With three major regulatory expansions landing on its desk in the next 13 months, the Office of the Australian Information Commissioner (OAIC) has suffered a funding cut in the 2026 federal budget,

The OAIC has been allocated $36.576 million in the 2026-27 Federal Budget. The figure is down from $39.753 million in 2025-26, representing an 8 per cent cut to the agency’s departmental appropriation.

Average staffing levels at the OAIC remain almost flat. The agency is funded for 175 staff in 2026-27, down from 176 in 2025-26.

Privacy Commissioner Carly Kind has previously been candid about OAIC resource constraints. Asked at a public event in 2024 what she would want if she could have anything, Kind replied "an unlimited enforcement budget”.

The OAIC is responsible for enforcing three significant Privacy Act expansions arriving between July and December 2026.

From July 1, the Anti-Money Laundering and Counter-Terrorism Financing regime expands to cover new sectors. Lawyers, conveyancers, accountants, real estate professionals and dealers in high-value goods become reporting entities.

Small business reporting entities lose their Privacy Act exemption when they enter the AML/CTF regime. The OAIC estimates this change will affect more than 100,000 small businesses.

The OAIC role expands accordingly. The regulator becomes responsible for privacy oversight of a much larger pool of small business entities.

From 10 December 2026, the Privacy Act will require businesses and government agencies to tell people when they use computer programs to make important decisions about them.

Organisations must update their privacy policies to explain three things. They must list the personal information their automated systems use. They must list the types of decisions those systems make.

Privacy policies must also identify which decisions could significantly affect a person’s rights or interests.

The rules cover any computer program that makes a decision, or substantially helps make one. This includes rule-based software, machine learning models and generative AI tools.

Who It Affects

The rules apply to any business or agency already covered by the Privacy Act that uses automated tools to make decisions about people. A decision is in scope if it could reasonably be expected to significantly affect a person’s rights or interests.

Examples include a bank using an algorithm to approve or refuse a loan. An insurer using software to set a premium or reject a claim.

A government agency using a system to grant or refuse a benefit is also in scope. So is an employer using AI to screen job applicants, or a healthcare provider using software to support diagnostic decisions.

The rules apply to any decision made on or after 10 December 2026. It does not matter when the algorithm was built or when the data was collected.

The OAIC will enforces the new rules. The Office will publish guidance on what organisations must include in their privacy policies.

A Children’s Online Privacy Code is also due to be registered by 10 December 2026.

The OAIC role includes drafting the Code, conducting a 60-day public consultation, and registering and enforcing it. The Office began consultation work in 2025.