JUMP TO
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiJiOTRiNzc5MS05ZTkxLTQzYjItYTgxYi0xNjkwZmQwNDFiMzYiLCJyb2xlIjoiQXBpVXNlciIsIm5iZiI6MTc4MjI0MzU1MiwiZXhwIjoxNzgyMjQ0NzUyLCJpYXQiOjE3ODIyNDM1NTIsImlzcyI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL29haWMtc2Vla3MtZmVlZGJhY2stb24tYXV0b21hdGVkLWRlY2lzaW9uLW1ha2luZyIsImF1ZCI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL29haWMtc2Vla3MtZmVlZGJhY2stb24tYXV0b21hdGVkLWRlY2lzaW9uLW1ha2luZyJ9.YYHSTD9ydeKiR0KV3D51JNa-LGhT26U-6b-_GWu6djM
    https://www.minterellison.com/articles/oaic-seeks-feedback-on-automated-decision-making
    CLOSE
    CONTACT US Search Minter Ellison
    • Technical update

    OAIC seeks feedback on automated decision-making

    18 minute read  03.06.2026 Fiona Chui, Chelsea Gordon, Sam Burrett

    The OAIC seeks public feedback on the new ADM Obligation. We highlight key aspects and how to prepare for 10 December 2026. Further guidance from the OAIC is expected by September 2026.


    Key takeouts


    • The ADM Obligation will take effect on 10 December 2026.
    • The OAIC's public consultation is open until 15 June 2026.
    • APP entities should take steps now to comply with the new ADM Obligation. 

    The Office of the Australian Information Commissioner (OAIC) published its 'Automated Decision-Making Issues Paper' (Issues Paper) on 18 May 2026. The Issues Paper seeks public feedback in relation to the development of guidance on the automated decision-making obligation (ADM Obligation). The ADM Obligation commences on 10 December 2026 for agencies and organisations regulated by the Privacy Act 1988 (Cth) (APP entities). To support compliance, the OAIC will publish guidance by September 2026 following the conclusion of this consultation on the 15 June 2026.

    This article summarises the key elements of the Issues Paper and provides early guidance about which decisions may be captured.

    1. Background

    1.1 The Privacy and Other Legislation Amendment Bill 2024 (Cth) (Amendment Bill) received Royal Assent on 10 December 2024 and introduced Tranche 1 of the long-anticipated amendments to the Australian Privacy Laws. The Amendment Bill included a new transparency obligation for APP entities to disclose certain information about their use of 'automated decision-making systems' (ADM Systems) in Privacy Policies. 

    1.2 The Amendment Bill's Explanatory Memorandum (Explanatory Memorandum) provides that this obligation is intended to provide individuals with greater transparency about how an entity handles their Personal Information and for what purposes, and 'allows them to take further action if there has been a breach of their personal privacy'. The OAIC considers the ADM Obligation works synergistically with other legislation and supports individuals with appropriate exercise of their information access rights, including under the Freedom of Information Act 1982 (Cth).

    2. How will ADM transparency improve access to privacy and justice in the digital era?

    2.1 The ADM Obligation gives individuals visibility over how APP entities use Personal Information in ADM Systems and the kinds of decisions made using these systems. This will enable individuals to access appropriate review pathways under the relevant legislative frameworks, such as:

    • inappropriate handling of Personal Information in ADM Systems (e.g. without consent) could trigger complaints to the OAIC and recourse under the Privacy Act 1988 (Cth);
    • use of ADM Systems in ways that result in discrimination on the basis of age, disability, or sex, could trigger review under various anti-discrimination laws; and
    • use of ADM Systems in administrative decision-making could be challenged through merits review or judicial review. 

    2.2 ADM transparency will enable individuals to raise concerns in a more informed and efficient way.

    3. How do the transparency obligations apply to artificial intelligence?

    3.1 The ADM transparency requirements apply where computer programs are used to do things 'substantially and directly related to' making a relevant decision. This means decisions made or impacted by artificial intelligence (AI), such as generative AI and machine learning, are captured. However, the obligations also apply to non-AI computer programs. 

    3.2 The term, 'computer program' has its ordinary meaning under APP 1.7(a) and encompasses 'a broad range of matters, including pre-programmed rule-based processes, artificial intelligence and machine learning processes' (Explanatory Memorandum).

    4. The ADM Obligation – a quick summary

    4.1 The Explanatory Memorandum provides that:

    • the insertion of APP 1.7 will require APP entities to update their Privacy Policies to include the specific information set out in APP 1.8 about use of ADM Systems if:   
      1. the APP entity has arranged for a computer program to make, or do a thing that is substantially and directly related to making a decision (APP 1.7(a)); and
      2. the decision could reasonably be expected to significantly affect the rights or interests of an individual (APP 1.7(b)); and
      3. Personal Information about the individual is used in the operation of the computer program to make the decision or do the thing that is substantially and directly related to making the decision (APP 1.7(c)).
    • Under APP 1.8, APP entities will be required to include information in their Privacy Policies including:
      1. the kinds of Personal Information used in the operation of such computer programs; and
      2. the kinds of decisions made solely by the operation of such computer programs; and
      3. the kinds of such decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of such computer programs.
    • The new APP 1.9 provides that for the purposes of APP 1.7 and 1.8:
      1. ‘making a decision’ includes refusing or failing to make a decision; and
      2. ‘doing a thing’ includes refusing or failing to do a thing; and
      3. a decision may affect the rights or interests of an individual, whether the rights or interests of the individual are adversely or beneficially affected. 

    4.2 The new obligations in APP 1 will apply broadly, regardless of whether the arrangement for a computer program to make the decision was made before or after commencement of the Amendment Act, and regardless of whether the Personal Information in the operation of the computer program was acquired before or after the commencement of the Amendment Act (Explanatory Memorandum, para [344]).

    5. Issues Paper – emerging guidance and areas for consultation 

    5.1 In the Issues Paper, the OAIC provides preliminary guidance and key edge cases, to seek feedback about whether they should be captured. We have summarised the preliminary commentary and edge cases in the below table.

    Computer program Navigation Show below Hide below

    Issues Paper guidance

    The Issues Paper confirms the term is intended to be interpreted broadly.

    Examples and edge cases

    The Explanatory Memorandum provides that the term is intended to include pre-programmed rule-based processes and AI and machine learning processes to make a computer execute a task.

    Examples from the Issues Paper: 

    • commonly-used software, apps, or word-processing tools; and
    • generative AI tools used to generate text, images, videos, code or synthesis, including chatbots.

    Arranged for Navigation Show below Hide below

    Issues Paper guidance

    The Issues Paper confirms 'arranged for' is distinct to 'operation of' a computer program. An APP entity that
    merely operates (i.e. develops, hosts, or maintains system infrastructure for) an ADM System would not likely
    be captured by the ADM Obligation. In order to be captured, an APP entity would 'need to be responsible for
    arranging the computer program to make or assist a decision'. 

    Examples and edge cases

    Examples from the Issues Paper that the OAIC suggests may be captured: 

    • the entity procures an AI system to screen and rank job applications, which leads to a decision on who the entity employs; 
    • an employer directs an employee to use an AI chat tool to draft performance assessments that determine promotion decisions; 
    • an entity contracts a third party software company to automatically approve or decline refunds on its behalf; and 
    • where an entity has a case management system that automatically escalates specific types of complaints. 

    Making a decision Navigation Show below Hide below

    Issues Paper guidance

    The OAIC is looking at how 'decision' is interpreted in other legal frameworks such as in administrative law and corporations law. 

    Substantially and directly related to Navigation Show below Hide below

    Issues Paper guidance

    This Issues Paper reiterates the Explanatory Memorandum's high-level guidance that:

    1. 'substantially' means where the thing made or done by a computer program is a key factor in facilitating the human’s decision making; and
    2. 'directly' means where the thing made or done by a computer program has a direct connection with the making of the decision.

    The OAIC is also considering the use of 'substantial' in other legal frameworks such as the Freedom of Information Act 1982 (Cth).

    Examples and edge cases

    The Explanatory Memorandum provides:

    • if Microsoft Excel was used to add numbers to arrive at a sum, the use may be 'directly related' to making a decision, but would not be 'substantially related' to making a decision.
    • if Microsoft Excel was used to generate a score about an individual which was a key factor in decision-making, this would be considered 'substantially related to' making a decision. 

    The Issues Paper provides additional clarification:

    • a pre-programmed formula in Microsoft Excel used to score and triage people calling a domestic violence hotline, which is a key factor in a human's decision of what order to attend calls, would arguably be considered substantially and directly related to making a decision.
    • however, if Microsoft Excel is used to calculate a person's age based on a date of birth in a spreadsheet, this would arguably be 'directly related' to making a decision but would not meet the 'substantially related' threshold in APP 1.7.

    Significantly affect the rights or interests of an individual Navigation Show below Hide below

    Issues Paper guidance

    The OAIC is considering overseas guidance on the meaning of 'rights' and 'interests', such as the UK Information Commissioner’s Office  Guidance and the European Commission Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679

    The OAIC provides that in order to reach the 'significant' threshold, 'the effects must be more than trivial, and must have the potential to significantly influence the circumstances of the individual concerned'. The OAIC acknowledges that whether the use of a computer program will 'significantly' affect individuals' rights or interests will be context-dependent and require consideration of factors such as the vulnerability of the individual, and the service or support to which the individual may be prohibited from accessing.

    Examples and edge cases

    The Explanatory Memorandum refers to APP 1.9(d) which provides the following examples of relevant decisions:

    • a decision made under legislation to grant or refuse to grant a benefit to an individual;
    • granting admission to a country;
    • entitlement to a housing benefit;
    • a contract for a life insurance policy;
    • access to healthcare services
    • use of computer programs to target individuals with content and advertisements where it results in differential pricing of goods and services, or limits access to employment opportunities. 

    5.2 Matters for public consultation

    5.3 The Issues Paper seeks public consultation on the following aspects of the ADM Obligation:

    1. what should be considered a 'decision' for the purposes of APP1.7;
    2. what relevant factors should be taken into account when considering whether an entity's use of an ADM System is 'substantially and directly related to making a decision'. The OAIC has proposed factors that may be relevant, including:
      1. the ability and likelihood of human override of an ADM System decision;
      2. the nature of the ADM System output; and
      3. explainability of ADM outputs.
    3. what factors could increase the likelihood that a decision could affect an individual's rights or interests;
    4. scenarios relevant to the meaning of 'arranged for' that may require further guidance;
    5. classes of persons considered to be vulnerable, whose rights will be more greatly impacted by an ADM System decision; and
    6. what constitutes 'significant services or support' for the purposes of APP1.9(d).

    5.4 ADM Obligation subject to APP 1 objective

    5.5 The overarching objective of APP 1 is to ensure APP entities handle individuals' Personal Information that is used in decision-making that impacts individuals' rights and interests in a transparent way. This means APP entities subject to the ADM Obligation will be required to include relevant APP 1.8 information in their Privacy Policies but also to present it in a 'clearly expressed' manner (APP 1.3). APP entities will need to strike a balance between providing accurate information, sufficient to discharge their ADM Obligation, and not providing excessively detailed technical information that may be unclear or inaccessible to readers.

    5.6 Entities likely to be captured by the new Children's Online Privacy Code (under consultation until 5 June 2026) will also need to consider how they can discharge their ADM Obligation in a way that is age-appropriate and accessible by children.

    6. What businesses should do to prepare for 10 December 2026

    6.1 Businesses should start to prepare now for the 10 December 2026 deadline. Key activities we recommend include:

    • Taking stock of what 'computer programs' are currently in use
      A useful first step would be to prepare an inventory of possibly relevant computer programs in operation in the business. Businesses should then consider whether the computer program is caught by the new ADM Obligation and if so, the extent to which its Privacy Policy must be updated. For most organisations, this will be the most significant and time-intensive phase of work. Not all computer program use will enliven the ADM Obligation. Computer programs will need to be used in ways which meet the APP 1.7 threshold (set out in paragraph 4.1(a)). Businesses should keep records of their assessments of computer programs, including reasoning for why certain computer programs do not qualify as ADM Systems.
    • Updating or developing IT Asset Registers and AI System Registers
      We recommend businesses develop or update existing IT Asset Registers and AI System Registers (if applicable) to assist with identifying relevant system owners, whether assets are likely to constitute ADM Systems, and other technical details to assist system mapping across the organisation. Beyond ADM Obligation requirements, understanding data flows is also a key privacy risk mitigation mechanism, particularly where businesses are beginning to adopt AI systems for use in connection with Personal Information.
    • Talking with vendors
      Fragmented ownership presents a risk. In the context of large businesses and technology stacks, we recommend businesses review current computer programs externally procured and consider how they use Personal Information. The OAIC in the Issues Paper recommends entities monitor third-party ADM System use and assess how third parties use such systems to make decisions, as well as what types of decisions are being made. Businesses may be at risk of function creep in relation to legacy systems. We recommend businesses reassess the current status and functionality of third-party computer programs ahead of 10 December 2026.
    • Preparing updates to Privacy Policies
      Where businesses use ADM Systems, they will be required to update Privacy Policies with the information in APP 1.8 and in ways that comply with the overarching APP 1 objective, to support transparency and informed privacy decision-making. Additional obligations may also apply where a business is captured by the new Children's Online Privacy Code    (see paragraph 5.6). 
    • Establishing ongoing ADM System management and oversight
      Compliance with the ADM provisions will require ongoing management. Businesses should have ongoing management processes in place to cater for the adoption of new computer programs involved in handling Personal Information. This could include:
      1. regular Privacy Policy review;
      2. establishing change-management triggers such that updates or fundamental changes to ADM Systems trigger a review of privacy obligations; and
      3. ensuring appropriate responsibility across the organisation for maintaining the inventory alongside, or integrated with, existing IT and / or AI system registers. 

    If your business is interested in providing feedback in response to the Issues Paper, or requires support to prepare for the ADM Obligation coming into effect on 10 December 2026, contact our AI and privacy specialist team . 

    Contact

    Tags

    Artificial intelligence Homepage display Education Childcare Schools Energy and resources Government Health Health Hospitals and health services Board & governance Charities, NFPs & community service Risk & Regulatory Consulting Technology consulting Doing business in Australia Professional services
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiJkODU3ODVkNS01NGUzLTQwZTUtYmY5MC04ODYyOTZhYjk3ZmEiLCJyb2xlIjoiQXBpVXNlciIsIm5iZiI6MTc4MjI0MzU1MiwiZXhwIjoxNzgyMjQ0NzUyLCJpYXQiOjE3ODIyNDM1NTIsImlzcyI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL29haWMtc2Vla3MtZmVlZGJhY2stb24tYXV0b21hdGVkLWRlY2lzaW9uLW1ha2luZyIsImF1ZCI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL29haWMtc2Vla3MtZmVlZGJhY2stb24tYXV0b21hdGVkLWRlY2lzaW9uLW1ha2luZyJ9.jKJ2BAgkGl-4-Djn2dEreXYGkXU8spKXCpJdJKJluSw
    https://www.minterellison.com/articles/oaic-seeks-feedback-on-automated-decision-making

    Read next

    © 2026 MinterEllison