Your firm is probably already breaking the Privacy Act with AI. You have until December 10 to fix it.

OrionX Team
25 May 2026

If your team uses ChatGPT, Copilot, Claude, or any AI tool to help with client work — and most accounting and SMSF firms now do — there's a Privacy Act obligation coming into force on 10 December 2026 that almost nobody is talking about.

The part that catches people out: the obligation sits with your firm, not the vendor. You can't contract it away in a Microsoft or OpenAI agreement, no matter what the salesperson said.

What's actually changing

The Privacy Act reforms passed in late 2024 introduced an Automated Decision-Making transparency rule. From 10 December 2026, if your firm uses an AI system to make, or substantially contribute to, decisions that affect individuals, your privacy policy has to disclose it.

"Substantially contribute" is doing a lot of work in that sentence. The OAIC's position is that it covers things like using AI to triage client matters, flag audit anomalies, draft advice summaries or SOAs, or score and filter applications.

If anyone in your firm has ever pasted a client's super balance into ChatGPT to ask it to draft a contribution strategy summary, you're in scope. The fact that a human reviews the output afterwards doesn't get you out. The rule covers AI that "substantially contributes" to a decision, not just AI that makes one alone.

Why this is bigger than a privacy policy update

APES 320 already requires a written AI use policy for accountants. If your firm doesn't have one, you're already non-compliant with your professional standards, before the Privacy Act even kicks in.

PI insurers are starting to add AI questions to renewal questionnaires. A "we don't know" answer is the kind of thing that gets cited after a claim, when an adjuster is trying to figure out whether the policy should pay.

There's also a US case worth knowing about. A federal court ruled in February 2026 that AI-processed documents may lose legal professional privilege. That decision doesn't bind Australian courts, but it's the kind of reasoning that travels. The same logic could apply to accountant-client confidentiality in the right test case.

What a sensible response actually looks like

Getting this right isn't hard, but it does need to happen on purpose.

The first thing is dealing with shadow AI. Your staff are using ChatGPT and Claude already. The only real question is whether they're doing it inside your controls or outside them. A free personal account on a home laptop is the worst version. Client data leaves your environment and you have no audit trail if something goes wrong.

Then the policy needs to exist on paper. A two-page AI Use Policy covering approved tools, what data can go where, who reviews outputs, and what gets logged is enough to satisfy APES 320 and gives you something to point at when your PI insurer or the OAIC asks.

The third piece is consolidation. A properly configured Microsoft 365 tenant with Copilot, with data residency settings and audit logging turned on, will do more for your compliance position than ten different AI tools used ad-hoc. Same goes for Google Workspace with Gemini if that's your stack.

And then the privacy policy itself needs updating. Before December, not on December 10.

Where firms actually get stuck

The policy isn't usually the hard part. The audit is.

The hard part is working out what your team is actually using right now, what client data has already left your environment over the last 18 months, and which of those gaps matter most. That's the work most firm owners haven't done, and it's genuinely hard to do from the inside, because the people who could tell you the truth are also the people who'd be admitting they pasted client data into ChatGPT last Tuesday.

This is the kind of work we do at OrionX for accounting and SMSF firms across Australia. If you'd like to talk through where your firm sits before December, contact us.

Tags

Privacy Act, AI compliance, accounting firms, SMSF, APES 320, automated decision-making, ChatGPT, Microsoft Copilot
OrionX Team, Technology & Compliance Consultants
