Does Privacy Act 1988 — Automated Decision-Making Reforms require Data Governance?

Australia • enacted

Yes — 1 provision

Requirements at a glance

This regulation imposes 5 specific requirements for Data Governance across 1 provision:

Data Minimisation for AI Systems

Obligation: Data Governance • enacted
Effective: Dec 10, 2026
Risk tier: all
Scope: providers, deployers
sleeper • cross-domain

The reformed Privacy Act explicitly prohibits collecting broad datasets "in case they might be useful" for AI training. Each data input to an AI system must be demonstrably necessary for the specific purpose. This directly impacts how organizations build training datasets and deploy AI models using personal information.

Requirements

| Requirement | Details |
| --- | --- |
| Data minimisation | Each AI data input must be reasonably necessary for the specific purpose |
| No speculative collection | Cannot collect broad datasets for potential future AI use |
| Primary purpose limitation | AI systems may only use personal data for primary collection purposes |
| Enhanced consent | Specific, informed, voluntary, current consent required for AI training and profiling |
| Vendor due diligence | Must assess third-party AI vendors for data handling practices |

Penalties

| Violation | Fine |
| --- | --- |
| Serious breach | Significant civil penalties per Privacy Act enforcement provisions |