The short version: From 10 December 2026, the new APP 1.7 transparency obligations introduced by the Privacy and Other Legislation Amendment Act 2024 commence. Any Australian clinic, law firm, or service business that uses a computer program — including AI receptionists, automated booking, or triage tools — to make, or substantially and directly contribute to, decisions about individuals must disclose that use in its privacy policy. Non-compliance with privacy policy requirements can attract infringement notices of up to $66,000, and civil penalties for serious interferences with privacy reach $50 million. This article walks through what changed, whether it applies to your practice, and the four practical steps to take before December.
The Privacy and Other Legislation Amendment Act 2024 was one of the most significant updates to Australian privacy law since the Privacy Act 1988 was introduced. It passed Parliament on 29 November 2024 and received Royal Assent on 10 December 2024. Most provisions commenced at Royal Assent or within months of it. The automated decision-making transparency requirement did not.
The amendments to Australian Privacy Principle 1 — specifically the new APP 1.7 — were given a 24-month lead time. They commence on 10 December 2026. After that date, organisations covered by the Privacy Act (called "APP entities") must include specific information in their privacy policies whenever they use a computer program to make decisions affecting individuals, or to do something substantially and directly related to making those decisions.
The Office of the Australian Information Commissioner (OAIC) has already signalled that healthcare is a priority enforcement sector in 2025–26, with policy compliance sweeps underway and infringement notices being issued at up to $66,000 per breach.
This is the question most Australian practice owners are asking us. The short answer is yes, in most cases — and the reason is the deliberately broad definition of "computer program" in the legislation.
The Explanatory Memorandum to the Privacy and Other Legislation Amendment Bill 2024 makes clear that the term covers everything from sophisticated machine learning models down to basic rule-based logic. An AI receptionist that routes calls based on the stated reason for calling, prioritises an urgent caller over a routine booking, or escalates a complaint to a human is making decisions. If those decisions use personal information (the caller's name, contact details, reason for contact, history with the practice), and they could "reasonably be expected to significantly affect the rights or interests of the individual," APP 1.7 applies.
For Australian clinics, the threshold is met more easily than many practice owners assume. Routing a caller to "urgent" versus "routine" booking is a decision about access to healthcare. Declining to book a caller in the next available slot because the AI determined they were calling about something out of scope is a decision that affects their access. Decisions like these can readily meet the "significantly affect" threshold; they are not administrative trivia.
The same logic applies to automated booking tools (HotDoc, Cliniko's online booking, PracSuite portals), triage chatbots, and any reminder system that decides which patients to contact and when.
Most clinics underestimate how many automated decisions are already being made on their behalf. Run through every system that touches patient information and ask: does this software make or substantially support a decision about a patient? Common sources:
Document each one. You don't need a forensic audit — a one-page list is fine. What matters is that you can identify them when asked.
Under the new APP 1.7, your privacy policy must include three pieces of information about your automated decision-making: (a) the kinds of personal information used in computer programs to make, or substantially and directly contribute to, decisions that significantly affect individuals; (b) the kinds of decisions made solely by the automated operation of those programs; and (c) the kinds of decisions for which a program does something substantially and directly related to making the decision.
The disclosure has to be in clear, accessible language. Burying it in technical jargon doesn't satisfy APP 1.7. Practice owners we've worked with have found this is best handled as a short, named section in the privacy policy — for example, "Our use of automated decision-making" — rather than scattered references throughout.
APP 1.7 is a transparency obligation; it doesn't require that every automated decision can be appealed. But the OAIC has emphasised that meaningful transparency includes telling individuals how they can escalate to a human. For clinics using AI receptionists, this is straightforward: callers can always request to speak to a person, and the system is configured to honour that request. Document this. The audit trail matters more than the volume of escalations.
This one is healthcare-specific. Ahpra's August 2024 guidance on AI in healthcare is clear: practitioners remain fully accountable for clinical decisions even when AI tools are involved. The APP 1.7 changes commencing in December 2026 don't soften this — they layer on top of it. If your AI receptionist is making decisions that touch clinical territory (booking a patient to see one practitioner versus another based on described symptoms, for example), that's a decision the registered practitioner remains responsible for. Get the practitioner's sign-off on the AI's decision logic and keep it on file.
"We only use AI for admin, not clinical decisions, so this doesn't apply." APP 1.7 applies to decisions about an individual, not only clinical decisions. Booking, routing, and access to services all qualify if they significantly affect the individual.
"Our AI is hosted overseas — Australian privacy law doesn't reach it." The Privacy Act applies to APP entities operating in Australia regardless of where their software vendors are based. APP 8 cross-border disclosure obligations also apply.
"We'll wait and see what the OAIC does in 2027." The OAIC has already run a privacy policy enforcement sweep in 2025, with healthcare named as a priority sector. The deadline is the deadline. Non-compliant policies after 10 December 2026 are enforceable from day one.
"Our practice is small — the rules don't apply." The small business exemption (annual turnover under $3 million) does not extend to organisations that provide a health service and hold health information, so a practice that holds patient records is generally an APP entity regardless of turnover. Most allied health practices, dental clinics, and GP surgeries are covered.
If your practice already runs any AI or automation that touches patient information, treat the December 2026 deadline as a fixed milestone. Build backward from it:
If you're considering deploying an AI receptionist, build compliance in from day one rather than retrofitting it. The cost difference is small. The risk difference is significant.
We've put together a one-page practical checklist covering the December 2026 Privacy Act changes, Ahpra's AI guidance, ACMA telemarketing standards, and the Fair Work Right to Disconnect. It's the same document we use internally for every build at RJ Does AI.
Download the checklist