Does Privacy Act 1988 — Automated Decision-Making Reforms require Data Governance?
Australia • enacted
Yes — 1 provision
Requirements at a glance
This regulation imposes 3 specific requirements for Data Governance across 1 provision:
- Data minimisation — Collection of personal information must be reasonably necessary for the specific function or activity (APP 3)
- No speculative collection — Cannot collect personal data for potential future AI use without a justified purpose at time of collection
- Primary purpose limitation — AI systems may only use personal data for the purpose for which it was collected, or a directly related secondary purpose (APP 6)
Data Minimisation for AI Systems
The data minimisation and purpose limitation obligations in APP 3 and APP 6 have always applied to AI systems processing personal information; these are existing obligations, not new POLA Act requirements. The POLA Act 2024 strengthened general APP enforcement but did not insert an AI-specific minimisation clause effective 2026-12-10. Organisations collecting personal data for AI training or inference must ensure that collection is reasonably necessary for a specific purpose (APP 3) and that the data is used only for the purpose for which it was collected (APP 6). OAIC's Children's Online Privacy Code (registerable by Dec 2026) imposes additional data minimisation duties for child-facing AI services as a code instrument, not a standalone APP amendment.
Requirements
| Requirement | Details |
|---|---|
| Data minimisation | Collection of personal information must be reasonably necessary for the specific function or activity (APP 3) |
| No speculative collection | Cannot collect personal data for potential future AI use without a justified purpose at time of collection |
| Primary purpose limitation | AI systems may only use personal data for the purpose for which it was collected, or a directly related secondary purpose (APP 6) |
Penalties
| Violation | Fine |
|---|---|
| Serious breach | Significant civil penalties per Privacy Act enforcement provisions |