The 2026 automated decision-making obligations are not just a privacy policy update. They test whether organisations can describe their own automated decisions.
From 10 December 2026, Australian APP entities will have to say more about certain automated decisions in their privacy policies. The wording sounds administrative, and a lot of organisations are treating it that way. It isn’t.
The obligation applies when a computer program uses personal information to make, or play a substantial role in making, a decision that significantly affects someone’s rights or interests. The privacy policy then has to describe the kinds of personal information used, the kinds of decisions the program makes outright, and the kinds where the program performs a substantial step.
Most organisations won’t struggle because the rule is impossible to read (although, because of its wide ambit, it is). They’ll struggle because they’ve never mapped their decision environments with enough precision to know what they can honestly say.
Mapping business processes is a difficult task at the best of times, whether for procedures, business continuity, or just understanding what is critical to operations. Whether you’re a small, mid-sized or large company, the activity is a challenge, and keeping the maps current is another challenge in itself.
These maps traditionally don’t include who actually makes the decision. There are pretty little diagrams with decision points and perhaps swim lanes, but decisions are ascribed to functions or titles, not to whether the decision is being made by a human or a system. The little triangle denoting a decision point is agnostic.
The Rule Catches More Than “AI”
The reform isn’t an “AI systems register” obligation, and it isn’t the GDPR-style right to human review either. It’s a transparency obligation about consequential automated decision-making, and the rule looks at what the system does, not what it’s called.
The systems that count aren’t just the ones internally labelled AI. Most organisations are running plenty of automated decision-making that was never categorised that way: rule-based logic, vendor tools, eligibility processes, ranking models, workflow engines, even the Excel macros that someone built years ago to handle a calculation that’s been quietly determining outcomes ever since. The 2026 rule reaches into that pile, and it’s usually much bigger than the AI register suggests.
The Disclosure Includes What Happens Before The Human
The rule applies even where a person approves the final outcome. What it asks the organisation to describe is the automated step that came before the human, whether the system ranked cases, routed customers, flagged risk, prioritised access, filtered applications, or shaped which matters received meaningful review.
That step is often substantially and directly related to the decision, even when a person sits at the end of it. By the time the human confirms an outcome, the automation has frequently already narrowed what the human can sensibly choose between.
Describing it accurately is where the inventory work actually starts.
The Disclosure Is the Output, Not the Work
Privacy policies are drafted last, after the substantive work has been done. The 2026 rule makes that ordering visible, because the disclosure can only be honest if the organisation knows what its automated decisions are doing.
The inventory itself requires identifying every consequential decision in the business, tracing which parts are automated and which a human takes, mapping what personal information each automated step uses, and reconciling all of that with what procurement signed, what IT deployed, and what privacy thought was in scope. No single function has all of it in one place, which is why the inventory typically stalls before it’s complete.
Generic wording in the privacy policy won’t suffice. A statement that the organisation “uses technology to support decision-making” reads as safe and means very little; if the regulator follows up, the gap between the description and the actual systems becomes the issue. The OAIC’s APP 1 guidance already requires privacy policies to be clearly expressed, up to date, and tailored to actual information-handling practices. Tailoring requires knowing what the practices are.
The Reform Tests Whether You Know Your Own Decisions
The December 2026 reform is being read as a transparency obligation. It’s really a test of whether the organisation can describe its own automated decisions clearly enough to stand behind the disclosure. The organisations that can’t will discover the gap when the disclosure goes out, the regulator reads it, the description doesn’t match what the systems are actually doing, and the gap itself becomes the issue. The OAIC has real penalties for getting it wrong now, as Australian Clinical Labs just showed.
Boards that want to avoid that moment should be commissioning the inventory work now. The disclosure date is fixed at 10 December 2026, which is seven months away. The work takes longer than people expect because no single function can do it alone. The only variable left for management is whether they start in time or finish after the regulator has already started asking questions.
Update, 20 May 2026: The OAIC opened a consultation on 18 May on the Issues Paper for guidance on the ADM transparency obligation. Submissions close 15 June 2026 and are open to anyone with a view on how the guidance should be shaped, including government, private sector, civil society and academia.
The consultation is also a signal that the obligation’s practical shape isn’t entirely settled. The Privacy and Other Legislation Amendment Act 2024 moved through Parliament quickly, and some of the operational ambiguity in this rule may reflect how little time the drafting had to anticipate edge cases. The consultation period is an opportunity to surface those before December, and the resulting guidance may end up shaping what compliance actually looks like in practice.