
New privacy rules: A Practical Guide to Implementing AI Governance across Automated Decision Systems

  • Writer: Bruce Mullan
  • May 19
  • 5 min read

Updated: 16 hours ago

Key points:


  • New privacy regulations come in force on December 10 2026 for any business that uses automated, or semi-automated, decision-making systems 

  • I have developed a useful 20-point action plan to guide you in implementing the minimum necessary governance changes 

  • Doing nothing may expose businesses to financial penalties, reputational damage and regulatory scrutiny


New Australian Privacy Principles (APPs) regulations come in force on December 10 2026 for any business that uses automated, or semi-automated, decision-making systems (ADS). 


An automated decision is any outcome where a computer system either:


  • makes a decision itself; or

  • performs a task “substantially and directly related” to making the decision; and

  • the decision “could reasonably be expected to significantly affect the rights or interests of an individual”.


The Office of the Australian Information Commissioner (OAIC) is targeting opaque algorithmic processing. The new rules will require transparency, auditing, explainability and human-review mechanisms in computer systems.


In the OAIC cross-hairs: Both Traditional Systems and AI Systems

Determining when an ADS system “significantly affects” rights or interests is context specific and may include these types of traditional or AI computer systems (and others): 


  • Employment application screening

  • Loan approvals for financing

  • Insurance underwriting for coverage

  • Student applications for course enrolment

  • Utility disconnections from a householder


What many people may not realise is that this legislative change is MUCH MORE than just updating a privacy policy. It encompasses a holistic, persistent and things-will-never-be-the-same kind of change in how IT systems are managed, how data is collected and how information is used to make decisions that affect people's lives.


An ADS To-Do List

This change requires careful consideration. I've put together a to-do list. This list is not exhaustive, just a starting point for your situation.


  • modifying IT systems and processes to implement transparency, explainability, auditing and human-in-the-loop mechanisms;

  • obtaining legal advice on the depth of disclosure required;

  • updating privacy-policy documents (maybe a re-write?);

  • implementing ongoing, recurring AI governance procedures;

  • maintaining documentation about an IT system or AI models;

  • staff education and training; and

  • possibly restricting data collection and/or use to remain compliant.


Doing nothing is not really an option

ASIC, APRA and many other government agencies are urging organisations to apply governance as part of the rapid adoption of AI systems. The Voluntary AI Safety Standards are not enough, and regulators are beginning to catch up.

You risk legal, financial and reputational exposure. The OAIC has opaque algorithmic processing on its radar, so enforcement is high on its agenda. Implement governance now to avoid (or minimise) the risk of being investigated, financial penalties or reputational harm.

Transparency, auditing, explainability and human-review mechanisms at the level required by the OAIC will be completely new to most organisations. 

The need for an AI governance framework

If you are not operating with an AI Governance Framework, this legislative change would be a good time to implement one. 


Australia's AI Governance Standard is a practical and implementable framework that would satisfy the new OAIC requirements and enable confident, progressive introduction of new AI systems in your company. I wrote about the new AI Standard earlier this year: here. Australia's AI Governance Standard offers a practical and best-practice approach for governing IT systems. The OAIC changes, at a minimum, would require adoption of these eight AI Governance Statements.


  1. Statement 1 Define an operating model (system ownership and accountability)

  2. Statement 3 People Capabilities (for staff training)

  3. Statement 4 Auditing (to track decisions)

  4. Statement 5 Explainability (to understand decisions)

  5. Statement 6 Managing Bias (to avoid discrimination)

  6. Statement 7 Version Control (to know which version made which decision)

  7. Statement 8 Watermarking (to ensure transparency)

  8. Statement 10 Human-in-the-loop (to apply a human-centred approach)

  9. Statement 36 Ongoing Monitoring (to keep everything on track as AI systems evolve)


I'll now go step-by-step through what's needed so you can develop your own ADS action plan.


Automated Decision-making Systems (ADS) Action Plan

1. Establish an ADS register 


  1. Identify all your existing and planned ADS, including any system that classifies or profiles people, or makes decisions, predictions or recommendations. 

  2. Create an inventory of all relevant systems, capturing their purpose, what data they are consuming, a summary of the decision logic and the accountable owner.

  3. Integrate your ADS register into your current privacy management process. Ideally, it should be reviewed at board level as part of standard operating protocols.

  4. This is a good time to re-consider what ADS data you are collecting, the purpose(s) for which it is collected, and whether it needs to be retained (and if so, for how long).


2. Conduct ADS Impact Assessments


  1. For each ADS, you must be able to determine whether its outputs significantly affect individuals or propagate potential bias and therefore trigger mandatory disclosures. Determine an impact rating and record it in the ADS Register.

  2. Identify and document risk management controls for each ADS in the ADS Register.


3. Update your privacy policy and disclosures for ADS


  1. Use the content in the ADS Register to guide privacy policy disclosures and ensure any technical language is translated into plain language. 

  2. For each ADS you will need to disclose the kinds of personal information used (e.g. demographic data, transaction data, a person's location, behavioural data, etc.).

  3. For each ADS you will need to disclose which decisions are made by a computer.

  4. You must develop processes for individuals to seek clarification of, or contest, an automated decision.


4. Existing ADS


  1. Ensure decisions are auditable, explainable, transparent and there are timely incident notification processes in place.

  2. Ensure you can reproduce its outputs, access all decision records, and enable explanation of decisions.

  3. Ensure you can track data used in a decision even if it's sourced from multiple systems or from a consumer's input.


5. Train staff


  1. Provide training on the new privacy obligations, the definition of “significant effect”, and the importance of maintaining accurate consumer disclosures.

  2. Provide training and establish human-computer interaction procedures for decision auditing and explainability as well as decision reviews and contested decisions initiated by the consumer.


6. Ongoing monitoring


  1. Develop ongoing monitoring systems and processes to track ADS changes, data source changes, and changes to an ADS' purpose.

  2. Develop ongoing monitoring processes to track new ADS implementations, ADS changes or data source changes.

  3. Ensure model evolutions will trigger alerts when operating outside boundaries or tolerance criteria, and relevant policy disclosures can be updated in a timely way.
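
The auditing, reproducibility and alerting requirements in steps 4 and 6 above can be made concrete in a small piece of code. The Python below is an added example, not code from the original post or from any standard it cites: it keeps a hash-chained decision log (so a record cannot be altered after the fact without detection), records which model version and which source systems contributed to each decision, produces a plain-language explanation on request, and raises an alert when one model version's outcome rate drifts outside a tolerance band. The ADS name, field names, tolerance band and the sample loan decisions are all constructed assumptions for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import Dict, List


@dataclass(frozen=True)
class DecisionRecord:
    decision_id: str
    ads_name: str                 # name as listed in the ADS register (assumed field)
    model_version: str            # which version made the decision
    inputs: Dict[str, Dict]       # field -> {"value": ..., "source": originating system}
    outcome: str                  # e.g. "approved" / "declined"
    reasons: List[str]            # plain-language factors behind the outcome
    human_reviewed: bool          # whether a person reviewed it before release
    prev_hash: str = ""           # hash of the preceding record in the log
    record_hash: str = ""         # hash of this record taken with this field blank


def _digest(record: DecisionRecord) -> str:
    """Hash the record with record_hash blanked; canonical JSON keeps it stable."""
    body = asdict(replace(record, record_hash=""))
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DecisionLog:
    """Append-only log in which every record commits to the previous one."""

    def __init__(self) -> None:
        self.records: List[DecisionRecord] = []

    def append(self, rec: DecisionRecord) -> DecisionRecord:
        prev = self.records[-1].record_hash if self.records else "genesis"
        linked = replace(rec, prev_hash=prev)
        linked = replace(linked, record_hash=_digest(linked))
        self.records.append(linked)
        return linked

    def verify(self) -> bool:
        """False if any record was edited, removed or reordered after logging."""
        prev = "genesis"
        for rec in self.records:
            if rec.prev_hash != prev or _digest(rec) != rec.record_hash:
                return False
            prev = rec.record_hash
        return True

    def explain(self, decision_id: str) -> dict:
        """What a reviewer or the affected person needs when a decision is queried."""
        rec = next(r for r in self.records if r.decision_id == decision_id)
        return {
            "outcome": rec.outcome,
            "model_version": rec.model_version,
            "reasons": rec.reasons,
            "data_sources": sorted({v["source"] for v in rec.inputs.values()}),
            "human_reviewed": rec.human_reviewed,
        }

    def monitor(self, ads_name: str, outcome: str, lower: float, upper: float) -> List[str]:
        """Share of `outcome` per model version; alert when outside [lower, upper]."""
        tallies: Dict[str, List[int]] = {}
        for rec in self.records:
            if rec.ads_name == ads_name:
                t = tallies.setdefault(rec.model_version, [0, 0])
                t[0] += 1
                t[1] += rec.outcome == outcome
        return [
            f"{ads_name} {ver}: {outcome} rate {hits / total:.2f} outside [{lower}, {upper}]"
            for ver, (total, hits) in tallies.items()
            if not lower <= hits / total <= upper
        ]


def build_sample_log() -> DecisionLog:
    """Constructed sample data: six loan decisions across two model versions."""
    log = DecisionLog()
    sample = [  # (id, version, income, credit score, outcome, reasons)
        ("D-0001", "v1.2", 52000, 640, "approved", ["income above threshold"]),
        ("D-0002", "v1.2", 31000, 590, "declined", ["credit score below 600"]),
        ("D-0003", "v1.2", 78000, 710, "approved", ["income above threshold"]),
        ("D-0004", "v1.3", 52000, 640, "declined", ["credit score below 650"]),
        ("D-0005", "v1.3", 78000, 710, "declined", ["debt-to-income ratio too high"]),
        ("D-0006", "v1.3", 95000, 760, "declined", ["debt-to-income ratio too high"]),
    ]
    for did, ver, income, score, outcome, reasons in sample:
        log.append(DecisionRecord(
            decision_id=did, ads_name="loan_approval", model_version=ver,
            inputs={"income": {"value": income, "source": "payroll_api"},
                    "credit_score": {"value": score, "source": "credit_bureau"}},
            outcome=outcome, reasons=reasons, human_reviewed=False))
    return log


def tampering_is_detected(log: DecisionLog) -> bool:
    """Simulate an after-the-fact edit of a logged outcome and check the chain."""
    log.records[1] = replace(log.records[1], outcome="approved")
    return not log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print(log.explain("D-0004"))
    for alert in log.monitor("loan_approval", "approved", 0.3, 0.8):
        print("ALERT:", alert)
    print("tamper detected:", tampering_is_detected(log))
```

Running it shows the v1.3 model approving nothing, which trips the assumed 30-80% tolerance band and is exactly the kind of drift that should trigger a review and, if warranted, an updated disclosure. The hash chain only detects edits made by someone who cannot rewrite the whole log, so in practice the latest record hash should also be copied periodically to storage the ADS operators cannot modify (write-once media, a signed timestamp, or a separate system of record).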


7. Future ADS


  1. Update your RFx templates to ensure software vendors supply timely, accurate information about ADS logic, decision data used and periodic software changes.

  2. Negotiate clauses mandating auditability, explainability, transparency, data usage and timely notification for any changes.


So there you have it, a 20-point action plan, and you're ready to get started.


You've got about 6 months before the new privacy regulations come in force on December 10 2026. AI Governance is a hot topic and no-one wants to be first in an OAIC investigation. 

The changes are significant. Businesses will need to uplift their governance capability to implement transparency, auditing, explainability and human-in-the-loop review mechanisms.

Doing nothing may expose you to financial penalties, reputational damage and/or regulatory scrutiny.


Start now.


Stay safe, Bruce


ABOUT ME

I believe the AI era will be an exciting, once-in-a-generation transformative opportunity. What role will AI governance play? Far more than just compliance, it helps organisations confidently adopt AI and turns governance into an operational capability. I partner with businesses to implement Australia's AI Governance Standard, enabling confident AI adoption while reducing the risk of high-profile failures.

I write all my own content, you can tell by the odd typo and occasional missing word. I use AI for my research.


To learn about my upcoming public AI Governance workshops visit: Public workshops

To learn more about AI Governance, check out my Hitchhikers Guide to AI Governance Podcast.



Bruce Mullan hosts Hitchhikers Guide to AI Governance podcast

