Australia Privacy Act 2026 — APP 1 ADM Transparency on December 10
The Privacy and Other Legislation Amendment Act 2024 turns on APP 1 automated-decision transparency on December 10, 2026. The OAIC will publish detailed guidance. AI voice and chat agents need a privacy-policy refresh now.
Australia's Privacy Act reform arrived in tranches. The first tranche — the Privacy and Other Legislation Amendment Act 2024 — flips automated-decision-making transparency live on 10 December 2026. APP 1 Privacy Policies need new sections by then.
What the law says
The Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) bind APP entities — agencies and most private organisations with annual turnover over A$3M, plus health-information handlers. The Privacy and Other Legislation Amendment Act 2024 (POLA Act), enacted in 2024, brought the first tranche of long-promised reforms. Among them, amendments to APP 1.3 require an APP entity to include in its Privacy Policy: a statement that the entity uses computer programs to make or substantially assist in making decisions that may have a legal or similarly significant effect on individuals; the kinds of personal information used; the types of decisions made; and the categories of decisions that may significantly affect rights or interests. Effective date: 10 December 2026.
The OAIC will publish detailed guidance on the new APP 1 obligations in 2026. Existing OAIC guidance on AI emphasises privacy by design, accuracy of AI-generated personal information including hallucinations, and consent for sensitive-information training. The Privacy Act Review Final Report recommended a future right to request meaningful information about automated decisions; the second tranche of reforms is expected to deliver that. The OAIC has expanded enforcement powers, civil penalties up to A$50M for serious or repeated interference with privacy, and a notifiable-data-breach scheme.
What AI voice/chat must do
By 10 December 2026, every APP-bound voice and chat operator must update its Privacy Policy with the four ADM-transparency elements. Practically: enumerate the workflows that use AI to make or substantially assist a decision; describe the personal information inputs; describe the decision types; and call out the categories with significant effect. The OAIC's privacy-by-design expectation extends to model selection, retention, and accuracy controls. Sensitive information training requires consent. Hallucinations producing inaccurate personal information are a risk under APP 10 (quality of personal information) and trigger correction obligations under APP 13.
CallSphere posture
CallSphere — 37 agents, 90+ tools, 115+ DB tables, 6 verticals, 50+ businesses, 4.8/5, HIPAA and SOC 2 aligned — generates Australian APP-aligned privacy-policy sections automatically from each tenant's workflow inventory. The accuracy-control layer flags low-confidence outputs and re-prompts before storing claims about a person; correction requests under APP 13 are handled within the tenant CRM. Sensitive-information consent flows are gated. Pricing $149 / $499 / $1,499; 14-day trial; 22% affiliate; see /pricing and /contact; about us at /about.
flowchart LR
A[AU Caller] --> B[Voice Agent]
B --> C[APP 1 Notice]
C --> D[ADM Section]
D --> E[Inputs + Types]
B --> F[APP 10 Accuracy]
F --> G[APP 13 Correction]
Compliance checklist
- Inventory every workflow that uses AI to make or substantially assist a decision with significant effect.
- Update the Privacy Policy with the four APP 1.3 ADM elements before 10 December 2026.
- Document the personal-information inputs per workflow.
- Catalogue the decision types and categories with significant effect.
- Adopt the OAIC privacy-by-design checklist for new model rollouts.
- Capture consent for sensitive-information processing and training.
- Implement APP 10 accuracy controls — verify, re-prompt, log corrections.
- Stand up an APP 13 correction workflow within 30 days.
- Track the second tranche of reforms — meaningful-information right is expected.
- Maintain notifiable-data-breach response within the 30-day assessment window.
FAQ
Does APP apply to small businesses? Most are exempt below A$3M turnover, with exceptions for health-information handlers, contractors of agencies, and commercial-data sellers.
Is voice metadata personal information? Often yes — combined with other data it identifies an individual.
What counts as significant effect? The OAIC will detail this; legal or similarly significant outcomes such as eligibility, employment, finance, education, and healthcare access typically qualify.
Are hallucinations breaches? Inaccurate personal information that an entity creates or stores triggers APP 10 quality and APP 13 correction obligations.
Is consent the basis for AI training? For sensitive information, yes. For other personal information, lawful collection and reasonable expectations apply.
Sources
- Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au/
- Privacy Act 1988 — federal register of legislation: https://www.legislation.gov.au/Details/C2024C00006
- Privacy and Other Legislation Amendment Act 2024: https://www.legislation.gov.au/C2024A00126/latest/text
- OAIC APP 1 Open and Transparent Management Guidance: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-1-app-1-open-and-transparent-management-of-personal-information
- OAIC Submission on AGD Government ADM Use: https://www.oaic.gov.au/engage-with-us/submissions/agd-consultation-paper-use-of-automated-decision-making-by-government