What the Privacy Act 1988 and the 13 Australian Privacy Principles require when you use AI on personal information — consent, security, cross-border disclosure — without overclaiming.

dgm is an independent osFoundry integration partner — not affiliated with osFoundry’s maker (OS LLC), and dgm has no completed client integrations yet.

The Privacy Act 1988 is Australia’s federal privacy law, and it applies to AI the same way it applies to any other handling of personal information. Here is what it actually requires — and what is coming.

Item: Detail
Applies to: APP entities — most agencies and businesses over A$3m turnover (plus others)
Core duty: The 13 Australian Privacy Principles (APPs)
Cross-border: APP 8 — accountability for overseas disclosure, not a ban
Enforcer: Office of the Australian Information Commissioner (OAIC)

What the Privacy Act requires for AI

The Act is technology-neutral: AI handling of personal information is subject to the same 13 Australian Privacy Principles as any other handling, including open and transparent management, collection limitation, use and disclosure limits, data quality, security, and access and correction. You remain accountable for personal information handled by an AI processor on your behalf.

Cross-border data under APP 8

Australia does not prohibit sending personal information overseas — but under APP 8 you generally remain accountable for an overseas recipient’s handling of the information, so you must take reasonable steps to ensure it is handled consistently with the APPs (or rely on a recognised exception). It is an accountability model, not a localisation mandate.

What is changing

A first tranche of reform passed in 2024: a statutory tort for serious invasions of privacy is in force (since 10 June 2025), stronger OAIC enforcement and civil penalties are in force, and a new automated-decision-making transparency requirement (APP 1.7) is scheduled to commence on 10 December 2026 — not yet in force in mid-2026.

osFoundry’s managed cloud pins data to the US, EU or Japan — it does not currently offer an Australian managed region. For data that must stay in Australia, the honest path is self-hosting osFoundry (BYO Cloud) inside an Australian cloud region such as AWS (Sydney or Melbourne), Microsoft Azure (Australia East, Australia Southeast or Australia Central in Canberra) or Google Cloud (Sydney or Melbourne), or running models locally on-device.

Where dgm fits

dgm is an independent integration partner that helps Australian businesses adopt osFoundry — scoping a first use case, handling the build, and connecting AI to the systems you already run. dgm is independent of osFoundry’s maker (OS LLC) and has no completed client integrations yet, so everything described here is a service offered, not a past result. If you want to scope a practical first project, dgm can help you map it out.