Why we built the AML Privacy Toolkit for Property Practices

On 1 July 2026, Australia's Tranche 2 AML/CTF reforms commenced. Law firms and conveyancing practices that carry out property transactions are now reporting entities under the AML/CTF regime and, for the first time, subject to the Privacy Act regardless of turnover.

For most small practices, that is two new compliance frameworks arriving at once, with no compliance team to absorb them. In a typical property practice, the principal wears the compliance hat alongside everything else.

Built with the profession, for the profession

Law & Cyber developed the AML Privacy Toolkit for Property Practices in consultation with the Australian Institute of Conveyancers NSW Division (AICNSW), to give its members a practical, ready-to-implement set of documents covering the privacy obligations that arrive with reporting entity status, built around the way property practices actually work.

Working through that process made something else clear: the compliance gap is not unique to conveyancing. Accountants and other newly regulated professions are facing the same obligations with the same limited resources. So we are extending the Toolkit, and the training that sits alongside it, into a series for regulated practices across professions.

Designed to be implemented, not filed

The Toolkit is written for sole practitioners and small practices, in plain language, with little assumed knowledge of privacy law. It contains eight ready-to-use templates, from a client-facing Privacy Collection Notice and website Privacy Policy through to a Data Breach Response Plan, disclosure register and destruction schedule, plus two plain-language guides explaining what the law requires and the order in which to put each document in place. Most of the priority steps can be completed within a working day.

It also deals squarely with the points where the two regimes intersect in daily practice, including the handling of identity documents, record-keeping and retention, and the strict confidentiality rules around Suspicious Matter Reports.

The Toolkit also covers ground most compliance packages ignore: overseas clients. Australian property transactions regularly involve buyers and sellers located in the United Kingdom or Europe, and UK and European privacy laws can apply to a practice acting for them. The pack includes a dedicated GDPR privacy notice for EU and EEA clients, and builds the question of a client's location into standard onboarding, so any additional obligations are identified at the start of the matter rather than discovered later.

A notice on its own is not compliance

Publishing a privacy policy and handing clients a collection notice is not, by itself, Privacy Act compliance. APP 1 requires the internal practices, procedures and systems that make the policy real, and APP 11 requires reasonable steps to protect personal information from misuse, loss and unauthorised access. A practice must also live up to what its documents say: privacy and collection notices that do not accurately reflect what the practice actually collects and retains, and why, could be a liability rather than a defence.

The Federal Court's first civil penalty decision under the Privacy Act, Australian Information Commissioner v Australian Clinical Labs Ltd (No 2), makes the point. The Court ordered that the company pay a $5.8 million penalty in circumstances where inadequate security controls and the absence of an appropriate, tested data breach response plan were found to have amounted to a failure to take reasonable steps under APP 11, alongside findings of failures to assess and notify a data breach promptly.

A penalty regime with real teeth

We are conscious of the burden these reforms place on small firms - but the Privacy Act now carries a three-tier penalty framework that small practices need to be aware of. Administrative failures, including not having a privacy policy that meets the Act's requirements, can attract infringement notices of up to $330,000 per contravention for a corporation, and the OAIC does not need to go to court to issue one. Interference with privacy carries civil penalties of up to $3.3 million for a corporation. Serious or repeated interference carries penalties of up to the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted annual turnover, with a maximum of $2.5 million for an individual. Documented, implemented privacy governance is the foundation of a defensible position.

What's next

A companion CPD-eligible online course, AML & Privacy Essentials for Property Practices, is in production. It will give every member of a practice, including administrative and support staff, a clear working understanding of the new obligations. Details will be announced when it goes live.

Access

Business owner members of AICNSW can access the Toolkit through their association. Access for AIC members in Tasmania and the Northern Territory is coming soon.

Full details of the Toolkit are here: AML Privacy Toolkit for Property Practices.

Next
Next

Privacy concerns for Tranche 2 entities