Where we are required to and it is practicable to do so, we will seek your consent before collecting your sensitive information and inform you of the purpose at that time. Your consent to collection of your sensitive information may be implied in limited circumstances.
Where we provide designated services under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), we are required to collect identification information to verify the identity of our clients and, where applicable, beneficial owners of legal structures. This information may include:
- government-issued identification documents and details (such as passport, driver’s licence or Medicare card numbers);
- date of birth and residential address;
- information about the ownership and control of companies, trusts and partnerships, including the identity of beneficial owners, directors and officeholders;
- source of funds or source of wealth information (where enhanced due diligence is required); and
- politically exposed person (PEP) status.
How we collect personal information
Direct Collection
Where it is reasonable and practicable to do so, we collect personal information directly from you. This may occur when you:
- engage us to provide professional services;
- complete a client intake form, engagement letter or costs agreement;
- communicate with us by email, telephone, letter, video conference or in person;
- provide us with identification documents for AML/CTF verification;
- submit an enquiry through our website;
- apply for employment with us;
- register for a seminar, webinar or event hosted by us; or
- subscribe to our newsletters or publications.
Indirect Collection
In some circumstances, we may collect personal information about you from third parties, including:
- referral partners or other professional advisers who refer you to us;
- barristers, expert witnesses or other professionals engaged in connection with your matter;
- public registers and government agencies (such as ASIC, land titles offices, courts and tribunals);
- third-party electronic identity verification services used for AML/CTF compliance;
- your employer or business associates (where you are a contact person for a client entity); and
- credit check providers.
We will only collect personal information from third parties where it is unreasonable or impracticable to collect the information directly from you, you consent, or where the collection is required or authorised by law.
Purposes for which we collect, hold, use and disclose personal information
We collect, hold, use and disclose personal information for the following purposes:
Providing professional services
- providing you with legal services;
- managing your matter or engagement, including opening and maintaining client files;
- conducting conflict of interest checks;
- communicating with you about your matter or engagement;
- preparing and issuing invoices and managing trust account transactions; and
- engaging third parties (such as barristers, expert witnesses and other professional advisers) in connection with your matter.
Legal and regulatory compliance
- complying with our obligations under the AML/CTF Act, including carrying out customer identification procedures, conducting ongoing customer due diligence, monitoring transactions and fulfilling our reporting obligations to AUSTRAC;
- complying with our obligations under the Privacy Act and other applicable legislation;
- complying with our professional and ethical obligations, including under the Legal Profession Uniform Law; and
- responding to requests or directions from courts, tribunals, regulatory bodies and government agencies.
Business Operations
- internal administration, management and planning;
- quality assurance, auditing and risk management;
- staff training and professional development;
- business development, marketing and communications; and
- recruitment and human resources management.
Other Purposes
- any other purpose for which you have given your consent; and
- any directly related purpose that you would reasonably expect.
Disclosure of personal information
We may disclose your personal information to the following types of third parties:
- barristers, expert witnesses, mediators and other professional advisers engaged in connection with your matter;
- courts, tribunals, regulatory bodies and government agencies (including AUSTRAC);
- opposing parties and their legal representatives (in the course of legal proceedings or negotiations);
- our IT service providers, practice management and document management platform providers;
- our insurers and insurance brokers;
- banks and super funds;
- external accountants and auditors;
- debt recovery agents (where relevant to the recovery of outstanding fees);
- third-party electronic identity verification service providers used for AML/CTF compliance; and
- referral partners.
We will only disclose your personal information for a purpose for which it was collected (primary purpose) or for a related secondary purpose that you would reasonably expect, or where an exception under the APPs applies (including where disclosure is required or authorised by law).
Cross-border disclosure of personal information
In order to provide necessary legal services and for administrative or other business management purposes, we disclose personal information to third parties located outside Australia. Countries in which our overseas recipients may be located include India and the USA.
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information.
These steps may include entering into contractual arrangements with the recipient that require it to handle your personal information in accordance with the APPs, or satisfying ourselves that the recipient is subject to laws or a binding scheme that provides substantially similar protection to the APPs.
Direct Marketing
We may use your personal information to send you information about our services, events, publications and other matters that we consider may be of interest to you, including newsletters, client alerts, seminar invitations and legal updates.
We will only use your personal information for direct marketing where:
- we collected the information directly from you and you would reasonably expect us to use it for that purpose; or
- you have consented to receiving direct marketing communications from us.
We will not use sensitive information for direct marketing purposes unless you have consented.
Each direct marketing communication will include a simple way for you to opt out of receiving further communications. You may also opt out at any time by contacting us using the details set out below.
Data quality
We take reasonable steps to ensure that the personal information we collect, use and disclose is accurate, up to date, complete and relevant. We encourage you to contact us to update your personal information if it changes or if you believe it is inaccurate.
Government-related identifiers
We may collect government-related identifiers (such as your TFN, ABN, driver’s licence number, passport number or Medicare number) where it is reasonably necessary for our functions or activities, or where we are required or authorised by law to do so (including for AML/CTF customer identification purposes).
We do not adopt government-related identifiers as our own identifiers for clients or other individuals. We will only use or disclose government-related identifiers in the limited circumstances permitted by the APPs, including where the use or disclosure is required or authorised by law.
Security of personal information
Reasonable steps to protect personal information
We take reasonable technical and organisational measures to protect the personal information we hold from misuse, interference, loss and unauthorised access, modification or disclosure. These measures include:
- encryption of data in transit and at rest;
- access controls and role-based permissions on IT systems;
- multifactor authentication for access to systems containing personal information;
- firewalls, intrusion detection and antivirus software;
- physical security measures, including restricted access to offices and secure disposal of physical records;
- regular staff training on privacy and information security obligations;
- contractual requirements on third-party service providers to protect personal information;
- regular review and testing of information security practices; and
- any other security measures specific to the firm.
Retention and destruction
We retain personal information for as long as it is needed for the purposes for which it was collected, or as required by law. When personal information is no longer needed for any purpose for which it may be used or disclosed, and we are not required by law to retain it, we will take reasonable steps to destroy it or ensure it is de-identified.
Access to and correction of personal information
Requesting Access
You may request access to personal information we hold about you by contacting us using the details below. We will respond to your request within a reasonable period.
We will provide access in the manner you request where it is reasonable and practicable to do so. We may charge a reasonable fee for providing access to cover our costs in locating and providing the information, but we will not charge you for making the request.
When we may refuse access
In limited circumstances, we may refuse to provide access to personal information. These circumstances include where:
- providing access would pose a serious threat to the life, health or safety of any individual or to public health or safety;
- providing access would have an unreasonable impact on the privacy of other individuals;
- the request is frivolous or vexatious;
- the information relates to existing or anticipated legal proceedings and would not be accessible through the discovery process;
- providing access would reveal our intentions in negotiations with you in a way that would prejudice those negotiations;
- providing access would be unlawful (for example, where disclosing the information would breach the tipping-off provisions of the AML/CTF Act);
- denying access is required or authorised by law;
- we have reason to suspect unlawful activity or serious misconduct and providing access would prejudice our ability to take appropriate action; or
- providing access would prejudice enforcement-related activities conducted by or on behalf of an enforcement body.
If we refuse access, we will provide you with a written notice setting out the reasons for the refusal (to the extent it is reasonable to do so) and the mechanisms available to you to make a complaint.
Requesting correction
You may request that we correct personal information we hold about you if you believe it is inaccurate, out of date, incomplete, irrelevant or misleading. We will respond to your request within a reasonable period. There is no charge for requesting a correction or for us to make the correction. If we refuse to correct your personal information, we will provide you with a written notice setting out the reasons for the refusal and the complaint mechanisms available to you. If you request it, we will take reasonable steps to attach a statement to the information noting that you believe it to be inaccurate, out of date, incomplete, irrelevant or misleading.
Website, cookies and analytics
When you visit our website, we may collect information about your visit, including:
- your IP address and browser type;
- the pages you access and the time spent on each page;
- the website from which you were referred to our site; and
- information collected through cookies and similar technologies.
We use cookies to improve your experience on our website, to analyse website traffic and to understand how visitors use our site. You can manage your cookie preferences through your browser settings. Disabling cookies may affect your ability to use certain features of our website.
We use Google Analytics to collect and analyse information about how visitors use our website. Google Analytics uses cookies to collect information, which is transmitted to and stored by Google on servers that may be located outside Australia, including in the United States. For further information about how Google handles data collected through Google Analytics, see Google’s privacy policy.
Automated decision-making
We do not currently use automated decision-making systems that make decisions or do things substantially and directly related to making decisions, that could reasonably be expected to significantly affect the rights or interests of individuals.
Notifiable Data Breach Response
If we become aware of a data breach involving your personal information that is likely to result in serious harm, we will comply with our obligations in accordance with the Privacy Act 1988, as well as any applicable obligations that arise from the Notifiable Data Breaches Scheme.
How to make a complaint
Contacting us
If you have any questions about this privacy policy, or if you wish to request access to or correction of your personal information, please contact us:
Privacy contact: The Privacy Officer
Email: privacy@aitken.com.au
Telephone: +613 8600 6000
Postal address: Level 28, 140 William Street, Melbourne VIC 3000
Complaints
If you are dissatisfied with how we have dealt with your personal information, or you have a complaint about our compliance with the Privacy Act, please contact us on the details above. We will usually acknowledge your complaint within seven days and provide you with a substantive response to your complaint within 30 days.
If you are dissatisfied with our response, you may make a complaint with the Office of the Australian Information Commissioner (OAIC) at enquiries@oaic.gov.au or on 1300 363 992. Further information is available on the OAIC’s website at https://www.oaic.gov.au/.
Changes to this privacy policy
We may update this privacy policy from time to time to reflect changes in our practices, legal requirements or business operations. The updated policy will be published on our website. We encourage you to review this policy periodically.
This privacy policy was approved by the Aitken Partners Board on 10 June 2026.