Important note
This information is part of our broader privacy program. You can learn more in our Privacy Program overview.
While the privacy policy provides general information about your firm's privacy practices, collection notices provide specific information to individuals at the point of collection. APP 5 requires notification at or before the time personal information is collected, or as soon as practicable afterwards.[1]
[1] Australian Privacy Principle 5.1.
When collection notices are required
Collection notices are required whenever you collect personal information unless the individual has already been made aware of the relevant matters. The trigger is collection, not the commencement of a formal retainer.
Given that many firms will conduct Client Due Diligence prior to costs disclosure and formal acceptance of the client and matter, a separate notice may be required rather than leaving it to the retainer.
We may also need to give collection notices if information is obtained from or about parties who are not clients.
For law firms, collection typically occurs when:
- A new client provides their details (initial enquiry or engagement);
- Identity documents are collected for AML/CTF purposes;
- Information about third parties (beneficial owners, witnesses, other parties) is collected;
- Someone completes a contact form on your website;
- Employee or job applicant information is collected.
Required content of collection notices
APP 5.2 specifies nine matters that must be notified at or before the time of collection:[2]
| Required Matter (APP 5.2) | What This Means for Law Firms |
| --- | --- |
| (a) Entity's identity and contact details | Your firm's name, address, and contact information |
| (b) Collection from third party: facts and circumstances | If information is obtained from someone other than the individual (e.g., beneficial owner info from company director), explain this |
| (c) Collection required by law: the law and fact of requirement | For AML/CTF collection, identify the AML/CTF Act as requiring the collection |
| (d) Purposes of collection | Explain why you are collecting the information (legal services, AML/CTF compliance, etc.) |
| (e) Consequences if not collected | Explain what happens if information is not provided (e.g., cannot provide services, cannot proceed with transaction) |
| (f) Usual disclosure recipients | Categories of third parties who typically receive the information (courts, regulators, other parties, etc.) |
| (g) Privacy policy contains access/correction information | Direct individuals to your privacy policy for information about access and correction rights |
| (h) Privacy policy contains complaints information | Direct individuals to your privacy policy for information about making complaints |
| (i) Overseas disclosure: countries if known | If information may be disclosed overseas, identify the countries (or state that countries are not known) |
[2] Australian Privacy Principle 5.2 lists the nine matters that must be notified.
Using the Collection Notice Template
The OAIC has a generic collection notice available: Template privacy collection notice for reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act (OAIC).
QLS has adapted a version of this in the form of a client-focused brochure. It also provides more context for clients as to why your firm is collecting certain information.
Timing and delivery
Collection notices should be provided at or before the time of collection, or as soon as practicable afterwards.[3]
Practical delivery methods include:
- Include in first letter;
- Include in engagement letter/costs agreement;
- Provide with identity document request;
- Display on website forms;
- Send by email when requesting;
- Provide to corporate client for distribution to beneficial owners.
[3] OAIC, Chapter 5: APP 5 — Notification of the collection of personal information, APP Guidelines (October 2025), [5.1]-[5.5] (timing of notification).