What the December 2026 privacy changes mean for AI in disability services
From 10 December 2026, you must disclose AI-assisted decisions in your privacy policy. What's changing, what counts, and what to do before then.
What is changing on 10 December 2026?
On 10 December 2026, a new privacy rule starts. If your organisation uses a computer program to make — or substantially help make — a decision that could significantly affect someone's rights or interests, your privacy policy has to say so.
It comes from the Privacy and Other Legislation Amendment Act 2024. Confirmed, dated, close.
Does having a human reviewer take you outside the rule?
The test has three parts, and the rule applies when all three are true:
- —A computer program makes a decision, or does something substantially and directly tied to making it.
- —That decision could reasonably be expected to significantly affect a person's rights or interests.
- —Personal information about that person is used.
Read the scope carefully: it catches decisions where a human is still in the loop. “We had someone review it” does not take you outside the rule.
Which AI uses in an NDIS service fall inside this rule?
In an NDIS service, that's a wide net. Rostering that decides who supports whom. Incident triage that classifies severity. Referral prioritisation. Anything that flags a participant for review. If AI shapes a decision that touches a participant, it is likely in scope.
A disclosure obligation. You tell people, in your privacy policy, the kinds of personal information your automated programs use and the kinds of decisions they make or assist.
A right for an individual to demand a human re-decide. That may arrive in a later tranche. For now the obligation is transparency — and transparency you can prepare for.
What should NDIS providers do before December 2026?
Three things worth doing before December:
Write down every place AI touches a participant-affecting decision in your operation. You can't disclose what you haven't mapped.
Draft the privacy-policy paragraph now, so it's ready to switch on — not written in a panic in November.
For any AI system you bring in between now and then, ask the vendor for the disclosure language as part of the package. The ones who've taken compliance seriously already have it written.