
December 2026: The Privacy Act Change Most Australian Businesses Aren’t Ready For
On 10 December 2026, a quiet but substantial change to the Privacy Act 1988 comes into force. New transparency obligations under APP 1.7, 1.8 and 1.9 will require any APP entity using a computer program to make decisions about people to disclose that fact, in plain language, in their privacy policy.
The deadline isn’t far off. And the language of the legislation is broader than most people realise.
What’s actually changing
The Privacy and Other Legislation Amendment Act 2024 (the POLA Act) introduced these new obligations as part of the first tranche of Australia’s privacy reforms. From 10 December 2026, an APP entity will need to update its privacy policy if it has arranged for a computer program to use personal information to make a decision that could reasonably be expected to significantly affect the rights or interests of an individual.
Three things in that sentence are worth pausing on.
The first is the definition of "computer program". It captures pre-programmed rule engines, machine learning models, and generative AI agents. If you have a Copilot Studio agent in your Microsoft 365 tenant making routing decisions about a person, it’s in scope. If you have a rules-based eligibility checker built in 2014, it’s in scope. The technology vintage doesn’t matter.
The second is the breadth of "significantly affect the rights or interests". The legislation gives examples: granting or refusing a benefit under legislation, decisions affecting contractual rights, decisions affecting access to a significant service or support. Critically, the effect can be either adverse or beneficial. Both count. A system that automatically approves a loan is just as captured as one that automatically declines it.
The third is that the requirement is prospective for any decision made on or after 10 December 2026. There is no grandfather clause for systems already in production. If your existing AI is making in-scope decisions on 11 December 2026, you need the disclosure in place.

Who’s caught
The obligation applies to APP entities, which includes most private-sector organisations with annual turnover exceeding three million dollars, foreign corporations carrying on business in Australia, and a long list of designated entities regardless of turnover. Health service providers, credit reporting bodies, and Consumer Data Right participants are all captured even if they’re small businesses.
That last point matters. A small specialist medical clinic running an automated triage tool is in scope. Government agencies are squarely in scope. So are most universities and TAFEs. Education, healthcare, and government are the three sectors where ADM use is most concentrated and where the December deadline will hit hardest.
The penalty regime
Failure to maintain a compliant privacy policy is now subject to a tiered penalty regime. The OAIC can issue infringement notices of up to $66,000 per contravention. Civil penalties for serious or repeated interferences with privacy can run into the millions.
The OAIC has already begun a privacy policy compliance sweep ahead of the deadline, and the regulator’s posture is clearly enforcement-led. Organisations should not assume they have until 10 December to start thinking about this. The sweep is happening now.

The hidden problem
Most organisations I speak with have a reasonable handle on what their privacy policy says today. Where they struggle is mapping the AI estate that the policy will need to describe.
In Microsoft 365 environments specifically, the proliferation of Copilot Studio agents over the past eighteen months means that ADM is happening in more places than IT teams realise. Citizen developers build agents for procurement triage, incident routing, customer eligibility, application screening. Many of these agents quietly use personal information and quietly contribute to decisions. Few are catalogued. Fewer still are governed.
You can’t write a compliant disclosure for ADM you don’t know is happening...
What to do now
Three actions are sensible between now and December.
The first is an inventory. Map every place in the technology estate where a computer program uses personal information to make or contribute to a decision affecting a person. This includes both bespoke systems and SaaS features that have ADM under the hood.
The second is a risk classification. Not every automated decision crosses the "significantly affect" threshold. Some clearly do, like an eligibility decision or a clinical triage flag. Some clearly don’t, like a routing decision that determines which inbox an email lands in. The middle ground needs careful judgment.
The third is to begin the privacy policy update conversation early with whoever drafts it. The technical descriptions need to come from the AI estate inventory. Lawyers can shape the language, but the substance has to come from the people who actually understand what the systems do.
Over the next two weeks I’m going to dig into what this means for each of the three sectors most exposed to the change: education, healthcare, and government. Each one has its own particular complications, and each one deserves its own detailed look.
If you want to talk about how this lands for your organisation, the door is open.
Jan Davids
Principal Consultant, Aureus Solutions
Microsoft AI Cloud Partner | Adelaide, SA
Sources:
Privacy and Other Legislation Amendment Act 2024 (Cth). Federal Register of Legislation. https://www.legislation.gov.au/C2024A00128/asmade
Office of the Australian Information Commissioner, Chapter 1: APP 1 — Open and transparent management of personal information (APP Guidelines). https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-1-app-1-open-and-transparent-management-of-personal-information
Office of the Australian Information Commissioner, "Passing of bill a significant step for Australia's privacy law" (29 November 2024). https://www.oaic.gov.au/news/media-centre/pasing-of-bill-a-significant-step-for-australias-privacy-law
MinterEllison, "Privacy and Other Legislation Amendment Act 2024 now in effect" (29 January 2025). https://www.minterellison.com/articles/privacy-and-other-legislation-amendment-act-2024-now-in-effect
MinterEllison, "OAIC ramps up privacy enforcement: are you ready?" (February 2026). https://www.minterellison.com/articles/oaic-ramps-up-privacy-enforcement-are-you-ready
Norton Rose Fulbright, "Australian Privacy Alert: Parliament passes major and meaningful privacy law reform" (December 2024). https://www.nortonrosefulbright.com/en/knowledge/publications/be98b0ff/australian-privacy-alert-parliament-passes-major-and-meaningful-privacy-law-reform

