APP 1
Privacy Policy
A clearly expressed, up-to-date policy describing what personal information you collect, why, how it is held, and how clients can access or correct it or complain.
From 1 July 2026, Tranche 2 reporting entities lose the small business exemption. Answer a few quick questions to see where you stand.
The same law that made accountants, lawyers, conveyancers, real estate professionals and jewellers AML/CTF reporting entities also removed their Privacy Act small business exemption. Under section 6E(1A) of the Privacy Act 1988 (inserted by the AML/CTF Amendment Act 2024), a reporting entity is bound by the Australian Privacy Principles for personal information handled in connection with its AML/CTF obligations, regardless of turnover. For Tranche 2 firms that applies from 1 July 2026. The OAIC estimates this brings more than 100,000 small businesses under the Privacy Act for the first time.
In practice that means four documents most small firms have never needed before:
APP 1
A clearly expressed, up-to-date policy describing what personal information you collect, why, how it is held, and how clients can access or correct it or complain.
APP 5
What you tell a client at or before collecting their identity information for customer due diligence. The OAIC publishes a template written for reporting entities.
NDB scheme
Your prepared steps to contain, assess, notify and review if client identity data is lost or exposed, including the 30-day assessment window under the Notifiable Data Breaches scheme.
APP 11
How long you keep records (seven years for AML records under the AML/CTF Act) and when you destroy or de-identify personal information you no longer need.
For the full background, read 1 July didn't just add AML: it removed your Privacy Act exemption. AML Mate subscribers can generate starting-point drafts of all four documents from their existing setup, included in every paid plan.
Yes. Under section 6E(1A) of the Privacy Act 1988, inserted by the AML/CTF Amendment Act 2024, a small business that becomes a reporting entity is treated as an organisation bound by the Australian Privacy Principles in connection with its AML/CTF activities, regardless of turnover. The OAIC states this includes small businesses with annual turnover under $3 million.
Existing reporting entities were covered from 31 March 2026. Tranche 2 entities (accountants, tax agents, lawyers, conveyancers, real estate professionals, and dealers in precious metals and stones) are covered from 1 July 2026, the same day their AML/CTF obligations began.
Not automatically. The exemption is lifted for personal information you handle for, or in connection with, your AML/CTF obligations, such as customer due diligence and record keeping. Handling outside that connection is a separate question, although many firms find one privacy program across the whole business simpler in practice.
The core set is a privacy policy (APP 1), a collection notice given when you collect ID for customer due diligence (APP 5), a data breach response plan for the Notifiable Data Breaches scheme, and a retention and destruction schedule (APP 11). This free check tells you which ones you are missing.
No. The AML/CTF Act requires you to keep records of the information taken from the document and the verification outcome for seven years, not copies of the identity documents themselves. Under APP 11.2 you should destroy or de-identify copies once they are no longer needed.
No. The Privacy Pack prepares starting-point drafts built on OAIC and AUSTRAC published guidance, prefilled from your AML Mate setup. They are general information, not legal advice, and you should review and adapt them with a qualified adviser before relying on them.
General information about the reforms, not legal advice. Confirm how the Australian Privacy Principles apply to your specific practice with a qualified adviser.