Does Privacy Act 1988 — Automated Decision-Making Reforms require Risk Assessment?

Australia • enacted

Yes — 1 provision

Requirements at a glance

This regulation imposes 3 specific requirements for Risk Assessment across 1 provision:

Privacy Impact Assessments for AI

Obligation: Risk Assessment
Status: enforcing
Effective: Dec 21, 1988
Risk tier: all
Scope: providers, deployers
Tag: sleeper
The Privacy Act 1988 contains no general statutory requirement to conduct a privacy impact assessment (PIA) for AI. The Privacy and Other Legislation Amendment Act 2024 (POLA Act), whose automated decision-making provisions commence on 10 December 2026, did not add a universal PIA requirement either. Under Australian Privacy Principle 1 (APP 1), however, the Office of the Australian Information Commissioner (OAIC) treats a PIA as a "reasonable step" for high-risk processing, including AI, profiling and large-scale analytics, so failure to conduct a PIA for high-risk AI will be treated as evidence of non-compliance with APP 1. Specific instruments (for example the Children's Online Privacy Code and government data-sharing frameworks) do mandate PIAs in defined contexts.

Requirements

Requirement: PIA as reasonable step
Details: OAIC treats PIAs as a "reasonable step" under APP 1 for high-risk AI deployments; absence of a PIA is evidence of non-compliance for high-risk processing.

Requirement: Third-party accountability
Details: An entity remains responsible under APP 11 (security of personal information) for personal data shared with external AI platforms; due diligence on vendors is part of APP 1 compliance.

Requirement: Children's Online Privacy Code
Details: PIAs are required for child-facing AI services once the Code is registered (by 10 December 2026); this is a Code-based obligation, not a standalone Privacy Act obligation.

Penalties

Violation: APP 1 non-compliance
Fine: Civil penalties under the Privacy Act's enforcement provisions; the OAIC has signalled an enforcement focus on high-risk AI.