Helios Salinger


How to get ahead of the new ADM rules before they rule you

July 1, 2025, Emily McGufficke and Alex Kotova

Are you across the new Automated Decision-Making transparency requirements? Getting ready to comply with the changes will take time, so organisations should start now.

Many of the first tranche privacy reforms passed in December 2024 require organisations to tighten up their practices. In particular, the new rules regarding transparency and Automated Decision-Making (ADM) systems require organisations to take active steps to ensure compliance – and a failure to use the time now to adequately prepare could leave organisations at risk of non-compliance and regulatory action.

Why? The new ADM transparency rules introduced as part of the tranche one reforms will commence on 10 December 2026, which means that organisations will have had two years to get ready to comply since they were introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth) (POLA Act). Also, because Privacy Policies are publicly facing documents, they are easy for the Office of the Australian Information Commissioner (OAIC) to proactively check for compliance with the new requirements, without your knowledge or involvement. Given this lengthy runway and the ease with which the OAIC can review Privacy Policies, organisations should expect that non-compliance could soon attract enforcement action under the OAIC’s new infringement notice regime.

Indeed, at the fireside chat with our Partner Anna Johnston held to mark the start of Privacy Awareness Week this year, Australian Privacy Commissioner Carly Kind revealed that her Office is gearing up for a ‘compliance scan’ of privacy policies.

While two years sounds like a long time to prepare for the ADM transparency changes, organisations that do not yet have a good handle on which of their systems and decision-making processes are in scope for the new requirements will need to use the time they have wisely.

What are the new ADM transparency rules?

If your organisation uses automated decision-making in specific ways, you will need to update your Privacy Policy before December 2026. The new ADM rules will apply if:

  • your organisation uses computer programs to “make, or do a thing that is substantially and directly related to making, a decision”
  • where that decision could reasonably be expected to “significantly affect the rights or interests of an individual”, and
  • “personal information about the individual is used in the operation of the computer program to make the decision or do the thing”.

The new Privacy Policy content must explain:

  • what personal information is used by the automated decision-making system
  • the types of decisions made
  • whether the decisions are made ‘solely’ by the computer program.

A failure to do so will result in non-compliance with APP 1.

‘Making a decision’ includes refusing or failing to make a decision, and the new rules apply regardless of whether the decision is beneficial or adverse to the individual.

What types of computer programs are ADM systems?

Only computer programs that make decisions – or substantially assist in making decisions – need to be considered in relation to the new rules. So look for systems that make decisions without any human involvement, or that support humans who are making decisions.

It’s important to note that while many ADM systems will involve AI technologies, not all will. A classic example of an ADM system that didn’t use AI technology was the rules-based algorithm used in the Robodebt scheme to calculate overpayments. This means that, in certain contexts, even uses of simple programs like spreadsheets could constitute an ‘ADM system’.

In addition to AI, be on the lookout for systems that use:

  • algorithms and / or rules-based logic
  • predictive analytics
  • machine learning, or
  • deep / neural learning or processing.

What is a decision?

Outputs generated from ADM systems that could be “decisions” – or be used to assist a human when making a decision – might include:

  • Scoring, profiling or classification of individuals, for example, determining an individual’s ‘life stage’, credit score, or risk in respect of certain attributes (such as fraud, or vulnerability).
  • ‘Personalised’ content in relation to a specific user, including a decision to suppress certain content from the user’s visibility, for example, a system determining the types of ads an individual sees, or what product offerings or pricing they are presented with.
  • Predictions, such as predicting how likely an individual is to engage with a particular offer, or behave in a certain way.
  • Deliberations, such as analysis, evaluation or weighing up of possible options with reasons.
  • Recommendations, for example, recommending a course of medical treatment for the individual, or flagging that a particular customer interaction should be subject to quality assurance checks.
  • Determining a particular action or course of action, for example alerting a fraud officer that a particular individual should be investigated.
  • Generating results from a ‘self-assessment’ process where an individual enters data, for example what government benefits they may be eligible to apply for.
  • Extracting data from records or other types of content that are reviewed and used by a human to make a decision, for example, an automatically-created summary of the contents of a customer file to support decisions about their insurance premiums.
  • Making an outright decision, for example, approving or declining a customer’s application for a banking product.

Assisted decision-making in scope

The new rules apply both to systems that make decisions solely, and to systems that assist humans to make decisions.

A decision made ‘solely’ by an ADM system would not involve a human in the decision-making process.

In terms of ADM systems that assist decision-making, an ADM system will be in scope if its involvement was both substantially and directly related to making the decision. This means it’s not enough for a computer program to simply have been used in the course of making the decision (for example, creating a graph in Microsoft Excel); the computer program must have been used to facilitate the decision-making.

An ADM system may assist decision-making processes in a number of ways, such as by generating an output which is reviewed and used by a human in making a decision (such as an extract, analysis or guidance which is further considered and analysed by the human), or by proposing a decision for a human’s review and sign-off.

Significance of impact

The new ADM transparency rules don’t apply to all types of decisions which are made (or assisted by) an ADM system, only those which “could reasonably be expected to significantly affect the rights or interests of an individual.”

When it comes to assessing whether a decision is one that could be expected to affect the rights or interests of an individual, the new requirements provide the following examples:

  • Decisions impacting rights under a contract.
  • Decisions impacting access to a significant service or support.
  • Decisions about the granting or refusal of a benefit.

However the significance of the impact must also be considered; trivial impacts will not meet the threshold for triggering the new transparency obligations.

Personal information of affected individual must be involved

For the new ADM transparency rules to apply, the ADM system must use personal information in the operation of the computer program. For example, ADM systems used in the context of manufacturing or inventory management may use a range of inputs that don’t involve personal information, so these types of systems would not be in scope for the new rules.

In particular, the system must be using personal information about the individual whose rights or interests could reasonably be expected to be significantly affected.

Where should I start?

The first step for many organisations in preparing to comply with the new ADM transparency rules will be to undertake a review and determine which systems and decision-making processes are in scope.

The following steps can help you narrow down your list of the ADM systems that will be subject to the new transparency rules:

  • Identify your ADM systems. Different systems will have different levels of automation. Ask: Does this system make decisions or help a human to make decisions? You should also categorise your ADM systems into those that make decisions solely (i.e. without human involvement) and those that assist human decision-making processes. Don’t forget to review systems that are used by your third-party suppliers on your behalf.

  • Assess the types of decisions made or assisted by each ADM system in terms of their impact. Ask: Are these decisions of the kind set out in the examples in the new rules? If not, do these decisions otherwise significantly impact individuals? If the ADM system made an error, or produced an inaccurate result or unexpected output, is there a risk the individual would be treated unfairly, discriminated against, or be adversely impacted? Following your assessment, categorise the decisions made or assisted by your ADM systems in terms of their potential impact. Those that fall into the ‘significant or greater’ impact category should remain on your list.

  • Determine whether the ADM system needs to be included in your Privacy Policy. The third step is to ask: Does the ADM system use or process personal information, or data about individuals? Not all ADM systems will use personal information – think for example about heating and cooling systems which adjust automatically depending on the weather or time of day. But when decisions are being made about humans, be very cautious about relying on de-identification techniques as a strategy to escape the ADM transparency rules. Assume that any system which uses or produces information about humans at an individual or household level is in scope.

Examples to look out for

For organisations that maintain thorough and up-to-date IT system registers and personal information inventories, identifying which systems fall within scope of the new rules (and the content that will need to be added to your Privacy Policy), may not be much of a stretch.

However, if your privacy program is not at this level of maturity and you don’t have the capacity to review all systems across the whole enterprise, be strategic about your efforts. Focus on your highest risk areas: certain types of decisions should be prioritised. Some sectors will also likely be higher risk than others.

The Australian Government’s response to the Privacy Act Review Report identified a number of examples where the denial of ‘consequential’ services or support could be of significance. The examples given include decisions about “financial and lending services, housing, insurance, education enrolment, criminal justice, employment opportunities and health care services, or access to basic necessities such as food and water” as those which could have a legal or similarly significant effect on an individual’s rights.

We would suggest that potentially high risk ADM systems could include systems which are used:

  • in recruitment processes, such as resume / applicant screening, classification and / or ranking, and personalisation or targeting of your job ads
  • to assess an individual’s credit worthiness and / or suitability for financial services and products, including financial hardship services
  • to calculate payments
  • to determine pricing (such as in differential or dynamic pricing models)
  • for decisions around access to essential services, including housing (such as ADM systems used to assess the outcomes of rental housing applications)
  • for law enforcement purposes
  • for processes related to the exercise of consumer protection rights
  • in healthcare settings, such as diagnostic, triage and / or patient monitoring systems
  • to make decisions that are largely based on an individual’s sensitive information, including sexuality, religion, and health information
  • to make decisions about children or other vulnerable populations
  • in connection with government decision-making
  • to manage educational programs, such as student admissions and / or automated grading.

The use of ADM systems in the context of targeted content or advertising could also be in scope, where these activities may have a significant impact on the individual, such as where they restrict an individual from accessing certain pricing, goods, services or opportunities made available to others.

Preparing your communications

Once you have identified the ADM systems that are in scope for the new ADM transparency rules, it’s time to prepare the content required under the new rules. When it comes to updating your Privacy Policy, the Government expects plain language, “jargon-free and comprehensible”, that can be understood by the broad range of audiences whose personal information your organisation handles.

In reflecting on the new ADM transparency rules required under the Privacy Act and the content that will need to be added to Privacy Policies, the Attorney-General’s Department notes:

“Entities would be required to include information in their privacy policy about the kinds of decisions and kinds of personal information used in these decisions. It is not expected that the information required to be included in privacy policies would be at a level of detail which would compromise commercially sensitive information about automated decision-making systems, or confidential information about ongoing detection of wrongdoing using automated decision-making systems”.

What else?

Don’t fall into the trap of thinking this process is once-off. Schedule a regular review and assessment of your ADM systems, and update your Privacy Policy as necessary. This review may be aligned, for example, with an annual review of your Privacy Policy, but should also be triggered by either the introduction of new software tools or changes in decision-making processes. The new ADM transparency rules apply to all existing ADM systems within scope – not just those that are adopted after the commencement of the new rules.

Also consider that ADM systems which use personal information to make significant decisions will likely fall into the category of ‘high privacy risk’. Meeting the new transparency requirements is not your only privacy compliance concern. You may also need to conduct Privacy Impact Assessments (PIAs) on these systems and related processes.

Federal government agencies are required by law to conduct a PIA for all ‘high privacy risk projects’, which include new or changed ways of handling personal information that are ‘likely to have a significant impact on the privacy of individuals’. Private sector entities may also risk breaching APP 1 if they fail to conduct a PIA of a high privacy impact project or technology.

The OAIC considers that the types of automated decision-making which may trigger the need to conduct a PIA “might include the use of artificial intelligence technologies or data analytics techniques on personal information to produce insights for policy-making or improved service delivery. It might also include using automated decision-making to make decisions that affect the rights, entitlements and opportunities of an individual.” This is a lower threshold than the test used in the ADM transparency rules.

Given the ease with which the OAIC can review Privacy Policies for compliance with the new ADM transparency rules, don’t be surprised if the OAIC also uses the opportunity to ask ‘did you carry out a PIA on this ADM system?’

Under-resourced and need to know where to focus your efforts?

Consider whether your organisation is likely to engage in any of the types of decisions described above as potentially high risk, and focus on those first. It may be helpful to document the ADM systems responsible for these decisions in a basic register to ensure you can revisit these systems. The register should document: the system, its owner, the type of decision made (or supported), the personal information the system processes, and whether the system supports the decision or makes it ‘solely’. Capturing this information in a register will make it easier to seek advice on whether the decisions meet the threshold for the new transparency requirements and ensure all the information you need to include in the Privacy Policy is readily available.

Helios Salinger’s template Privacy Policy and template Privacy Risk Assessment Questionnaire have been updated to reflect the new ADM transparency requirements. Both templates are included in our comprehensive Compliance Kits for Businesses & Non-profits, and for Australian Government agencies. Get in touch to find out more.
