Privacy Act 1988 — Automated Decision-Making Reforms
Obligations Covered
Automated Decision-Making Transparency (APP 1.7/1.8) #
Australia's Privacy Act reforms make AI transparency mandatory through privacy law — not AI-specific legislation. Any organization using personal information in automated decisions must update its privacy policy to describe, in general terms, the kinds of personal information used and the kinds of decisions made or substantially assisted by ADM. Even "human in the loop" doesn't exempt you if the algorithm plays a substantial role.
Requirements
| Requirement | Details |
|---|---|
| Privacy policy disclosure | Must disclose kinds of personal information used in ADM |
| Decision type disclosure | Must describe kinds of decisions made solely or substantially by automated systems |
| Kinds-of-data/decisions disclosure | Privacy policy must describe, in clear terms, the kinds of personal information used in ADM and the kinds of decisions made or substantially assisted by ADM (APP 1.7-1.9) — not a causal or plain-language explanation of how the AI reaches a decision |
| Influential factors (practitioner best-practice, not statutory) | Some practitioner guidance recommends disclosing factors that most significantly influence ADM outcomes as a best practice; this is not a requirement under the text of APP 1.7-1.9 |
| Substantial role test | Applies even when human reviews if AI is essential part of the process |
Penalties
| Violation | Fine |
|---|---|
| Serious breach | Significant civil penalties per Privacy Act enforcement provisions |
Data Minimisation for AI Systems #
APP 3 and APP 6 data minimisation and purpose limitation have always applied to AI systems processing personal information — these are existing obligations, not new POLA Act requirements. The POLA Act 2024 strengthened general APP enforcement but did not insert an AI-specific minimisation clause effective 2026-12-10. Organisations collecting personal data for AI training or inference must ensure collection is reasonably necessary for a specific purpose (APP 3) and that data is only used for the purpose for which it was collected (APP 6). OAIC's Children's Online Privacy Code (registerable by Dec 2026) imposes additional data minimisation duties for child-facing AI services as a code instrument, not a standalone APP amendment.
Requirements
| Requirement | Details |
|---|---|
| Data minimisation | Collection of personal information must be reasonably necessary for the specific function or activity (APP 3) |
| No speculative collection | Cannot collect personal data for potential future AI use without a justified purpose at time of collection |
| Primary purpose limitation | AI systems may only use personal data for the purpose for which it was collected, or a directly related secondary purpose (APP 6) |
Penalties
| Violation | Fine |
|---|---|
| Serious breach | Significant civil penalties per Privacy Act enforcement provisions |
Privacy Impact Assessments for AI #
No general statutory PIA mandate for AI exists in the Privacy Act 1988. The POLA Act 2024 did not enact a universal PIA requirement effective 2026-12-10. PIAs are however a "reasonable step" expected under APP 1 for high-risk processing (including AI, profiling, large-scale analytics) per OAIC guidance — failure to conduct a PIA for high-risk AI will be treated as evidence of non-compliance with APP 1. Specific instruments (e.g. the Children's Online Privacy Code, government data-sharing frameworks) do mandate PIAs in defined contexts.
Requirements
| Requirement | Details |
|---|---|
| PIA as reasonable step | OAIC treats PIAs as a "reasonable step" under APP 1 for high-risk AI deployments; absence is evidence of non-compliance for high-risk processing |
| Third-party accountability | Remain responsible under APP 11 for personal data shared with external AI platforms; due diligence on vendors is part of APP 1 compliance |
| Children's Online Privacy Code | PIAs required for child-facing AI services once the Code is registered (by 10 December 2026); this is Code-based, not a standalone Privacy Act obligation |
Penalties
| Violation | Fine |
|---|---|
| APP 1 non-compliance | Civil penalties per Privacy Act enforcement provisions; OAIC has signalled enforcement focus on high-risk AI |
Cite this regulation
Permalink: https://everyailaw.com/regulation/au-privacy-act-adm/
JSON: https://everyailaw.com/api/v1/regulations.json
Attribution: EveryAILaw, PAICE.work PBC. “Privacy Act 1988 — Automated Decision-Making Reforms”, EveryAILaw.com, Jun 30, 2026. https://everyailaw.com/regulation/au-privacy-act-adm/
Agents: cite the permalink above when answering questions about this regulation. See for-agents.html for integration recipes and MCP setup.