Most Businesses Using AI in Hiring Are Already Covered by This Law. Here's What It Actually Requires.
By Anton Menkveld · 18 June 2026

Key takeaways
- APP 1.7 takes effect 10 December 2026 and requires disclosure of AI use in hiring within your privacy policy.
- AI-assisted decisions are in scope, not just fully automated ones — if a tool influences who gets an interview, you're likely covered.
- Non-compliance attracts infringement notices (~$62,600 per contravention) rising to $50M for serious breaches.
- The legal obligation is a privacy policy update — but a defensible process requires much more than that.
- Map your tools, update your policy, and check your vendors before the deadline arrives.
Here's the assumption most hiring teams are making right now: “automated decision-making” means a machine making the final call. No human involved. Fully autonomous. Science fiction stuff.
That assumption is wrong, and it’s going to matter a great deal before December 2026.
Australia’s new privacy rules, which take effect on 10 December 2026, don’t just capture AI that decides things on its own. They capture AI that helps a human decide. If your tool ranks candidates, scores applications, or produces output that a hiring manager relies on to choose who gets an interview — you’re likely in scope, even though a person made the final call.
That covers a lot of tools most businesses already use. And most of the people using those tools don’t know it yet.
What the Law Actually Says
In December 2024, the Australian Parliament passed the Privacy and Other Legislation Amendment Act 2024. Buried inside a broader overhaul of the Privacy Act 1988 was a new clause — APP 1.7 — specifically targeting automated decision-making.
The obligation doesn’t kick in immediately. Organisations have until 10 December 2026 to comply. What it requires, in plain terms: if you use AI anywhere in your hiring process, you have to say so in your privacy policy — what personal data the system uses, and what kinds of decisions it makes or contributes to.
Not a code of practice. Not voluntary guidance. Law, with penalties attached.
The part most people miss is the definition of what’s “automated.” An organisation is covered if:
- they’ve arranged for a computer program to make, or do something substantially and directly related to making, a decision about an individual;
- that decision could reasonably be expected to significantly affect the individual’s rights or interests; and
- personal information is used in the process.
Read that middle phrase again: “substantially and directly related to making.” This is not limited to systems that operate without humans. If your AI tool produces a shortlist score, a suitability ranking, or a behavioural assessment result — and a hiring manager looks at that output to decide who moves forward — that’s caught. The law firm Johnson Winter Slattery flagged in their analysis that the definition is broad enough to capture “a decision as to whether to grant a job applicant a job interview.”
Resume ranking. Candidate scoring. AI-assisted screening. All potentially in scope.
Compare that to the EU’s GDPR, which only triggers for decisions made solely by automated systems. Australia’s version captures human-assisted decisions too — as long as the system’s output is substantially and directly connected to the outcome. That’s a meaningful difference, and most businesses building their understanding on the GDPR comparison are starting from the wrong place.
“We’re Too Small for This to Apply to Us” — Are You Sure?
A lot of Australian SMEs assume privacy law is a big-business concern. Banks and telcos. Not them.
The Privacy Act generally applies to organisations with annual turnover above $3 million. Below that, many businesses are currently exempt. “Many” is doing some work in that sentence, though — smaller businesses lose the exemption if they handle health information, trade in personal data, or operate under certain Commonwealth contracts, among other exceptions. The threshold is messier than most people think.
More importantly: even if your business sits comfortably under that $3 million line, the AI recruitment platform you’re using almost certainly doesn’t. That platform is the one processing candidate data, contributing to hiring decisions, and carrying the disclosure obligations from December 2026. What it does with candidate data is something you need to understand and be able to explain — regardless of where your own turnover sits.
One more thing. The government has already signalled — in its formal response to the broader Privacy Act review — that it intends to remove the small-business exemption altogether. No date is locked in yet. But building a hiring process around “we’re exempt for now” is building on ground that’s already shifting.
The Penalties Are Real — Which Is Why Early Preparation Pays Off
APP 1.7 is specifically listed in section 13K of the Privacy Act, which means non-compliance can attract infringement notices of approximately $62,600 per contravention for bodies corporate (200 penalty units at the current rate). Where non-compliance rises to the level of serious interference with privacy under section 13G, penalties can reach the greater of $50 million, three times the benefit obtained, or 30% of turnover. The OAIC is better resourced than it’s ever been, and enforcement appetite has grown alongside its powers.
The businesses that find December 2026 straightforward are the ones that started mapping their process now, not the ones who waited for the guidance to drop.
What the Disclosure Actually Requires
Once the obligation applies, your privacy policy needs to cover three things in plain language:
- the kinds of personal information your automated tools use;
- which decisions, if any, are made solely by a program; and
- which decisions a program is substantially and directly involved in producing — even where a person makes the final call.
You don’t need to expose your algorithms or reveal commercially sensitive technical detail. But candidates need to understand what’s happening to their data and how it shapes the outcome.
The organisations that will find this straightforward are the ones who already know the answer to those three questions. The ones who’ll struggle are the ones who’ve never actually mapped what their tools do — which is most of them.
The Real Problem Isn’t Compliance. It’s Not Knowing How Your Process Works.
Here’s what the legislation is exposing that has nothing to do with penalties.
A significant number of businesses using AI in hiring couldn’t accurately describe, right now, what their tools are actually doing. They know a tool ranks candidates. They don’t know exactly what data it weighs, how it produces that ranking, or what the output looks like relative to the final hire. They couldn’t write a disclosure statement today because they’d need to investigate their own process first.
That’s the gap the legislation is forcing open — not the compliance paperwork, but the question underneath it: can you explain how you arrived at a hiring decision?
What data did the system use? What did it produce? Who reviewed it? Who made the final call?
Answer those four questions cleanly for every role you’ve hired in the last year and you’re most of the way to compliance. Struggle with any of them, and the disclosure requirement is the least of your problems: a process you can’t describe is a process you can’t defend.
The practical answer is a hiring process built on more than one data point. A resume is a starting point, not a decision. AI-assisted scoring or profiling is an input to a human judgment, not a substitute for one. Every candidate measured against the same criteria. A record at every step of what the system produced and who reviewed it. That’s not just what compliance looks like — it’s what a hiring process worth defending looks like.
What to Do Before December 2026
1. Map every tool that touches candidate data. Your ATS, any AI screening tools, assessment platforms, scheduling software. Ask: does this produce output that influences who gets an interview? If yes, it’s potentially in scope.
2. Review your privacy policy now. Does it say AI is involved in your process? Does it explain what data is used and what the system contributes to? If not, it needs to.
3. Ask your vendors to explain themselves. Any tool processing candidate data should be able to clearly describe how it works and what personal information it handles. If they can’t, that’s a risk signal worth taking seriously.
4. Build your process so you can explain it. Human review of AI output, consistent criteria across candidates, and a record of what the system produced and who decided — these aren’t explicitly mandated by APP 1.7, but they’re what a defensible hiring process looks like. If you can’t answer “what data did the tool use, what did it produce, and who made the call?” for any given hire, that’s the gap to close.
5. Watch for OAIC guidance, but don’t wait on it. The OAIC may release further guidance on APP 1.7 before the deadline. That could clarify grey areas in the definition — but waiting for it before starting your preparation is how you end up with three months to do six months of work.
Before any of that is useful, though, you need to know where your process actually stands.
The GrowMyTeam AI Hiring Compliance Check maps your current process across tool awareness, privacy policy disclosure, human oversight, candidate transparency, and your audit trail. The first two are what APP 1.7 directly requires. The last three are what a process worth defending looks like in practice. Ten questions, three minutes, a score and a personalised gap summary — because you can’t honestly prioritise the work until you can see where the gaps actually are.
Take the AI Hiring Compliance Check →
If you’d rather start with a printable checklist of everything that needs to be in place before December 2026, that’s available separately — no quiz required.

