
A Simple Map
How Australia's AI rules hang together.
Four parallel streams. Different regulators. Different deadlines. Same target: every organisation using AI to decide things about people or run critical systems.
- Privacy Act (OAIC)
- Gov AI Policy (DTA)
- National Framework (Finance)
- SOCI Act (Home Affairs)
Privacy Act 1988 (as amended 2024)
Regulator: OAIC · Legislation
New ADM transparency duty — disclose when personal info is used in automated decisions affecting an individual.
Updated 10 Dec 2025
IN FORCE · Policy for Responsible Use of AI in Gov v2.0
Owner: DTA · Policy (Commonwealth)
In force 15 Dec 2025. Mandatory for all Commonwealth agencies — use-case catalogue, accountable official, training.
Updated 15 Dec 2025
STAGED · National Framework for Assurance of AI in Gov
Owner: Dept of Finance · Framework
Agreed June 2024. First mandatory requirement 15 Jun 2026; all remaining Dec 2026. Covers Commonwealth, State & Territory.
Updated 20 Nov 2025
LIVE · SOCI Act 2018 + CIRMP
Regulator: Home Affairs / CISC · Legislation
Applies to defined critical infrastructure assets (not whole sectors). 22 asset classes, most with thresholds. AI in OT now in-scope via CIRMP.
Updated 15 Oct 2025
Updated Privacy Policy
Public disclosure: personal info used, decisions made, how, and how to challenge.
Updated 10 Dec 2025
AI Impact Assessment (AIIA)
DTA tool — mandatory for Commonwealth AI use cases. Increasingly referenced in Gov tenders.
Updated 15 Dec 2025
AI Use Case Register + Accountable Official
Whole-of-gov baseline: catalogue, risk-tier, name an owner, report incidents.
Updated 20 Nov 2025
Critical Infrastructure Risk Management Program
Integrate AI into existing CIRMP under 4 hazard vectors, including cyber & personnel.
Updated 15 Oct 2025
Any APP entity
Most businesses >$3M turnover & all agencies using personal info in ADM.
Updated 30 Sept 2025
All Commonwealth agencies
Flows down to suppliers via procurement & contract clauses.
Updated 15 Dec 2025
Commonwealth + State + Territory agencies
Aligns all three tiers of Gov — suppliers face consistent requirements.
Updated 20 Nov 2025
Owners / operators of defined CI assets
Asset-specific, threshold-based (e.g. ≥30 MW generation). Also catches direct interest holders (≥10%) & some operational service providers.
Updated 15 Oct 2025
What This Means For Heavy Industry Contractors
Hit by all four. Gov policy flows down via contract. SOCI applies directly. Privacy Act on HR/pre-qual.
SOCI only if you cross the asset threshold (e.g. ≥30 MW generation). CIRMP must address AI in OT. Privacy Act still applies to hardship & workforce decisions.
Gov AI Policy + Framework flow down via procurement. Tender responses will reference AIIA.
Privacy Act on fitness-for-work, fatigue, HR. SOCI for CI assets. Framework if supplying Gov.