agency-level responsible AI standards all need to land in the same place: a privacy policy disclosure that the agency can actually defend, supported by an inventory and governance frame that’s coherent across the agency’s full AI footprint.

The deadline is real
10 December 2026 is now seven months away. The OAIC has made clear, through its current privacy policy compliance sweep, that it intends to enforce. The Robodebt context means that public sector enforcement, when it comes, will be politically and reputationally consequential in ways that go well beyond a $66,000 infringement notice.
Public sector agencies should treat this as a board-level governance issue, not a privacy team’s compliance task. The work that needs to be done by December is too distributed across the agency for any one function to own it.
That’s the wider sector frame. Over the coming months I’ll be looking at how organisations in education, healthcare, and government are starting to operationalise the December deadline, and where the practical readiness gaps are. The technical work behind a compliant disclosure is bigger than most realise, but it’s also tractable if it starts now.
Jan Davids
Principal Consultant, Aureus Solutions
Microsoft AI Cloud Partner | Adelaide, SA

