As generative AI involving automated decision-making is increasingly accepted, one of the issues is understanding how automated decision-making operates and ensuring it operates as intended.
While AI and automated decision-making can make you more efficient, you need to understand how to use it while protecting your customers’ personal information.
Whether the decision relates to making a loan or offering employment, someone needs to be accountable for the model or algorithm, its sound operation, and the outcomes it delivers.
The Privacy Amendment Act 2024 inserted new requirements in the Privacy Act for regulated businesses concerning the information that must be included in their privacy policies about the kinds of personal information used, and types of decisions made, in automated decision-making.
Automated decision-making is broadly defined to include:
(a) a computer program which makes, or does a thing that is substantially and directly related to making a decision; and
(b) the decision could reasonably be expected to significantly affect the rights or interests of an individual; and
(c) personal information about the individual is used in the operation of the computer program to make the decision or do the thing that is substantially and directly related to making the decision.
From 11 December 2026, the information which must be included in a privacy policy will include:
- the kinds of personal information used in the operation of such computer programs;
- the kinds of such decisions made solely by the operation of such computer programs; and
- the kinds of such decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of such computer programs.
To make those disclosures you need to understand how the person affected can access automated decision-making and whether they can opt out of it?
This requires decisions about the program’s design: what information is used and what influences its decisions?
You also need to train your staff in the use of the system.
Privacy guides on AI for organisations
If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.
Author: David Jacobson
Principal, Bright Corporate Law
Email:
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
