Skip to main content

What You Must Do Before 10 December 2026

APP 1.7–1.9 creates new transparency obligations for automated decision making. This page outlines who is captured, what entities must have in place, and a practical compliance roadmap.

10 Dec 2026
Commencement
All APP Entities
In scope

Scope: Who and What is Captured

APP 1.7–1.9 captures any APP entity that has arranged for a computer program to make, or do a thing substantially and directly related to making, a decision that could reasonably be expected to significantly affect a person's rights or interests.

Read with the OAIC Issues Paper (18 May 2026), this includes:

Spreadsheet-based scoring tools where the score materially shapes a human decision
Generative-AI chatbots used for eligibility recommendations or service routing
Differential pricing and ranking algorithms
Automated resume filters and similar opportunity-allocation tools

Key threshold: The test is not "sophisticated ML pipeline." It is substantial and direct relationship to a decision that significantly affects rights or interests.

What Entities Must Have in Place

1. ADM Use-Case Register

An ADM use-case register that identifies each computer program meeting the APP 1.7 threshold, including:

  • The decision class affected
  • Personal-information categories used
  • The human review point
  • The contestability pathway

2. Privacy Policy Update

A privacy-policy update that goes beyond the bare-minimum "we may use AI" formulation. Meaningful disclosure should include:

  • The kinds of decisions involved
  • The kinds of personal information used
  • The role of any human review
  • How individuals can seek review

3. Impact Assessment Process

An impact-assessment process proportionate to the decision class, drawing on the Guidance for AI Adoption six essential practices (available at ai.gov.au) and, where applicable, the ICO / Alan Turing Institute "Explaining Decisions Made with AI" guidance.

4. For Agentic Deployments

These align with the Five Eyes / ASD-ACSC joint guidance of 1 May 2026:

  • Identity management for AI agents (distinct, revocable, attributable credentials)
  • Least-privilege configuration
  • Isolation boundaries to limit "blast radius"
  • Interruption/kill-switch capability
  • An action log

WA-Specific Obligations

Effective 1 July 2026

WA public-sector entities must additionally provide active ADM notification, impact assessment, and human-intervention pathways under IPP 10 of the PRIS Act 2024.

Commonwealth-Specific Obligations

Multiple deadlines

  • Appointment of a Chief AI Officer at SES Band 1+ by 31 July 2026
  • Legacy AI use-case assessment by 30 April 2027

Penalties and Exposure

Australian Privacy Act

Serious or repeated interferences with privacy attract civil penalties of:

$50MUp to AUD $50 million

OR

Three times the benefit obtained

OR

30%30% of adjusted turnover

(whichever is greater)

EU AI Act

Under the EU AI Act, prohibited-practice penalties reach up to:

€35MUp to €35 million

OR

7%7% of worldwide annual turnover

Australian organisations with EU-resident users or in-EU deployment should treat the EU regime as in scope.

International Deadlines Affecting Australian Entities

DateObligationStatus
2 August 2026EU AI Act transparency obligations applyConfirmed

Practical Compliance Roadmap (Now to 10 December 2026)

1

Now → End June 2026

Foundation Phase

  • Stand up an ADM Use-Case Register. Inventory every computer program (including spreadsheets, GenAI assistants, and third-party SaaS) that contributes to decisions affecting customers, employees, students, patients, or service recipients.
  • Submit your organisation's response to the OAIC ADM Transparency consultation (closes 15 June 2026).
  • Map each registered use case against the six essential practices in the Guidance for AI Adoption.
  • WA public-sector: stand up the IPP 10 notification and intervention pathway in advance of 1 July 2026.
2

July → September 2026

Assessment & Documentation Phase

  • Conduct algorithmic impact assessments for high-impact use cases, drawing on ICO/Alan Turing Institute and OAIC guidance.
  • Update your privacy policy to include APP 1.8 disclosures with sufficient granularity to be meaningful (not boilerplate).
  • Commonwealth: appoint and announce your Chief AI Officer by 31 July 2026.
  • For any agentic deployments, implement non-human identity governance, least-privilege controls, isolation boundaries, action logs, and interruption capability per ASD/ACSC May 2026 guidance.
3

October → 10 December 2026

Verification & Assurance Phase

  • Conduct an end-to-end transparency audit: privacy policy, contextual notices at the point of decision, individual explanations on request, and contestability pathway.
  • Run a tabletop exercise simulating an OAIC information request and an individual complaint.
  • Brief the board, the executive, and (where applicable) the audit/risk committee on residual exposure.
4

Post-10 December 2026

Ongoing Maintenance

  • Maintain the ADM register as a living document.
  • Track Commonwealth legacy-AI assessments to the 30 April 2027 backstop.

Core Compliance Frameworks

National Mandates

National Framework for the Assurance of AI in Government (June 2024) and Policy for the responsible use of AI in government (effective 15 December 2025)

  • Five Assurance Cornerstones: Governance, data governance, risk-based approach, standards, and procurement form the common assurance spine across all Australian governments.
  • Phased Implementation: Policy effective 15 Dec 2025; first new mandatory requirement begins 15 Jun 2026; remaining requirements commence Dec 2026.
  • Mandatory Controls: AI strategy, oversight, preparedness, operations, impact assessment, and automated decision-making governance.

NSW AI Assessment Framework (Benchmark)

Leading Practice Jurisdiction

Streamlined compliance with NSW AIAF (mandatory under Circular DCS-2024-04, modernised January 2026)

  • Auto-Scored AIAF: 16-question assessment with risk-based outcomes, mitigation measures, and delegate sign-off.
  • AIRC Escalation: Higher-risk outcomes routed to NSW AI Review Committee via designated independent chair.
  • Investment Thresholds: Digital Assurance Framework pathways for projects exceeding $5 million.

Pan-Australian Readiness

The platform supports the exact requirements of every Australian jurisdiction

Active Consultation

OAIC Consultation: Transparency in Automated Decision Making

The Office of the Australian Information Commissioner (OAIC) is consulting on guidance for the new automated decision making (ADM) transparency obligation, effective from 10 December 2026.

Key Information

Obligation Commencement
10 December 2026
Consultation Closes
Monday 15 June 2026
Who Must Comply
APP entities using personal information in automated decision making with the potential to affect rights or interests
Requirement
Privacy policies must include information about the kinds of personal information used and the kinds of decisions made using ADM

Why This Matters for the Sprint

The ADM transparency obligation is a key compliance milestone covered in the Responsible AI Governance Sprint. Participants will develop practical governance artefacts aligned with these requirements, ensuring organisations are prepared before the December 2026 commencement date.

Learn how the Sprint prepares you for ADM compliance

Related Resources

View All in AI Hub

Governance Guide

Detailed state-by-state AI governance frameworks and requirements.

Glossary

AI governance terminology explained for Australian professionals.

FAQ

Common questions about the AI Governance Sprint programme.

Master Australian AI Compliance

Apply to join the Responsible AI Governance Sprint™ and gain expert guidance on meeting regulatory requirements across all Australian jurisdictions. Access compliance frameworks, templates, and hands-on support.

Apply to Participate

Rolling admissions until places are filled