By December, Australian organisations have to disclose every place a computer makes decisions about people
From 10 December 2026 a new part of the Privacy Act takes effect. Every APP entity has to update its privacy policy to explain where it uses computers to make decisions about people. A plain-English guide to who is covered, what is in scope, and the mapping work to do now.

By December, Australian organisations have to disclose every place a computer makes decisions about people.
On 10 December 2026, a new part of the Australian Privacy Act takes effect. From that day, every organisation covered by the Australian Privacy Principles has to update its privacy policy to explain where it uses computers to make decisions about people.
Who is covered
APP entities are the organisations covered by the Australian Privacy Principles. In practice that means every Commonwealth agency and every private business with annual turnover above AUD $3 million. If your organisation falls into either category, this obligation is yours.
What is in scope
The obligation applies to every automated tool already in use, including the ones built before the law was written. A short list of the kinds of tools that are in scope:
- A rostering tool built last winter is in scope.
- A charter enquiry triage built in Lovable over a weekend is in scope.
- An HR shortlisting model running quietly in the background is in scope.
- A chatbot answering guest queries without a person reviewing the reply is in scope.
The common thread is not the tool's age, sophistication, or who built it. It is whether a computer is shaping a decision about a person, and whether personal information is involved.
The work to be ready
The work to be ready is a mapping exercise, not a technology project. It runs in a clear order:
- Identify the tools in use. Including the quiet ones. The AI features inside Microsoft 365 and Google Workspace. The bespoke things built in a no-code tool over a weekend. The script a team member wrote last year that everyone forgot about.
- Note which ones touch personal information. Customer names, staff records, guest data, applicant data, any identifiable detail about a person.
- Note which ones shape decisions. Sorting, ranking, filtering, recommending, approving, rejecting, drafting a response that goes out without a person reading it.
- Write the privacy policy from that picture, rather than from a guess. The disclosure has to reflect what is actually happening, not what you hope is happening.
Most organisations underestimate step one. The mapping itself is the project. Once the map exists, the privacy policy writes itself.
A sensible first move
There are seven months between now and 10 December 2026. That is enough time to do the mapping properly, write the disclosure honestly, and tidy up the tools that should not have been quietly making decisions in the first place. It is not enough time to leave the work until November.
We can help your organisation map and draft if you need it. Our Blueprint is the right shape for this work, and it includes the AI policy and governance framework that goes with it. The "Find your AI quick wins" email is the right place to start. Tell us what you know about the tools already in use and we will reply with the shape of the mapping engagement that fits.
Written for Australian APP entities preparing for the 10 December 2026 commencement of the new automated decision-making transparency obligations in the Privacy Act. General information only, not legal advice.
