
New resources to understand, implement AML/CTF privacy obligations

The anti-money laundering reforms will draw many small practices into the Privacy Act for the first time.

The Queensland Law Society has produced materials to help practitioners with the changes from 1 July 2026. 

What has changed?

Until now, many small law firms have not needed to comply with the Privacy Act 1988 (Cth) (Privacy Act). As businesses with annual turnover of less than $3 million, they were largely exempt. 

That changes on 1 July 2026 for any firm that supplies one or more “designated services” within the meaning of the AML/CTF regime.

Not all data will be regulated 

The Privacy Act generally regulates dealings with “personal information”. For small law firms under the turnover threshold, the regulated information will be limited to personal information collected for the purposes of, or in connection with, their AML/CTF obligations. 

In practical terms this means that the AML-related subset of the personal information a firm holds becomes regulated by the Australian Privacy Principles (see below); the rest does not. 

Personal information collected both for AML purposes and for another reason (such as client identity documents) is also regulated. 

Designated services – remind me about those again? 

Designated services are defined in the AML/CTF legislation. In broad terms, they include assisting with the purchase or sale of real estate, the sale or transfer of a business or shares, managing a client’s money or property, helping to create or manage trusts and companies, and assisting with the appointment of directors and trustees. 

Several common activities are excluded, including giving legal advice, representing a client in proceedings, and certain trust-account disbursements made on instructions. For more information, see Anti-Money Laundering frequently asked questions – Queensland Law Society and the AUSTRAC website.

What does the Privacy Act require? 

The Privacy Act requires any business that collects or holds regulated information to do so in accordance with the Australian Privacy Principles (“APPs”). For a small law firm, the most relevant APPs are: 

Collection: 

  • APP 1 (a clear, current privacy policy and documented practices)  
  • APP 3 (collect only what is reasonably necessary)  
  • APP 5 (tell people what you collect and why) 

Use: 

  • APP 6 (use it only for the purpose for which it was collected)  
  • APP 11 (keep it secure, and destroy or de-identify it when it is no longer needed)  

Access and correction: 

  • APP 12 (give people access to the personal information you hold about them) and 
  • APP 13 (correct personal information on request, including for non-clients). 

To support compliance, the business should appoint a Privacy Officer, adopt appropriate policies, and train staff in what is expected of them. It must also take “reasonable steps” to protect information through appropriate cybersecurity measures. Substantial penalties apply for non-compliance. 

AML/CTF Privacy compliance video

QLS Privacy, Data, Technology and Intellectual Property Committee Chair Anna Sharpe provides an overview of the key issues.

To complement this video, the following overview outlines key concepts and where to find further guidance.

QLS AML/CTF Privacy Toolkit

QLS has prepared a privacy toolkit with all the elements needed to put a basic compliance system in place: 

For an outline of the changes and what needs to be done, see the Privacy Program Overview – Queensland Law Society, which sets out a basic four-step implementation program. 

The toolkit also includes the template documents you will need. Together, they help you implement each part of the process: a privacy policy, a collection notice, a personal information inventory, a retention schedule, a breach response plan, a privacy impact assessment framework, and a staff training framework. 

While the work needed to adapt the templates to your practice needs is not onerous, you should still read them carefully to ensure that what you do on the ground matches what you say you will do on paper. 

Supporting these resources is a compendium that walks you through each step in detail.

Cybersecurity  

Security deserves particular attention. APP 11 requires “reasonable steps” to protect confidential information, as do our ethical obligations to clients. The cost and disruption associated with data loss or intrusion also make a basic investment in cybersecurity a sound business decision. 

To get started, consider the SMB 1001 program designed for small businesses. If your cybersecurity is already strong, you may also wish to consider other frameworks, such as the ACSC’s Essential Eight.

What to do now 

  • Read the starter guide; 
  • Decide who your Privacy Officer will be;
  • Download the templates;
  • If you need further information, refer to the compendium; 
  • If you still have questions, contact the QLS Ethics Centre. 

Further resources 
