
Your AI Is Making Decisions About People. From December 2026, Australian Law Requires You to Say So.

From December 10, 2026, Australia's Privacy Act will require every APP entity to disclose in its privacy policy when computer programs make, or substantially assist in making, decisions that could significantly affect individuals. The OAIC is already conducting a compliance sweep of privacy policies. Here is what the obligation requires, who it applies to and what governance infrastructure makes compliance achievable.

By Mark Miller

Six months is not as long as it sounds.

On December 10, 2026, new obligations under the Privacy Act 1988 will require every applicable Australian organisation to disclose in its privacy policy when and how computer programs make or substantially assist in making decisions that could significantly affect an individual's rights or interests. The Office of the Australian Information Commissioner (OAIC) is already conducting a compliance sweep of privacy policies. That sweep is not a warmup. It is enforcement beginning.

The challenge facing most organisations is not understanding what the law requires. It is that accurate disclosure requires knowledge of AI systems that most governance programmes have never properly documented. You cannot write an accurate privacy policy about systems you have not mapped.

What the Law Actually Requires

New APPs 1.7, 1.8 and 1.9, introduced by the Privacy and Other Legislation Amendment Act 2024, set out the disclosure obligations in specific terms. From December 10, 2026, APP entities must include in their privacy policies the kinds of personal information used in computer programs that make or substantially assist in making decisions, the kinds of decisions made solely by a computer program, and the kinds of decisions in which a computer program substantially assists. The obligation is limited to decisions that could reasonably be expected to significantly affect the rights or interests of an individual.

Two elements catch organisations off guard. First, the obligation covers decision-support tools, not just fully automated systems. If your AI substantially assists a human in reaching a decision, the obligation may apply. Second, the amendments apply to any decision made on or after December 10, regardless of when the AI system was built or deployed. You cannot argue your system predates the obligation.

The OAIC has been direct on this: generic or boilerplate language will not satisfy the requirements. Disclosures must be tailored to your actual systems and processes. That standard cannot be met without a prior inventory of what those systems are doing.

Who This Actually Applies To

Broader than most assume.

APP entities covered by this obligation include private sector organisations and not-for-profits with annual turnover above $3 million, health service providers, credit reporting bodies and certain other categories regardless of size. Foreign corporations carrying on business in Australia and collecting or holding Australians' personal information are also covered.

The specific obligation is triggered when a computer program uses personal information to make or substantially assist in making a decision that could significantly affect individual rights or interests. Emerging OAIC guidance points to credit assessments and lending decisions, hiring and workforce decisions, insurance underwriting and claims processing, customer eligibility and entitlement decisions, fraud detection and risk scoring that affects account access, and case management in healthcare, professional services or financial services.

If your organisation uses AI in any process where the outcome determines what someone receives, loses or is denied access to, the obligation is likely to apply. That includes AI-assisted workflows on platforms such as Microsoft Copilot where those tools access case files, financial records or HR data.

What the Disclosure Must Actually Say

To write a disclosure that satisfies APP 1.7, your organisation needs to know which computer programs are involved in decision-making, what personal information those programs use, what kinds of decisions are being made or substantially assisted, and which of those decisions could significantly affect individuals.

Most organisations cannot answer those questions quickly. They have AI tools deployed across business units that were procured without formal intake processes. They have workflow automation running for years without anyone having classified whether it involves automated decision-making in the Privacy Act sense. They have third-party AI tools embedded in CRM or HRM platforms whose data flows have never been properly examined.

The OAIC's position makes the gap more acute. A disclosure that says "we may use technology to assist with our decision-making processes" when specific systems are making specific decisions about specific categories of people will not pass scrutiny. The disclosure needs to name the system types and decision categories in actual use.

That is a governance exercise, not a legal drafting one.

Why Governance Infrastructure Is the Real Requirement

This is where most approaches to December 10 go wrong.

Legal teams cannot fix this alone because they do not have visibility into which AI systems are doing what. Privacy officers cannot fix it alone because they rarely have authority over AI deployment decisions made by business units or IT. Technology teams cannot fix it alone because they do not know how legal thresholds for "significant effect" map onto the systems they manage.

What compliance actually requires is an AI use-case register that records which systems are in use, what they do, what personal information they rely on, who they make decisions about and what impact those decisions have on individuals. That register, maintained properly, allows a privacy team to update a disclosure accurately in hours. Without it, the organisation faces an emergency inventory under deadline pressure with a high probability of getting the disclosure wrong.

Worth noting here: once an organisation has disclosed in its privacy policy that a computer program is substantially involved in decisions affecting individual rights, it has set an accountability standard that regulators and affected individuals can reference. An inaccurate disclosure is a more serious problem than a disclosure gap.

The OAIC Compliance Sweep Is Already Running

The OAIC's 2026 Community Attitudes to Privacy Survey found a significant escalation in public concern about how personal information is used in AI contexts, alongside falling trust in AI-related technologies. That combination signals an OAIC that is unlikely to treat superficial disclosures as adequate.

Penalties for Privacy Act non-compliance are real. Serious or repeated breaches can attract civil penalties up to the greater of $50 million, three times the value of the benefit obtained from the contravention or, where that benefit cannot be determined, 30% of adjusted turnover for the breach period. The OAIC can also issue compliance notices and infringement notices for less serious contraventions.

In the event of a privacy incident involving an AI decision-making system, a non-compliant or inaccurate privacy policy is an aggravating factor. The time to act is not October.

What This Means for Your Organisation

What we see consistently across financial services, professional services and healthcare is that the AI systems most likely to trigger December 10 obligations are the ones furthest from formal governance oversight.

The automated scoring model built by the analytics team in 2022. The AI-assisted triage tool the contact centre deployed during a peak period and never formally onboarded. The workflow automation that determines which cases are escalated or approved. These systems were deployed before most organisations had a use-case intake process. They are making or substantially assisting decisions that affect people. And they are typically absent from any AI inventory that would allow a privacy team to write an accurate disclosure today.

The organisations that handle December 10 without disruption are those that already have structured use-case intake, a register capturing decision type and individual impact for each AI deployment, and clear ownership of who is accountable for each system. That infrastructure does not materialise from scratch in six months. But it can be built faster than most people assume if the right structure is in place from the outset.

Key Takeaways

  • From December 10, 2026, APP entities must disclose in their privacy policies when and how computer programs make or substantially assist in making decisions that could reasonably be expected to significantly affect individual rights or interests
  • The obligation applies to any decision made on or after that date regardless of when the AI system was built or deployed
  • Generic disclosures will not satisfy OAIC expectations: policies must reflect actual systems and decision categories
  • Compliance requires a mapped inventory of AI use cases recording decision type, personal information used and individual impact
  • The OAIC is already conducting a privacy policy compliance sweep and enforcement risk is live

How Trusenta Can Help

AI Governance provides the use-case register and risk assessment workflows that make December 10 compliance achievable. By capturing every AI initiative at intake with full context including decision type, personal information involved and individual impact on people, it creates the foundation for accurate, OAIC-compliant privacy policy disclosures.

Compliance Management tracks obligations across multiple frameworks in a single platform, including the Privacy Act automated decision-making requirements alongside EU AI Act, ISO 42001 and NIST AI RMF, so your team is not managing December 10 as an isolated compliance project.

AI Governance Foundations is a 10-day engagement that establishes the accountability structures, risk classification framework and use-case tracking infrastructure required to build an accurate picture of which AI systems are making what decisions about whom, giving your governance programme the foundation to meet December 10 with confidence.

The Accountability Gap Is About to Show

The December 10 obligation is not asking organisations to stop using AI in decision-making. It is asking them to know what their AI is doing and to say so honestly.

That is a reasonable request. It is also one that exposes a governance gap most organisations have quietly tolerated for years. The organisations that come through December 10 with credibility are those that treat it as what it actually is: a moment to build the AI governance infrastructure that makes responsible deployment provable and auditable. Not a documentation exercise. An operational capability.

Written by Mark Miller

Mark brings a rare blend of C-suite leadership and hands-on consulting experience to Trusenta. As a former SVP of Services, SVP of Business Operations, Managing Director and CIO, he has a breadth of experience in guiding organisations through AI strategy, governance and adoption, bridging ambition with practical execution. His focus is on helping clients embed AI responsibly, at scale and in service of real business outcomes.
