When AI makes a decision about your customer, you may now have to say so
1 Jul 2026
From 10 December 2026, if your business uses a computer program (and that includes AI models) to make or substantially influence a decision about a customer, an applicant, or an employee, you may be legally required to disclose it. Most Australian organisations haven’t started preparing.
This post is adapted from Episode 7 of Nap Stack, Monica’s podcast on AI, data, and building a business.
For this episode of Nap Stack we brought in Nhung Seidensticker, Principal Consultant at EdgeRed specialising in data and AI governance. Nhung works with organisations across financial services, healthcare, and the public sector – the exact industries where automated decisions already shape real outcomes for real people.
What’s actually changing
The Privacy Act was amended in late 2024, and three new provisions – APP 1.7, 1.8, and 1.9 – commence on 10 December 2026. The core obligation is transparency: if your organisation arranges for a computer program to make, or substantially support, a decision that could significantly affect someone’s rights or interests, you have to say so in your privacy policy.
“Significantly affect” covers more ground than it sounds like. The legislation points to examples like insurance decisions, healthcare access, and employment outcomes. If a model scores or ranks something and that score shapes what happens to the person on the other end, you’re likely in scope, even with a human still involved somewhere in the process.
And the obligation sits with you, not your vendor. Running a third-party AI tool that makes decisions about your customers doesn’t transfer the disclosure requirement to the company that built it. You’re the APP entity. You’re the one on the hook.
“Human in the loop” isn’t the safe harbour people think it is
This is the line from Nhung that’s worth sitting with: a human clicking approve doesn’t sanitise an automated decision.
The law captures decisions made by a computer program, but it also captures anything “substantially and directly related” to making one. A model scores a loan application, a human approves whatever the model recommends – that’s in scope. The honest internal test is whether the outcome would have changed if the model had scored the person differently. If yes, the model is doing the deciding, regardless of who clicked the button last.
For APRA-regulated entities, there’s an extra layer. Under CPS 230, which took effect in July 2025, if your AI tool counts as a material service provider – meaning its failure could affect critical operations – you’re carrying board-level governance and contractual obligations on top of the privacy policy disclosure.
This is a mapping project, not a policy edit
Updating the privacy policy is the floor, not the ceiling, and you can’t get to the floor without doing the harder work underneath it first.
Most organisations haven’t formally classified their AI-influenced processes as decision systems. They were scoped as analytics tools, dashboards, or workflow automation when they were built. The real question now is whether they’re quietly shaping decisions about individuals – and a lot of teams genuinely don’t know the answer yet.
The OAIC’s bar for an adequate disclosure is higher than most current privacy policies clear: it needs to give someone enough to ask about the input, the decision-making process, and the output, and to seek recourse if something went wrong. That means three jobs, not one – mapping the systems, working out which ones are in scope, and rewriting disclosures so an actual person could use them. And once that’s written into your privacy policy, you’re implicitly committing to being able to explain and defend those decisions if challenged. That’s a governance obligation, not just a legal one.
What to do this week
Ask your team one question: where in our business does a computer program touch a decision about a person, before it reaches a human?
You don’t need a governance program to start. You need a list. Once you’ve got it, you can work out which items are in scope, prioritise the ones with the highest impact on individuals, and start the policy work from there.
The OAIC has flagged it will publish detailed guidance on these obligations before the December 2026 commencement date. That leaves a window right now to get ahead of it, before the guidance lands and enforcement appetite sharpens.
About Nap Stack
Nap Stack is an Australian business podcast hosted by Monica Ly, co-founder of EdgeRed — an Australian data & AI consultancy (part of The Omnia Collective). Each episode is five minutes on AI adoption, data strategy, and the decisions senior leaders are actually making right now. It’s practical, no-hype, and built for executives and business owners — not technologists. New episodes drop weekly. Find Nap Stack on Spotify.