This Starter Guide is a short companion to the QLS Privacy Compendium (the ‘Compendium’). The Compendium summarises guidance from the Office of the Australian Information Commissioner (OAIC), AUSTRAC and other sources in enough detail to understand basic obligations. For most purposes you will not need to read the entire Compendium, only the chapters that relate to your specific task.
What has changed?
Until 1 July 2026 the Privacy Act largely left small law firms alone: most firms operate within the small-business exemption, which turns principally on turnover. The Act has always regulated AML reporting entities, but until 2026 most law firms did not fall into that category. Now many will.
For a firm under the turnover threshold, the practical effect is a partial withdrawal of the exemption: some of your information is in scope, the rest is not. A firm over the threshold is Privacy Act regulated and has been for some time.
The Privacy Act does not regulate all of an organisation’s data holdings, only “personal information.” For firms otherwise within the small business exemption, only the AML-related subset of personal information will be regulated. The term “regulated personal information” does not appear in the Act, but in practical terms that is what we are concerned with, and references to personal information in this Guide should be read accordingly. Personal information collected for a dual purpose (identity documents to comply with both ARNECC/PEXA rules and AML/CTF, for example) is regulated.
Regulated personal information must be collected and managed in accordance with the Australian Privacy Principles (“APPs”).
In one sense the entirety of a solicitor’s file is relevant to AML activity – you must monitor the whole transaction as it unfolds to watch for money laundering red flags. On current indications, the OAIC does not appear to regard this broader use as falling within the definition.
Designated services — the trigger
Whether your small firm is AML regulated and therefore Privacy regulated depends on whether you provide any ‘designated services.’ Designated services are set out in Table 6 of the AML/CTF Act. The broad categories are:
- Assisting in the planning or execution of a transaction to buy or sell real estate (conveyancing).
- Assisting in the planning or execution of a transaction to buy, sell or transfer a business or shares.
- Managing a client’s money, securities or other property.
- Assisting in the creation, operation or management of trusts, companies or similar structures.
- Acting as or arranging for another person to act as a nominee director, secretary or shareholder.
Several common legal activities are excluded: providing legal advice only, representing a client in court or tribunal proceedings, and trust account disbursements made on client instructions in connection with legal services. A firm that does only family-law litigation, for example, might escape providing designated services — but a single activity in scope can change that. There is no de minimis exemption: providing even one designated service on one occasion brings the firm into both regulatory systems.
While the core designated service classes and exemptions are clearly defined, there are many uncertainties in the edge cases. A quick analysis of the basics, followed by an assumption that your firm is not regulated, may prove an expensive mistake.
The changes are modest but important
Privacy compliance does not fundamentally change what you currently do. It sits alongside a solicitor’s established duties of confidentiality and the rules protecting legal professional privilege. But a firm that has always maintained strict confidentiality is not automatically privacy-compliant: privacy law has a different focus and imposes proactive duties (notification, security, individual access rights) that confidentiality does not, and it imposes duties to non-clients. Existing policies (how long you keep files, for example) will likely need to be updated.
The seven core documents and policies
A basic compliance program is built around seven template documents in the Privacy Toolkit. Each is keyed to a specific obligation under the APPs or the Notifiable Data Breaches scheme, and each is explained in detail in the corresponding chapter of the Compendium.
Important note
Simply putting your firm’s name on a template policy is not sufficient. The policy must reflect and guide your actual, real-world data collection and handling practices, which means both establishing the compliance program and maintaining it over time. A system for dealing with access requests and privacy complaints is mandatory, for example. The Privacy Policy needs careful review: it must both guide and reflect your actual processes, and it should not bind your firm to deal with all personal information as if it were regulated personal information. A poorly drafted policy can extend your regulatory obligations beyond what the law requires by making general promises you will then be held to.
| No. | Document | Purpose | Compendium ref. |
|---|---|---|---|
| 01 | Privacy Policy | Reflects and explains how the firm handles regulated personal information. | Ch. 10 |
| 02 | Collection Notice | Tells individuals what you collect and why. | Ch. 11 |
| 03 | PI Inventory | Register of regulated information you hold. | Ch. 12.1 |
| 04 | Retention Schedule | What you keep, and for how long. | Ch. 12.2 |
| 05 | Breach Response Plan | Four-step procedure under the NDB scheme. | Ch. 15 |
| 06 | PIA Framework | Checklist to assess the privacy impact of new systems or processes. | Ch. 5.2 |
| 07 | Training Framework | Staff training program and records. | Ch. 17 |
The templates are starting points — each contains bracketed placeholders that must be replaced, and each will need at least some firm-specific tailoring. Drafting notes included in the documents should be deleted once appropriate selections are made.
What are APPs and what do they require us to do?
The Australian Privacy Principles are thirteen rules in Schedule 1 of the Privacy Act 1988 (Cth) that cover the complete lifecycle of personal information — from how it is collected, through how it is used, stored, and destroyed, to how individuals can access and correct it. All thirteen apply to an APP entity, but six will do most of the day-to-day work in a small or medium law firm context:
| APP | What it asks the firm to do |
|---|---|
| APP 1: Open and transparent management | Have a clearly expressed, up-to-date privacy policy and documented practices, procedures and systems to ensure compliance. |
| APP 3: Collection | Collect personal information only where reasonably necessary for the firm’s functions; sensitive information requires consent or a specific exception. |
| APP 5: Notification | Tell individuals what you are collecting, why, who you might disclose it to, and how to access it or complain, at or before the time of collection. |
| APP 6: Use and disclosure | Use the information only for the primary purpose for which it was collected, unless an exception applies. |
| APP 11: Security | Take reasonable steps to protect information from misuse, loss and unauthorised access; destroy or de-identify it when it is no longer needed. |
| APPs 12 and 13: Access and correction | On request, give individuals (including non-clients) access to their personal information, and correct it where it is inaccurate, out of date, incomplete or misleading, subject to important exceptions. |
Honourable mention: APP 8 imposes additional obligations before regulated personal information is disclosed to an overseas recipient, and likely overseas disclosure must also be flagged in your collection notice under APP 5. This is engaged, for example, if you use a virtual assistant or software that processes data outside Australia.
Some of these obligations are framed in terms of ‘reasonable steps’ — a proportionate standard that takes into account the size of the firm, the sensitivity of the information held, and the practicability of the measure. A small firm is not expected to operate like a major institution, but it is expected to take steps that are genuine and proportionate to the risks posed and the resources available.
The four-step roadmap
If you set aside time to give the issue your undivided attention, a few hours a week for four weeks should be enough, provided your cybersecurity is already at a reasonable standard. If it is not, expand Phase 3 and start the cybersecurity workstream in Phase 1.
Phase 1
- Confirm whether the firm provides designated services.
- Appoint a Privacy Officer (usually a Principal).
- List the regulated personal information you collect.
- Block calendar time to get the basics in place by 1 July 2026.
Phase 2
- Customise the Privacy Policy.
- Customise the Collection Notice(s).
- Finalise the PI Inventory and Retention Schedule.
- Develop the Breach Response Plan and run the threshold PIA.
Phase 3
- Publish the Privacy Policy on the firm website.
- Roll out collection notices via engagement letters and ID requests.
- Update intake forms, file-destruction protocols and onboarding.
- Deliver a short training session and record attendance.
- Review cybersecurity; consider SMB1001 certification.
Phase 4
- Identify and diarise any residual gaps.
- Principal sign-off on readiness.
- Schedule cybersecurity improvement work and an IT review.
- Diarise an annual privacy review.
A law firm’s Achilles heel: cybersecurity
APP 11 requires reasonable steps to protect regulated personal information. For a law firm holding identity documents[*] and highly sensitive information, ‘reasonable’ sets a high bar.
The cost and damage of a cyber-attack also make an investment in information security a very good idea irrespective of regulatory obligations.
Most firms benefit from working towards SMB1001 certification, or from using a recognised framework such as the NIST Cybersecurity Framework or the ACSC Essential Eight. Certification not only lets firm Principals satisfy themselves that the firm is moving in the right direction, but also provides objective evidence of its cyber-readiness to clients and regulators if called upon.
[*] Ideally you should not keep full copies of ID documents; do so only where your safe-harbour obligations for ARNECC/PEXA VOI require it.
Common questions
Can we avoid AML and privacy regulation simply by deciding not to provide designated services?
No. A general intention not to do so must be backed by a strong guardrail ensuring that your firm does not accidentally move into the AML sphere. This requires both firm Principals and all staff to have a very good understanding of what is and is not regulated, and a comprehensive onboarding system to screen out the provision of designated services. Also ensure that any request to expand your scope of work in a matter is carefully considered (signing a Guarantor’s Certificate, for example).
What about larger firms over the turnover threshold?
Larger firms are already Privacy Act regulated and have been since the Act was extended to the private sector. For those firms, all personal information is in scope (not only AML/CTF information), and the templates in this toolkit are not appropriate. The structure of the implementation roadmap is the same, but the scope of what each document covers is wider and the “reasonable steps” required to comply will be more demanding.
Should we simply treat all personal information as regulated?
Possibly, but the decision should be deliberate. Running parallel regimes for ‘regulated’ and ‘unregulated’ personal information can be administratively painful, and some firms will sensibly apply privacy-grade security and retention practices to everything.
What you must avoid is accidentally opting in by publishing a Privacy Policy or Collection Notice that does not make the scope clear. The template Privacy Policy is drafted with the partial exemption in mind; do not strike out the scope clause without thinking about the consequences. (See Compendium Chapter 2.1, p. 9.)
How long should we keep files and identity documents?
A particular focus of the OAIC is that businesses (particularly professional firms) do not collect potentially damaging data they do not need and do not keep it any longer than they have to. This is hard to reconcile with the expectation that solicitors collect and retain evidence that might be needed later, potentially much longer than the usual minimum mandatory retention period of 7 years. For this reason a balance must be struck, your decision documented, and a system for disposing of excess information implemented.