Transparency around automated decision making (ADM) is becoming a governance issue, not just a privacy issue.
The OAIC has released a consultation on guidance for the new transparency obligation created by the Privacy and Other Legislation Amendment Act 2024. The consultation seeks views on scope and on the issues paper that will inform guidance for automated decision making, ahead of the obligation taking effect from 10 December 2026.
30 Second Take
For organisations, the message is important, if your business uses personal information in automated decisions that can affect rights or interests, the question is no longer whether the technology is clever enough. The question is whether you can clearly explain it, govern it and evidence it.
In plain English, this matters because customers, regulators and boards will expect more than a vague statement that “systems help us make decisions”. Organisations will need to know what data is used, what decisions are made, who owns the controls and whether the privacy policy actually tells the story in a way people can understand.
Who is impacted
The ripple effects will not stop with Privacy Teams.
AI and analytics teams, product owners, operations, cyber and internal audit may all be pulled into the same conversation.
Even organisations that are not obviously “AI businesses” can be affected if automated tools shape onboarding, credit, fraud, complaints handling, claims, service prioritisation or eligibility decisions.
Ask the practical questions now:
- Where are we using automated decision making today?
- Could we explain that process clearly to a customer, a board and a regulator?
Boards and executives should be asking whether the organisation has a complete inventory of ADM use cases. For these use cases whether privacy disclosures are accurate, and whether the control environment is strong enough to support the forthcoming obligation. They should also ask what evidence exists to prove the organisation knows its data, its decision logic and its accountability lines.
That is where risk managers play a critical role. They can connect privacy, technology and operational risk, challenge assumptions, lift evidence quality and make sure the business is not confusing technical capability with governance maturity.
What can you do to prepare
Practical next steps include mapping use cases, testing policy disclosures, clarifying ownership, documenting controls and identifying where uplift is needed before the new obligation bites.
A focused maturity assessment can quickly show where gaps exist, what evidence is missing and which remediations should be prioritised first.
Innovation of Risk helps organisations do exactly that through practical maturity assessments, AI-enabled risk tools and targeted consulting support across privacy, governance, cyber, conduct and operational risk. The goal is to move from broad concern to clear accountability and measurable uplift.
If automated decision making is part of your operating model, this consultation is a timely prompt to get organised now.
#Privacy #AIgovernance #AutomatedDecisionMaking #RiskManagement #OAIC #Governance
Innovation of Risk has developed a beta tool for understanding AI Maturity and undertaking AI Risk Assessments, contact us for further information.

