When the Algorithm Has to Answer
From 10 December 2026, Australian organisations covered by the Privacy Act must disclose their use of automated decision-making in their privacy policies. Under new transparency obligations introduced by the Privacy and Other Legislation Amendment Act 2024, if a computer program makes, or substantially assists in making, decisions that could significantly affect a person's rights or interests, the privacy policy must say so: the kinds of personal information used, and the kinds of decisions made.
It sounds like a paperwork change. It isn't. To write that disclosure accurately, an organisation first has to know every place an algorithm is making or shaping decisions about people. For most businesses, that map doesn't exist yet. Building it is the real work, and the deadline for having done it is now less than six months away.
Article Tags
Open Industry:Technology
What changes on 10 December 2026?
A new Australian Privacy Principle APP 1 (privacy policy transparency) takes effect. It applies where three things are true: a computer program makes a decision, or does something substantially and directly related to making it; the decision could reasonably be expected to significantly affect an individual's rights or interests; and personal information is used in the process.
Where that test is met, the privacy policy must disclose the kinds of personal information used in those programs and the kinds of decisions they make. The obligation is disclosure, not prohibition. Nothing stops a business using automation. What must stop is using it quietly.
Two details matter for planning. The obligation covers decisions made on or after 10 December 2026, regardless of when the system was built or bought. And “decision” is broad: it includes a failure to decide, and effects that are beneficial as well as adverse.
Who is caught by the obligation?
Every APP entity. That means most Australian organisations with annual turnover above $3 million, plus others regulated regardless of size, such as health service providers and credit reporting bodies, and foreign companies doing business in Australia. This is not an insurer rule or a big-tech rule. If your business uses algorithms, scoring, or AI to make or materially shape decisions about people (credit and fraud checks, automated onboarding, pricing, claims triage, hiring screens, service eligibility), you are likely in scope.
Why is this a board issue rather than a privacy memo?
Three reasons. First, enforcement is ready. The OAIC's powers to issue infringement and compliance notices took effect in December 2024, and a non-compliant privacy policy sits within the Privacy Act's tiered civil penalty regime, which for serious or repeated interference reaches up to $50 million, three times the benefit obtained, or 30% of turnover.
Second, the Disclosure needs to accurately reflect how the organisations systems operate . A privacy policy that misdescribes how decisions are made is itself a problem; the ACCC has already pursued non-transparent automated decision-making as potentially misleading conduct. Boilerplate wording is unlikely to satisfy a requirement that turns on what your systems actually do.
Third, the mapping exercise it forces (which systems decide, using what data, affecting whom) is the same visibility boards need for AI governance generally. Regulators including ASIC have flagged variable maturity in how businesses govern AI. This obligation effectively sets a date by which that visibility has to exist.
Where does insurance come into it?
Quietly, but materially. Once automated decisions are disclosed, they are also discoverable: by regulators, by claimants, and by the counterparties your systems affect. That sharpens a question we posed in our piece on AI accountability: if an automated decision causes loss, or draws regulator-led action, how would your current cover respond?
The answer depends on the wording of your specific policies, and this is general information rather than a view on any policy. Many existing management liability, cyber and professional indemnity policies were developed before algorithmic decision-making was an operational reality. Whether they respond to ADM-related investigations, claims or penalties is determined by their wording, and in some cases penalties may not be insurable at law. The exposure to test is not whether cover exists, but whether it has been confirmed against how your business actually automates decisions.
The forerunner's move
Some organisations will treat 10 December 2026 as a privacy-policy edit and start late. Forward-thinking businesses are treating it as a free forcing function: map the automated decisions now, mend the governance gaps the map reveals, align the disclosure, and then look over the insurance program against what the map shows.
Done in that order, a compliance deadline becomes an audit of how your business actually makes decisions. That knowledge compounds: it feeds AI governance, procurement, board reporting and risk transfer. The disclosure is the by-product. The visibility is the asset.
The Knightcorp point of view
Transparency obligations reward organisations that already understand how they make decisions. The businesses best positioned for December 2026 are not those with the most careful lawyers; but those that can say, quickly and accurately, what their systems decide, and what would happen if one of those decisions went wrong.
At Knightcorp, we focus on that second question. We help leadership teams test how their insurance program would respond to the risks their automated decisions create, while the deadline is still an opportunity. We turn assumption into evidence, and exposure into a plan. That clarity, ahead of the market, is the advantage.
Frequently Asked Questions
- What is the automated decision-making transparency obligation?
It is a new requirement under the Privacy Act, introduced by the Privacy and Other Legislation Amendment Act 2024, taking effect on 10 December 2026. Organisations covered by the Act (APP entities) that use computer programs to make, or substantially assist in making, decisions that could significantly affect a person's rights or interests, using personal information, must disclose this in their privacy policy.
- When does the ADM transparency obligation take effect?
10 December 2026. It applies to decisions made on or after that date, regardless of when the underlying system was deployed, so preparation needs to happen before the deadline, not after it.
- Which businesses must comply?
All APP entities. That covers most Australian organisations with annual turnover above $3 million, certain organisations regulated regardless of size (such as health service providers and credit reporting bodies), and foreign companies carrying on business in Australia. It is not limited to any one industry.
- What must a privacy policy disclose?
Two things: the kinds of personal information used in the operation of the relevant computer programs, and the kinds of decisions made (or substantially assisted) by them. The obligation is to disclose the categories accurately, not to explain each individual decision. Generic boilerplate that doesn't accurately reflect an organisations systems may not satisfy the transparency requirements.
- What counts as an automated decision?
The definition is broad. It covers a computer program making a decision or doing something substantially and directly related to making one, where the decision could reasonably be expected to significantly affect an individual's rights or interests. It includes a failure to decide, and effects that are beneficial as well as adverse. Examples given in the legislation include decisions about granting benefits, rights under a contract, and access to significant services.
- What are the penalties for non-compliance?
A non-compliant privacy policy can attract OAIC infringement notices and compliance notices and sits within the Privacy Act's civil penalty regime. For serious or repeated interference with privacy, maximum penalties may reach up to $50 million, three times the benefit obtained, or 30% of adjusted turnover. The OAIC is also developing detailed guidance on the obligation, expected during 2026.
- Does insurance cover losses or penalties connected to automated decisions?
It depends entirely on the wording of your specific policies, and this is general information rather than a view on any individual policy. Many existing management liability, cyber and professional indemnity policies were developed before algorithmic decision-making became operational, and whether they respond to ADM-related investigations or claims will depend on the specific policy wording; some penalties may not be insurable at law. The prudent approach is to review your program against how your business actually uses automated decisions rather than assume. Knightcorp helps leadership teams work through exactly that review.
8. What should boards do before December 2026?
Map where the organisation uses automated or AI-assisted decision-making and what personal information those systems use; verify what the systems actually do (vendor assurances alone are unlikely to be enough); update the privacy policy so the disclosure is accurate; and test governance and risk transfer against the map, including how the insurance program would respond. Organisations should seek their own legal advice on how the obligation applies to them.
References
OAIC, “Consultation on Guidance for Transparency in Automated Decision Making”, https://www.oaic.gov.au/engage-with-us/consultations/consultation-on-guidance-for-transparency-in-automated-decision-making, accessed 7 July 2026.
Norton Rose Fulbright, “OAIC consults on the new automated decision-making transparency obligation”, https://www.nortonrosefulbright.com/en/knowledge/publications/a2769c39/oaic-consults-on-the-new-automated-decision-making-transparency-obligation, accessed 7 July 2026.
claudiaelwaw. (2026, January 22). Automated Decision-Making: Current privacy obligations and what’s in the pipeline for 2026 - Macpherson Kelley. Macpherson Kelley. https://mk.com.au/automated-decision-making-current-privacy-obligations-and-whats-in-the-pipeline-for-2026/
ASIC, “REP 798 Beware the gap: Governance arrangements in the face of AI innovation”, https://www.asic.gov.au/regulatory-resources/find-a-document/reports/rep-798-beware-the-gap-governance-arrangements-in-the-face-of-ai-innovation/, accessed 7 July 2026.
MinterEllison, “Preparing for the new ADM Obligation: OAIC consultation”, https://www.minterellison.com/articles/oaic-seeks-feedback-on-automated-decision-making, accessed 7 July 2026.
Johnson Winter Slattery, “OAIC consultation to develop guidance for automated decision making transparency requirements”, https://jws.com.au/what-we-think/oaic-consultation-to-develop-guidance-for-automated-decision-making-transparency-requirements/, accessed 7 July 2026.
Disclaimer: This article contains general information only and has been prepared without taking into account your objectives, financial situation or needs. Any third-party references or links are provided for information only. Knightcorp is not responsible for the content or accuracy of third-party material.


