The Privacy Act changes, and your automations.

By James Durkin, JDCS Updated 19 June 2026

Australia's privacy rules are changing, with new obligations phasing in from December 2026, and one of them lands squarely on the kind of automation small businesses are starting to use. The good news is that none of it stops you automating the busywork. It just asks you to be open about where software helps make decisions about people, and to keep a real human on the ones that matter. This is a plain read, not legal advice.

The short version: from late 2026, if a computer program makes or substantially shapes a decision that could significantly affect someone, you need to say so in your privacy policy. And the catch worth remembering: a rushed human rubber-stamp still counts as an automated decision. To rely on a person being in the loop, that person has to genuinely be able to change the outcome.

What's actually changing

The reforms cover a lot of ground, but the part most relevant to automation is transparency about automated decision-making. The principle is simple: people shouldn't be on the receiving end of consequential decisions made by software without knowing software was involved. So where an automated system makes, or does most of the work in making, a decision that could significantly affect a person, that needs to be disclosed in your privacy policy.

"Significantly affect" is the key phrase. We're not talking about an automation that sorts your inbox or drafts a reply for you to send. We're talking about decisions with real consequences for someone: approving or declining a request, setting a price for a particular customer, deciding who gets contacted or prioritised. If a program is making those calls, the new rules want it on the record.

The rubber-stamp trap

Here's the bit that catches people out, and it's worth saying plainly. You can't dodge the rules by having a person click "approve" at the end while the software does all the real thinking. A token sign-off, where nobody genuinely weighs the individual case, is still treated as an automated decision. The label "a human checked it" doesn't change what actually happened.

For human involvement to count, it has to be genuine. That means a real person, with the authority to overturn the result and the information to judge it, actually considering the case in front of them. If your "review step" is someone batch-approving a hundred decisions a minute without looking, that isn't oversight, it's a formality, and it won't protect you. Real human-in-the-loop is the standard, not a checkbox.

Does any of this apply to your business?

Possibly, and it's worth checking rather than guessing. Many small businesses with turnover of $3 million or less have long sat under an exemption, but that exemption has been under review and several obligations are broadening. Some small businesses are already covered regardless, for instance if you provide a health service or trade in personal information.

The sensible posture is to assume good privacy practice is expected of you, then confirm the specifics for your situation. Even where a rule may not strictly bind you yet, doing the right thing by people's data is both good business and the direction the law is heading. We won't overclaim here. The detail depends on your business, and a quick check beats an assumption.

What good practice looks like

If you're building or running automations, a few habits keep you comfortably on the right side of all this, and they happen to make for better systems anyway:

  • Know where decisions happen. List any automation that touches a decision about a person, and be honest about whether software or a human is really making the call.
  • Keep a real person on the consequential ones. Anything that affects a customer, a price or an approval should wait for genuine human review, not a token tap.
  • Say so in your privacy policy. Where automated decisions are made, disclose it in plain language. People should be able to understand what's going on.
  • Handle the data carefully. Collect only what you need, keep sensitive information protected, and be able to explain how a decision was reached if someone asks.

This is exactly how JDCS builds anyway. Our whole approach to AI automation keeps you approving anything that touches a customer, so the human stays in the loop by design rather than as an afterthought. The reforms simply make that the expected baseline, which suits us fine.

A simple way to get ready

You don't need a compliance project. Start with a short audit: walk through your automations and mark the ones that make or shape a decision about a person. For each, ask two questions. Is software making the call? And if a human signs off, is that review genuine? Where the answer leaves you uneasy, that's where to add real oversight and a line in your privacy policy.

If you'd like a structured way to set the rules for your whole team, our free AI policy and safe-use course walks through writing a simple, practical AI policy, including how to handle automated decisions and human review. And if you want a second opinion on which of your flows this even applies to, that's a good use of a free AI consulting conversation. For the wider picture on data handling, our guide on whether your data is safe with AI is a useful companion read.

Bottom line: the December 2026 changes don't ban automation, they ask for honesty and genuine human oversight where software shapes decisions that affect people. Disclose automated decisions in your privacy policy, make sure any human review is real rather than a rubber stamp, and handle personal data with care. Build it that way and you're ready. This is general information, not legal advice, so check your own obligations.

Not sure if the changes touch your automations?

The first conversation is free. You'll get a plain-English read on which of your flows make decisions about people, and what genuine human oversight looks like for your business.

Privacy Act questions, answered.

What are the Privacy Act changes coming in December 2026?

The reforms phase in new obligations for Australian organisations, and the one most relevant to automation is transparency about automated decision-making. From late 2026, where a computer program is used to make, or substantially help make, a decision that could significantly affect someone, your privacy policy needs to say so. The aim is that people aren't subject to consequential decisions by software without knowing it's happening.

Does the Privacy Act apply to my small business?

It depends. Many small businesses with annual turnover of $3 million or less have historically been exempt, but that exemption has been under review and several obligations are widening. Plenty of small businesses are already covered (for example if you trade in personal information or provide a health service). The safe move is to assume good privacy practice is expected and check your specific situation rather than rely on the exemption.

Does a human checking the result make it not an automated decision?

Not on its own. A token sign-off, where a person clicks approve without genuinely weighing the case, is widely understood to still count as automated decision-making. To rely on human involvement, the review has to be real: a person with the authority and the information to actually change the outcome, who considers the individual case rather than rubber-stamping whatever the system produced.

Can I still use AI automation under the new rules?

Yes. The changes are about transparency and genuine human oversight, not a ban. You can keep automating the busywork. What matters is being open about where software shapes decisions that affect people, keeping a real person in the loop on the consequential ones, and handling personal information carefully. That is exactly how a well-built automation should already work.

What should I do to get ready?

Make a short list of any automation that touches a decision about a person (pricing for a customer, approving or declining something, prioritising who gets contacted). For each, note whether software is making the call and whether a human genuinely reviews it. Update your privacy policy to mention automated decisions where they happen, and make sure your human-in-the-loop steps are real, not for show. A free conversation can help you work out which of your flows this even applies to.