From 10 December 2026, new transparency obligations under the Privacy Act take effect for automated decision-making, and most small businesses have not heard of them. If a computer program, artificial intelligence included, makes or substantially contributes to a decision that could significantly affect someone's rights or interests, your privacy policy must disclose the kinds of personal information used and the nature of those decisions. The rules sit in new Australian Privacy Principle provisions (APP 1.7 to 1.9) introduced by the 2024 privacy reforms, and they apply no matter which model you run.
That last point catches people out. We keep meeting owners who assume the compliance obligation attaches to the model vendor. It does not. Whether the engine is Claude, a self-hosted open-weight model, or a no-code tool with a model buried inside it, the disclosure duty lands on the organisation making the decision, not the company that trained the model.
Which decisions actually count
The obligations target decisions that have a significant effect on a person's rights or interests. In a typical Australian SMB, that usually means:
Screening job applications or ranking candidates
Approving credit terms, payment plans or rental applications
Setting insurance premiums or excess levels
Fraud flags that block a customer's transaction or account
Routine automation, such as drafting an email that a human genuinely reads before sending, sits outside the intent of the rules. The grey zone is wide, though. The phrase substantially automated will catch any workflow where a person clicks approve without really reviewing the output, and that describes a lot of quietly adopted AI in Sydney and Melbourne offices right now.
A useful test is whether a staff member could explain, in their own words, why a particular person got the outcome they did. If the honest answer is that the software decided and nobody looked closely, you are almost certainly in scope. If someone reworked the result, weighed it against context the model never saw, and could defend the call to the person affected, you are on the assisted side of the line. That distinction is the one the OAIC will care about, and the one worth designing around now rather than arguing about after a complaint.
What the December deadline actually requires
Transparency is the heart of the new obligations. By 10 December 2026 you need three things in place:
A privacy policy that discloses, in plain English, the kinds of personal information used in automated decisions and the nature of those decisions
A clear record of where a human genuinely reviews an outcome rather than rubber-stamping a ranked list
Enough logging to reconstruct how a specific decision was reached if a customer or the Office of the Australian Information Commissioner asks
None of this requires a law degree to begin. It does require knowing where automation touches consequential decisions in your business, which is often less obvious than owners expect once a few tools have crept in through different teams. The first honest inventory of AI-assisted decisions in a ten-person company routinely turns up workflows nobody set out to build.
A practical preparation project
A sensible project for a small business, run alongside your existing advisers, looks like this:
Inventory every workflow where software influences a consequential decision about a person
Classify each one as fully automated, substantially automated, or human-decided with AI assistance
Update the privacy policy with the required disclosures
Add genuine human review points wherever automation currently decides alone
Keep decision logs so you can evidence how a specific outcome was reached
For most SMBs this is a $5,000 to $15,000 piece of work, far cheaper than retrofitting compliance after a complaint lands with the OAIC. A firm with many decision points, such as a lender or a recruitment agency, should budget more and start earlier. The cost of doing nothing is not zero either: the reforms carry real penalty exposure for serious breaches, and a public complaint about an opaque AI decision is the kind of reputational hit a small brand struggles to absorb.
Where model choice helps
Disclosure duties are model-agnostic, but auditability is not. When we build decision-support workflows on Claude, we design in structured reasoning traces, logging and human checkpoints from the start, which turns the December obligations into a checklist rather than a scramble. A well-engineered open-weight deployment can reach the same standard. A scattered set of unlogged tools cannot, and that tangle is exactly what many businesses are accumulating without noticing.
In practice, an auditable setup gives you a written record you can actually stand behind:
A record of which model made or shaped each decision, and when
The inputs and the reasoning the model produced, stored against the outcome
A named human review step for anything with a significant effect on a person
Getting there is mostly organisational rather than technical. The businesses that will find December painless are the ones that treated their AI tools as decisions to be governed, not features to be switched on. A short exposure review this quarter buys you months of lead time and turns a looming deadline into routine housekeeping.
If automated decisions touch your hiring, lending, pricing or customer management, this is worth getting ahead of well before December. We map an SMB's exposure in a single session and hand back a plain-English action list rather than a compliance lecture. Book a free brainstorm and we will work through where you stand and what to fix first.



