Transparency guidance for automated decision making and AI

Transparency around automated decision making (ADM) is becoming a governance issue, not just a privacy issue.

The OAIC has released a consultation on guidance for the new transparency obligation created by the Privacy and Other Legislation Amendment Act 2024. The consultation seeks views on scope and on the issues paper that will inform guidance for automated decision making, ahead of the obligation taking effect from 10 December 2026.

30 Second Take

For organisations, the message is important, if your business uses personal information in automated decisions that can affect rights or interests, the question is no longer whether the technology is clever enough. The question is whether you can clearly explain it, govern it and evidence it.

In plain English, this matters because customers, regulators and boards will expect more than a vague statement that “systems help us make decisions”. Organisations will need to know what data is used, what decisions are made, who owns the controls and whether the privacy policy actually tells the story in a way people can understand.

Who is impacted

The ripple effects will not stop with Privacy Teams.

AI and analytics teams, product owners, operations, cyber and internal audit may all be pulled into the same conversation.

Even organisations that are not obviously “AI businesses” can be affected if automated tools shape onboarding, credit, fraud, complaints handling, claims, service prioritisation or eligibility decisions.

Ask the practical questions now:

  • Where are we using automated decision making today?
  • Could we explain that process clearly to a customer, a board and a regulator?

Boards and executives should be asking whether the organisation has a complete inventory of ADM use cases.  For these use cases whether privacy disclosures are accurate, and whether the control environment is strong enough to support the forthcoming obligation. They should also ask what evidence exists to prove the organisation knows its data, its decision logic and its accountability lines.

That is where risk managers play a critical role. They can connect privacy, technology and operational risk, challenge assumptions, lift evidence quality and make sure the business is not confusing technical capability with governance maturity.

What can you do to prepare

Practical next steps include mapping use cases, testing policy disclosures, clarifying ownership, documenting controls and identifying where uplift is needed before the new obligation bites.

A focused maturity assessment can quickly show where gaps exist, what evidence is missing and which remediations should be prioritised first. 

Innovation of Risk helps organisations do exactly that through practical maturity assessments, AI-enabled risk tools and targeted consulting support across privacy, governance, cyber, conduct and operational risk. The goal is to move from broad concern to clear accountability and measurable uplift.

If automated decision making is part of your operating model, this consultation is a timely prompt to get organised now.

#Privacy #AIgovernance #AutomatedDecisionMaking #RiskManagement #OAIC #Governance

Innovation of Risk has developed a beta tool for understanding AI Maturity and undertaking AI Risk Assessments, contact us for further information.

More from the Reading Room

Using AI Risk Management to Accelerate Innovation

New Diligent Institute / Governance Institute of Australia data shows 61% of Australian boards restrict employee AI use while only 13% have an AI-literate director — proof that restriction and real governance are pulling apart. NIST's expanding AI Risk Management Framework and the EU AI Act's 2 August 2026 third-party accountability deadline show how structured, evidence-based workflows are what actually let AI adoption move faster, safely.

The Qantas privacy finding: a positive lesson in third-party oversight

A serious data breach does not automatically mean governance failed. The more important question is whether an organisation can demonstrate that it understood the risks,...

AI Agents and Non-Human Identity Risk

When a single ungoverned AI tool gave attackers a path from a Vercel employee’s device into Vercel’s internal systems, and a poisoned VS Code extension let attackers pull roughly 3,800 repositories out of GitHub, the common thread wasn’t a coding flaw — it was an unmanaged non-human identity. With AI agents now driving machine identities to roughly 109 per human inside the average enterprise (CyberArk, 2026), most governance frameworks still treat identity as a human-only problem.

AI Risk Management Must Shift from Advisory to Driving Informed Risk Taking

Commonwealth Bank's 2026 AI transparency report, Deloitte's board AI-literacy data and PwC's 2026 AI Performance Study all point the same way: risk teams stuck in a purely advisory role are becoming a competitive liability, not a safeguard. Here's what separates governance that enables from governance that only gates.