The Privacy Act 1988 is the cornerstone of data protection in Australia, and its upcoming amendments will reshape how businesses can use artificial intelligence. This hub brings together everything you need to understand your obligations, prepare for the 2026 changes, and build compliant AI practices.
The Privacy Act 1988 regulates how Australian Government agencies and private sector organisations handle personal information. It establishes 13 Australian Privacy Principles (APPs) that govern the collection, use, disclosure, and storage of personal data. The Office of the Australian Information Commissioner (OAIC) is the primary regulator.
AI systems interact with the Privacy Act at multiple points. When an AI tool processes customer data, scores a loan application, filters job candidates, or personalises marketing, it is handling personal information in ways the Act was designed to regulate. The challenge is that the original legislation was written before AI became a mainstream business tool.
That is why the government is amending the Act. The Attorney-General's Privacy Act Review identified 116 proposals for reform, and the amendments working through Parliament include specific obligations around automated decision-making. For businesses using AI, these changes create new compliance requirements that must be met by December 2026.
The Privacy Act, together with its upcoming amendments, creates six core obligations for organisations that use AI to process personal information or make decisions about individuals.
Under the amended Privacy Act, organisations must disclose when AI is used to make or substantially assist in making decisions about individuals. This applies to customers, employees, job applicants, and any member of the public affected by your AI systems. Disclosure must be clear and accessible, not hidden in fine print.
When AI makes a decision that significantly affects someone, you must be able to explain how that decision was reached. This includes the logic behind the AI system, the data inputs used, and the factors that influenced the outcome. The OAIC has indicated that organisations should be able to provide this information in plain language.
Individuals will have the right to request human review of significant automated decisions. Your organisation must maintain the capacity for a qualified person to review and, where warranted, override decisions made by AI systems.
The Privacy Act already requires organisations to only collect personal information that is reasonably necessary. With AI, this principle becomes more important. AI systems that hoover up data beyond what is needed for their stated purpose will attract regulatory scrutiny.
Personal information collected for one purpose cannot be repurposed for AI training or processing without consent. If you collected customer emails for order confirmations, you cannot feed them into an AI system for marketing analysis without explicit agreement.
AI systems that process personal information must meet the same security standards as any other data processing system. This includes encryption, access controls, audit logging, and compliance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.
The Privacy Act is undergoing its most significant reform in decades. Here is a timeline of the key milestones that affect AI use in Australian businesses.
Privacy Act 1988 enacted. Establishes Australian Privacy Principles (APPs) governing how personal information is collected, used, disclosed, and stored.
Notifiable Data Breaches scheme commences under Part IIIC. Organisations must report eligible data breaches to the OAIC and affected individuals.
Attorney-General's Department releases Privacy Act Review Report with 116 proposals for reform, including provisions addressing automated decision-making.
Government responds to the Privacy Act Review and commits to introducing automated decision-making transparency obligations. OAIC releases guidance on AI and privacy.
Privacy Act Amendment Bill introduced to Parliament. Guardrails for AI in Australia (GfAA) framework published for consultation.
Automated decision-making transparency obligations take effect (December 2026 compliance deadline). Small business exemption under review.
1. Audit your AI footprint. Start by mapping every AI tool and feature your business uses. Include embedded AI in platforms like Xero, HubSpot, Microsoft 365 Copilot, and Salesforce. You cannot govern what you have not identified.
2. Classify by risk. Not all AI use carries the same privacy risk. An AI tool generating social media captions is lower risk than one scoring credit applications. Focus your compliance efforts on AI systems that process personal information or make decisions about people.
3. Update your privacy notices. Your privacy policy must disclose how you use AI to process personal information. Most existing privacy policies were written before AI became a standard business tool. They need updating.
4. Implement an AI usage policy. Create clear internal guidelines for how your team uses AI tools. Cover approved tools, data classification, prohibited uses, and incident reporting. Our AI usage policy template provides a practical framework.
5. Build human review capacity. For every AI system making consequential decisions about individuals, maintain a clear pathway for human review and override. This is becoming a legal requirement under the Privacy Act amendments.
6. Document everything. Regulators expect documentation. Record what AI systems you use, what data they process, how decisions are made, and what safeguards are in place. Our AI compliance checklist walks you through this step by step.
Our AI governance service helps Australian businesses build compliant, practical frameworks for AI use. We cover privacy impact assessments, policy development, staff training, and ongoing compliance support.
We have published a series of detailed guides covering specific aspects of AI compliance and the Privacy Act. Each resource addresses a different angle to help you build a complete compliance picture.