Adaptbl is a NewLaw + Consulting firm whose mission is to transform legal practice and consulting to better suit modern government agencies, businesses and not-for-profits.

We partner with clients to provide solutions that are flexible, holistic and better value for money.


OAIC updates Australian Privacy Principle Guidelines per amendments to the Privacy and Other Legislation Amendment Act 2024

The Office of the Australian Information Commissioner (OAIC) has updated the Australian Privacy Principles (APP) Guidelines to reflect recent amendments to the Privacy Act 1988 (Cth).

The updates specifically relate to APPs 1 (open and transparent management of personal information), 8 (cross-border disclosure) and 11 (security of personal information). A brief summary of some of the key changes follows.

APP 1: Open and transparent management of personal information

Updates include new obligations, commencing in December 2026, for APP entities to include information about certain automated decisions in their privacy policies.

If your organisation or agency engages a computer program to use personal information to make, or do a thing that is substantially and directly related to making, a decision that could significantly affect an individual’s rights or interests, your privacy policy must include specified information about this use.

The Explanatory Statement to the Privacy and Other Legislation Amendment Bill 2024 provides a non-exhaustive list of examples of the kinds of decisions that would be captured, including:

a. a decision made under a provision of an Act or a legislative instrument to grant, or to refuse to grant, a benefit to the individual. For example, this may include a decision in relation to granting admission to a country or entitlement to a housing benefit.

b. a decision that affects the individual’s rights under a contract, agreement or arrangement. For example, this may include a contract for a life insurance policy.

c. a decision that affects the individual’s access to a significant service or support. For example, this may include access to healthcare services.

The use of computer programs to target individuals with content and advertisements may have a significant effect on an individual if, for example, it results in differential pricing for provision of, or access to, significant goods or services, or limits access to employment opportunities.

Organisations and agencies should use the time now to carefully review and map their decision-making processes to identify any affected decisions. Determining whether an automated decision is captured will require careful analysis of the decision-making process and the likely impact on individuals.

APP 8: Cross-border disclosure of personal information

Updates to APP 8 provide guidance on the application of the new exception to APP 8.1.

The new exception provides that APP entities do not have to comply with APP 8.1 when disclosing personal information to an overseas recipient where:

(a)  the recipient of the relevant personal information is:

(i)  subject to the laws of a country that is prescribed by the regulations; or

(ii)  a participant in a binding scheme that is prescribed by the regulations; and

(b)  if the country or binding scheme is prescribed subject to conditions - those conditions are satisfied.

To date, no countries have been prescribed by regulations.

APP 11: Security of personal information

Updates to Chapter 11 of the Guidelines make it clear that taking reasonable steps to protect personal information for the purposes of APP 11.1 will include both organisational and technical measures.

The Guidelines note technical measures include physical and technological concerns relating to hardware and software. Organisational measures involve implementing procedures, policies and processes to protect information security.

If your agency or organisation needs assistance with understanding how any of these changes may impact you, please reach out to our information law experts James Pratt (james.pratt@adaptbl.com.au or 0423 368 823) or Geoff Adams (geoff.adams@adaptbl.com.au or 0404 608 231) to discuss.

A special thanks to Jemima Thomas, Paralegal, in our Information Law Team for her input to this article.

Geoff Adams