At a glance
- Practitioners should be aware of their privacy obligations under AML/CTF (1 July 2026 commencement).
- Who is affected? Law firms with annual turnover under $3 million that provide AML/CTF designated services (typically conveyancing, business sales, company or trust structuring, managing client money, and others). Firms with an annual turnover above $3 million are already fully regulated.
- What is regulated? Personal information collected or held for the purposes of, or in connection with AML/CTF activities (Privacy Act, s.6E) — for example, client identity documents, beneficial owner records, AML risk assessment notes.
- What are the penalties? OAIC has significant enforcement powers, including fines of up to $50 million.
Note: Additional automated-decision-making disclosures commence 10 December 2026.
How do I get started?
Read the Starter Guide, then work through the four-step roadmap. The Compendium sets out the same roadmap in more detail in Chapter 13.
Resources
QLS has prepared guidance and resources to assist practitioners to understand their privacy obligations under AML/CTF.
Note: It is important that you read the guidance, consider what regulated data your firm will collect and hold, then modify all templates accordingly.
The Privacy Policy needs careful review. It must both guide and reflect your actual processes, and it should not bind your firm to deal with all personal information as if it were regulated personal information. A poorly drafted policy can extend your regulatory obligations beyond what the law requires by making general promises you will then be held to.
More on AML/CTF Privacy compliance
- Assessing the privacy impact of new systems or processes: The Privacy Impact Assessment (PIA) template document includes a threshold assessment tool to help determine when a full PIA is warranted.
- Cyber Breach Response: Effective breach response requires preparation before a breach occurs. The template Data Breach Response Plan provides a basic plan following the OAIC’s four-step approach to breach response.
- Establishing a register of regulated personal information (PI inventory): A personal information inventory is a register of the categories of personal information your firm holds, including where it is stored, how it is collected, and who has access to it. The personal information register document provides a template to get you started.
- Privacy Program Overview: This Starter Guide is a short companion to the QLS Privacy Compendium (the ‘Compendium’).
- Staff Training Program and Record Keeping: Effective privacy compliance depends on staff understanding their obligations and knowing how to apply privacy principles in their daily work.
- Your Collection Notice: While the privacy policy provides general information about your firm's privacy practices, collection notices provide specific information to individuals at the point of collection. Find out what should be included and when the notice should be provided.
- Your Privacy Policy: The privacy policy is the public face of your privacy compliance program. The Privacy Policy Template provides a privacy policy drafted specifically for small law firms providing designated services.
- Your Retention Schedule: Your retention schedule should outline your firm’s plan for document retention, having regard to the requirements of the Privacy Act, the Legal Profession Act 2007 (Qld) and the QLS Document Retention Guidance.