Free — no signup required

Are you ready for the Privacy Act?

From 1 July 2026, Tranche 2 reporting entities lose the small business exemption. Answer a few quick questions to see where you stand.

1. What is your industry?

Why Tranche 2 firms are now under the Privacy Act

The same law that made accountants, lawyers, conveyancers, real estate professionals and jewellers AML/CTF reporting entities also removed their Privacy Act small business exemption. Under section 6E(1A) of the Privacy Act 1988 (inserted by the AML/CTF Amendment Act 2024), a reporting entity is bound by the Australian Privacy Principles for personal information handled in connection with its AML/CTF obligations, regardless of turnover. For Tranche 2 firms that applies from 1 July 2026. The OAIC estimates this brings more than 100,000 small businesses under the Privacy Act for the first time.

In practice that means four documents most small firms have never needed before:

APP 1

Privacy Policy

A clearly expressed, up-to-date policy describing what personal information you collect, why, how it is held, and how clients can access or correct it or complain.

APP 5

Privacy Collection Notice

What you tell a client at or before collecting their identity information for customer due diligence. The OAIC publishes a template written for reporting entities.

NDB scheme

Data Breach Response Plan

Your prepared steps to contain, assess, notify and review if client identity data is lost or exposed, including the 30-day assessment window under the Notifiable Data Breaches scheme.

APP 11

Retention and Destruction Schedule

How long you keep records (seven years for AML records under the AML/CTF Act) and when you destroy or de-identify personal information you no longer need.

For the full background, read 1 July didn't just add AML: it removed your Privacy Act exemption. AML Mate subscribers can generate starting-point drafts of all four documents from their existing setup, included in every paid plan.

Privacy Act and Tranche 2: common questions

Does becoming an AML/CTF reporting entity remove the Privacy Act small business exemption?

Yes. Under section 6E(1A) of the Privacy Act 1988, inserted by the AML/CTF Amendment Act 2024, a small business that becomes a reporting entity is treated as an organisation bound by the Australian Privacy Principles in connection with its AML/CTF activities, regardless of turnover. The OAIC states this includes small businesses with annual turnover under $3 million.

When did this start for Tranche 2 firms?

Existing reporting entities were covered from 31 March 2026. Tranche 2 entities (accountants, tax agents, lawyers, conveyancers, real estate professionals, and dealers in precious metals and stones) are covered from 1 July 2026, the same day their AML/CTF obligations began.

Does the Privacy Act now cover my whole business?

Not automatically. The exemption is lifted for personal information you handle for, or in connection with, your AML/CTF obligations, such as customer due diligence and record keeping. Handling outside that connection is a separate question, although many firms find one privacy program across the whole business simpler in practice.

What privacy documents does a Tranche 2 firm need?

The core set is a privacy policy (APP 1), a collection notice given when you collect ID for customer due diligence (APP 5), a data breach response plan for the Notifiable Data Breaches scheme, and a retention and destruction schedule (APP 11). This free check tells you which ones you are missing.

Do I have to keep copies of client ID documents for seven years?

No. The AML/CTF Act requires you to keep records of the information taken from the document and the verification outcome for seven years, not copies of the identity documents themselves. Under APP 11.2 you should destroy or de-identify copies once they are no longer needed.

Are the documents AML Mate generates legal advice?

No. The Privacy Pack prepares starting-point drafts built on OAIC and AUSTRAC published guidance, prefilled from your AML Mate setup. They are general information, not legal advice, and you should review and adapt them with a qualified adviser before relying on them.

General information about the reforms, not legal advice. Confirm how the Australian Privacy Principles apply to your specific practice with a qualified adviser.

Free Privacy Act Readiness Check — AML Mate