Ellison-Whyte Law Pty Ltd (ABN 84 491 886 866) (we, us, our) is an Australian legal practice based on the Mornington Peninsula, Victoria, admitted to practise in the Supreme Court of Victoria and the High Court of Australia. We are committed to protecting the privacy of our clients, prospective clients, website visitors, and all individuals whose personal information we handle.
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information, and sets out the rights you have in relation to that information. It should be read together with our Costs Agreement and Complaints Handling Policy.
By engaging our services or using our website at ellisonwhytelaw.com.au, you acknowledge that you have read this Policy and agree to the collection and use of information in accordance with it.
The collection, use, and handling of personal information by Ellison-Whyte Law Pty Ltd is governed by, or subject to, the following legislation:
Where we hold or process personal data of individuals who are nationals of, or physically located in, the European Union or United Kingdom, we acknowledge the potential application of the General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK General Data Protection Regulation (UK GDPR) as applicable. Please see Section 10 of this Policy for further information.
We collect personal information that is reasonably necessary for the provision of legal services and the operation of our practice. The type of information we collect depends on the nature of your matter.
Full legal name, date of birth, and gender
Residential and postal addresses
Email addresses and telephone numbers
Government-issued identification documents (driver's licence, passport, Medicare card)
In the course of providing family law, estate planning, and other legal services, we may collect information that is classified as sensitive information under the Privacy Act 1988 (Cth). This includes health information, information about family violence, and financial hardship information. We collect sensitive information only where it is reasonably necessary for your matter and, where required by law, with your consent. We take additional care in handling and protecting sensitive information.
As required by the AML/CTF Act, we collect and verify identity information for clients before commencing designated services. Please see Section 6 of this Policy for full details of our AML/CTF obligations and procedures.
Name and contact details submitted via our website contact forms or online booking system
IP address, browser type, and website usage data collected via cookies and analytics tools (see Section 9)
Records of communications with us by email, telephone, or online platforms
We collect personal information in the following ways:
Where it is lawful and practicable, you may interact with us anonymously or using a pseudonym — for example, when making a general enquiry. However, we are unable to provide legal services without confirming your identity, and our AML/CTF obligations require us to verify your identity before commencing certain services.
We use personal information collected for the following purposes:
We will not use your personal information for any purpose other than those described in this Policy or disclosed to you at the time of
collection, without your consent or as otherwise permitted or required by law.
Where you have consented to receive marketing communications from us — such as newsletters, legal updates, or service information — we may contact you by email or other electronic means. You may withdraw your consent and opt out of receiving marketing communications at any time by:
We will process opt-out requests promptly. Opting out of marketing communications will not affect our ability to contact you in relation to your legal matter.
We may disclose your personal information to third parties in the following circumstances:
We do not sell, rent, or trade your personal information to third parties for marketing or commercial purposes.
Ellison-Whyte Law Pty Ltd is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), as amended by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth). The Tranche 2 reforms, which extended the AML/CTF regime to legal practitioners, became operative on 1 July 2026. We enrolled with AUSTRAC in accordance with our obligations.
As a reporting entity, we are regulated by the Australian Transaction Reports and Analysis Centre (AUSTRAC) and are required to maintain a written AML/CTF Program, appoint an AML/CTF Compliance Officer at management level, conduct customer due diligence, monitor client relationships on an ongoing basis, and report certain transactions and suspicious matters to AUSTRAC.
The AML/CTF Act does not regulate legal practitioners as a profession — it regulates specific designated services. Based on our practice areas, the designated services provided by Ellison-Whyte Law Pty Ltd that trigger AML/CTF obligations include:
AML/CTF obligations can arise before a transaction is completed, including during preparatory and organisational steps. If you are unsure whether a particular service we are providing triggers these obligations, please ask us.
Before we commence work on your matter involving a designated service, we are required by law to verify your identity. This process is known as Customer Due Diligence (CDD). We cannot commence work until CDD is satisfied — this requirement applies to all clients regardless of the nature or value of their matter or their prior relationship with us.
As part of our CDD process, we will ask you to provide:
We may use a third-party electronic identity verification service to assist with this process. Information collected for CDD purposes is handled securely and used only for the purposes of identity verification and AML/CTF compliance.
We maintain a written AML/CTF Program as required by the AML/CTF Act. The Program consists of:
Our AML/CTF Program has been approved by the Principal of the firm and is reviewed and updated regularly to reflect changes in our risk environment and regulatory guidance.
We are required to monitor our client relationships on an ongoing basis to identify any changes in risk profile, or transactions or patterns of behaviour that are inconsistent with the nature of the matter or the client's known profile. This may involve requesting updated identification or additional information during the course of your matter. We appreciate your cooperation with these requests.
In certain circumstances, we are required by law to submit reports to AUSTRAC. These obligations are mandatory and cannot be waived by client consent. They include:
Where we submit a report to AUSTRAC, we are legally prohibited under the tipping-off provisions of the AML/CTF Act from disclosing to you that a report has been made, or providing any information that would identify that a report has been or may be made. This prohibition is absolute — it applies regardless of your relationship with us.
The making of a report to AUSTRAC does not constitute an accusation of wrongdoing. Our reporting obligations are a mandatory feature of the regulatory framework that applies to all legal practitioners providing designated services from 1 July 2026.
In circumstances where we are unable to complete our CDD process, where you decline to provide information required for CDD, or where we form the view that proceeding with a matter would place us in breach of our AML/CTF obligations or other legal duties, we reserve the right to decline to act or to cease acting for you. Where possible, we will advise you of this decision and, where appropriate, assist you to obtain alternative legal representation. In some circumstances our obligations may prevent us from explaining the reasons for our decision.
We take the security of your personal information seriously. We store personal information in a combination of secure digital systems and, where required, physical records. Our security measures include:
We retain personal information for as long as required by law, our professional obligations as legal practitioners, or the nature of your matter — generally a minimum of 7 years following the conclusion of a matter, in accordance with professional obligations under the Legal Profession Uniform Law (Victoria).
AML/CTF records (including identity verification documents and transaction records) are retained for a minimum of 7 years from the date the relevant designated service was last provided, as required by the AML/CTF Act.
When personal information is no longer required, we take reasonable steps to destroy or permanently de-identify it securely.
In the event of a data breach that is likely to result in serious harm to any individual, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
We primarily hold and process personal information in Australia, and where possible we endeavour to ensure that data is stored on servers located in Australia. In limited circumstances, personal information may be held on or transmitted through servers located overseas — for example, where we use cloud-based services or software with infrastructure that spans multiple jurisdictions, or where a matter involves a party or institution located overseas.
Where we disclose personal information to an overseas recipient, we take reasonable steps to ensure that the recipient handles that
information in a manner consistent with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), in accordance with our
obligations under APP 8. In some circumstances, we may seek your consent to a specific cross-border disclosure.
Our third-party service providers and their known data storage positions are set out below. We note that server locations and data storage
arrangements can change, and we take reasonable steps to monitor and review these arrangements:
LEAP (practice management) — data is hosted in Australia by LEAP Legal Software Pty Ltd; LEAP maintains ISO 27001
certification and stores Australian client data on Australian servers where available.
Xero (accounting) — data may be stored on servers in Australia, the United States, or other jurisdictions depending on the
service tier; Xero is subject to the New Zealand Privacy Act 2020 and applicable Australian privacy law.
PEXA (electronic settlements) — operates as an Australian-regulated electronic conveyancing network; data is held in
Australia.
Settify (client intake) — an Australian-based legal technology platform; data is held in Australia. InfoTrack (searches and
identity verification) — an Australian company; data is held and processed in Australia.
LawConnect (client portal) — an Australian legal technology platform operated by InfoTrack; data is held in Australia.
InfoTrack (legal technology and SaaS company) - that provides integrated e-conveyancing, e-filing, and compliance
solutions for legal, property, accounting, and financial professionals.
Microsoft 365 (email, documents, Teams, OneDrive) — Microsoft may store and process data across multiple jurisdictions
including Australia, the United States, and other regions depending on the Microsoft 365 tenancy configuration and the specific service
used. Microsoft is subject to the EU-US Data Privacy Framework and provides standard contractual clauses for cross-border data
transfers. We take reasonable steps to ensure these providers maintain appropriate security and privacy standards. Where we become
aware of a material change to a provider’s data storage arrangements that may affect your personal information, we will update this Policy
accordingly.
Our website at ellisonwhytelaw.com.au may use cookies and similar tracking technologies to improve your user experience and collect analytics data about how visitors use our site. This may include:
You can disable or manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of some features of our website.
Our website may contain links to third-party websites, including booking systems and legal information platforms. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies independently before providing any personal information.
This section applies where we hold or process personal data of individuals who are nationals of, or physically located in, a European Union member state or the United Kingdom at the time their personal data is collected or processed. The General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK General Data Protection Regulation (UK GDPR) may apply to the processing of such personal data by Ellison-Whyte Law Pty Ltd, including where that processing occurs in Australia.
This section supplements — and does not replace — the remainder of this Privacy Policy. Where there is any inconsistency between this section and the rest of this Policy in relation to EU or UK individuals, this section prevails.
We may provide legal services to European or UK nationals who are living in, visiting, or conducting transactions in Australia. We may also
act in matters that involve counterparties, beneficiaries, or entities located in the EU or UK. In each of these circumstances, GDPR or UK
GDPR obligations may be engaged, and we handle that personal data accordingly.
For the purposes of the GDPR and UK GDPR, Ellison-Whyte Law Pty Ltd acts as a data controller in respect of personal data we collect directly from you or determine the purposes and means of processing for your matter. Where we engage third-party service providers to process personal data on our behalf, those providers act as data processors and are required to comply with our instructions and applicable data protection obligations.
Where the GDPR or UK GDPR applies, we process personal data on one or more of the following lawful bases:
Subject to applicable conditions and exemptions, individuals covered by this section may exercise the following rights by contacting us using the details in Section 13:
We will respond to rights requests within 30 days of receipt. Where a request is complex or numerous, we may extend this period by a further two months and will notify you accordingly. We will not charge a fee for responding to a request unless it is manifestly unfounded or excessive.
Some rights are subject to limitations. In particular, our obligations to retain records under the AML/CTF Act and as legal practitioners under the Legal Profession Uniform Law (Victoria) may limit your right to erasure in relation to matter files and identity verification records. We will advise you where any such limitation applies.
Where we process personal data of EU or UK individuals, that data will ordinarily be transferred to and processed in Australia. Australia has not received a formal adequacy decision under the EU GDPR framework. Where such a transfer occurs, we implement appropriate safeguards, which may include:
We take reasonable steps to ensure that transfers of personal data to third-party service providers are subject to appropriate safeguards consistent with our obligations under the GDPR and UK GDPR. Please refer to Section 8 of this Policy for details of our named service providers and their known data storage arrangements.
If you are located in the EU and consider that we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the supervisory authority in your EU member state of residence or the member state where the alleged infringement occurred.
If you are located in the UK, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk or by telephone on 0303 123 1113.
We would always prefer the opportunity to address your concerns directly before you contact a supervisory authority. Please contact us first using the details in Section 13.
You have the right to request access to the personal information we hold about you, and to request correction of any information that is inaccurate, incomplete, or out of date. To make a request, please contact us in writing using the details in Section 13.
We will respond to access and correction requests within 30 days. We will not charge a fee for making a request, but may charge a reasonable fee to cover the administrative cost of providing access in complex cases — we will advise you of any such fee before proceeding.
In limited circumstances, we may decline to provide access or refuse to make a correction — for example, where doing so would be contrary to our professional obligations or legal duties, would reveal confidential information about a third party, or where an exemption applies under the Privacy Act 1988 (Cth). Where we decline, we will advise you in writing and explain the applicable reason or exemption.
If you have a concern about how we have handled your personal information, we encourage you to contact us directly in the first instance using the details in Section 13. Please also see our Complaints Handling Policy for our full complaints process.
We will acknowledge your privacy concern within two business days and aim to provide a substantive response within 10 business days.
If you remain dissatisfied after raising your concern with us, you may contact:
Office of the Australian Information Commissioner (OAIC): oaic.gov.au | 1300 363 992
Victorian Legal Services Commissioner (VLSC): lsc.vic.gov.au | 1300 796 344
For EU individuals: the supervisory authority in your EU member state of residence
For UK individuals: the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113
For any privacy-related enquiries, rights requests, or concerns, please contact:
Sue Ellison-Whyte
Principal and AML/CTF Compliance Officer
Ellison-Whyte Law Pty Ltd | ABN 84 491 886 866
Shop 2, 3056 Frankston-Flinders Road, Balnarring VIC 3926
Email: sue@ellisonwhytelaw.com.au
Phone: 03 5908 3732
Website: ellisonwhytelaw.com.au
Ellison-Whyte Law Pty Ltd uses artificial intelligence (AI) tools selectively to support the delivery of legal services, improve the efficiency of our practice operations, and enhance the quality of our work. We are committed to using AI responsibly, in accordance with our professional obligations, and in a manner that protects the confidentiality and privacy of our clients at all times.
Our use of AI tools is consistent with the joint statement on the use of artificial intelligence in Australian legal practice issued on 6 December 2024 by the Law Society of New South Wales, the Legal Practice Board of Western Australia, and the Victorian Legal Services Board and Commissioner (Joint AI Statement), and the LIV’s Guideline on Ethical and Responsible Use of Artificial Intelligence. Human oversight and professional judgment remain central to everything we do. AI does not replace the legal advice or professional responsibility of our practitioners — it supports it.
AI tools may be used in our practice for the following purposes:
AI is not used by Ellison-Whyte Law to make decisions that significantly affect your legal rights or interests without human review. All AI-assisted outputs used in connection with your matter are reviewed and take responsibility for by a qualified legal practitioner before being acted upon or provided to you.
The protection of client confidentiality is our highest obligation. We do not input confidential, sensitive, privileged, or personally identifiable client information into publicly available or consumer-grade AI tools (such as the publicly accessible versions of ChatGPT, Google Gemini, or similar platforms) where that information could be retained, used for model training, or accessed by third parties.
Where we use AI tools that may process client-related information, we take the following steps to protect your privacy:
In the interests of transparency, the AI tools currently used in our practice include:
Claude (Anthropic) — a large language model AI assistant used for drafting, research support, document preparation, and practice operations. We use Claude via the API or claude.ai, which provides data handling commitments. Client information used with this tool is subject to Anthropic’s privacy policy and data processing terms
Microsoft Copilot — where integrated into our Microsoft 365 environment, Copilot may assist with document drafting,
summarisation, and email management within our existing Microsoft 365 tenancy. Microsoft’s enterprise data protection commitments apply to
the use of Copilot within a commercial Microsoft 365 subscription
AI features within existing platforms — some of the platforms we use (including LEAP, Settify, and Canva) incorporate
AI-assisted features within their existing products. Where we use those features, they are subject to the data handling terms of the
relevant platform provider
We will update this section as our AI tool use evolves. If you have any questions about the specific AI tools used in connection with your matter, please ask us.
The Privacy and Other Legislation Amendment Act 2024 (Cth) introduces new obligations under APP 1.7–1.9, effective 10 December 2026, requiring APP entities to disclose where computer programs use personal information to make or substantially support decisions that could significantly affect an individual’s rights or interests.
In compliance with these obligations, we disclose the following:
Our use of AI in legal practice is at all times subject to the Legal Profession Uniform Law (Victoria), the Legal Profession Uniform Conduct (Solicitors) Rules 2015, and our duties to our clients, to the courts, and to the administration of justice. In particular:
You may ask us at any time whether AI was used in the preparation of advice, documents, or correspondence relating to your matter. We will answer that question honestly and promptly.
If you have concerns about the use of AI in connection with your matter, or you wish to request that AI tools not be used in the preparation of documents or advice for you, please contact us using the details in Section 13. We will discuss your concerns with you and, where it is practicable to do so, accommodate your request. Please note that certain AI-assisted features embedded within our practice management and other platforms may not be capable of being disabled on a per-client basis.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or regulatory requirements — including changes arising from the ongoing implementation of the AML/CTF Tranche 2 reforms or updates to AUSTRAC guidance for legal practitioners.
The current version of this Policy will always be available at ellisonwhytelaw.com.au/privacy-policy. The version number and review date at the top of this document indicate when the Policy was last updated.
Where changes are material, we will take reasonable steps to notify affected clients. We encourage you to review this Policy periodically.
Ellison-Whyte Law Pty Ltd | ABN 84 491 886 866 | Balnarring, Mornington Peninsula VIC | ellisonwhytelaw.com.au | 03 5908 3732
.