
Privacy Policy

ELLISON-WHYTE LAW PTY LTD

ABN 84 491 886 866


Effective date: 1 July 2026  |  Last reviewed: June 2026

 

Ellison-Whyte Law Pty Ltd (ABN 84 491 886 866) (we, us, our) is an Australian legal practice based on the Mornington Peninsula, Victoria, admitted to practise in the Supreme Court of Victoria and the High Court of Australia. We are committed to protecting the privacy of our clients, prospective clients, website visitors, and all individuals whose personal information we handle.

 This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information, and sets out the rights you have in relation to that information. It should be read together with our Costs Agreement and Complaints Handling Policy.

 By engaging our services or using our website at ellisonwhytelaw.com.au, you acknowledge that you have read this Policy and agree to the collection and use of information in accordance with it.

 1. Legal Framework and Governing Laws

The collection, use, and handling of personal information by Ellison-Whyte Law Pty Ltd is governed by, or subject to, the following legislation:

      

  • Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act
  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), as amended by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) (Tranche 2 reforms, operative 1 July 2026)
  • Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (Cth) (AML/CTF Rules)
  •  Legal Profession Uniform Law (Victoria) and the Legal Profession Uniform Conduct (Solicitors) Rules 2015
  •  Spam Act 2003 (Cth)
  •  Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth)

 

Where we hold or process personal data of individuals who are nationals of, or physically located in, the European Union or United Kingdom, we acknowledge the potential application of the General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK General Data Protection Regulation (UK GDPR) as applicable. Please see Section 10 of this Policy for further information.

 2. Information We Collect

We collect personal information that is reasonably necessary for the provision of legal services and the operation of our practice. The type of information we collect depends on the nature of your matter.

2.1 Identity and Contact Information

  • Full legal name, date of birth, and gender
  • Residential and postal addresses
  • Email addresses and telephone numbers
  • Government-issued identification documents (driver's licence, passport, Medicare card)

2.2 Matter-Specific Information

       

  • Details of the legal matter for which you are engaging us
  • Financial information relevant to your matter (including property values, loan details, trust and company structures, superannuation balances, and income and asset information)
  • Family circumstances (where relevant to family law, estate planning, or SMSF matters)
  • Business structures, company and trust documentation, ABNs and ACNs
  • Health or disability information, or information relating to family violence or financial hardship, where relevant to your matter and collected with your knowledge

2.3 Sensitive Information

In the course of providing family law, estate planning, and other legal services, we may collect information that is classified as sensitive information under the Privacy Act 1988 (Cth). This includes health information, information about family violence, and financial hardship information. We collect sensitive information only where it is reasonably necessary for your matter and, where required by law, with your consent. We take additional care in handling and protecting sensitive information.

2.4 Identity Verification Information (AML/CTF)

As required by the AML/CTF Act, we collect and verify identity information for clients before commencing designated services. Please see Section 6 of this Policy for full details of our AML/CTF obligations and procedures.

2.5 Website and Communication Data

  • Name and contact details submitted via our website contact forms or online booking system
  • IP address, browser type, and website usage data collected via cookies and analytics tools (see Section 9)
  • Records of communications with us by email, telephone, or online platforms

3. How We Collect Your Information

We collect personal information in the following ways:

  1. Directly from you — through intake forms, our online booking system (Settify), client portals, email, telephone, video conference, or in-person consultation
  2. From third parties — including other lawyers, real estate agents, financial institutions, mortgage brokers, PEXA, Land Use Victoria, the Australian Taxation Office, ASIC, and other government agencies where relevant to your matter
  3. From publicly available sources — including ASIC registers, land title registries, court records, and other public registers
  4. Automatically — through cookies and analytics tools when you visit our website (see Section 9)

 Where it is lawful and practicable, you may interact with us anonymously or using a pseudonym — for example, when making a general enquiry. However, we are unable to provide legal services without confirming your identity, and our AML/CTF obligations require us to verify your identity before commencing certain services.

4. How We Use Your Information

We use personal information collected for the following purposes:

  1. Providing legal services to you across our practice areas, including conveyancing and property law, wills and estate planning, family law, SMSF establishment and compliance, private lending, and business law
  2. Verifying your identity and satisfying our obligations under the AML/CTF Act, including conducting customer due diligence and ongoing monitoring
  3. Issuing costs agreements, invoices, and managing billing, payments, and trust accounting
  4. Communicating with you about your matter through secure platforms
  5. Complying with our professional obligations as legal practitioners, including our obligations to the courts, the Victorian Legal Services Board, and the LIV
  6. Complying with mandatory reporting obligations to AUSTRAC, the Victorian Legal Services Board, the Australian Taxation Office, and other regulatory bodies
  7. Improving our services, systems, and client experience
  8. Sending you updates or information about our services where you have consented, with a clear right to opt out at any time (see Section 4.1)

 
We will not use your personal information for any purpose other than those described in this Policy or disclosed to you at the time of collection, without your consent or as otherwise permitted or required by law.

4.1 Direct Marketing and Opt-Out

Where you have consented to receive marketing communications from us — such as newsletters, legal updates, or service information — we may contact you by email or other electronic means. You may withdraw your consent and opt out of receiving marketing communications at any time by:

  1. Clicking the unsubscribe link in any marketing email we send you
  2. Contacting us directly using the details in Section 13

 We will process opt-out requests promptly. Opting out of marketing communications will not affect our ability to contact you in relation to your legal matter.

 5. Disclosure of Your Information

We may disclose your personal information to third parties in the following circumstances:

  1. To parties involved in your matter — including the other party's solicitor, real estate agents, financial institutions, mortgage brokers, valuers, and electronic settlement platform PEXA
  2. To government bodies and regulators — including Land Use Victoria, the Australian Taxation Office, ASIC, the Victorian Legal Services Board, the Victorian Legal Services Commissioner, the Family Court of Australia, and AUSTRAC (see Section 6)
  3. To our third-party service providers — who assist us in delivering legal services and operating our practice. These include: LEAP (practice management software); Xero (accounting and billing); PEXA (electronic property settlements); Settify (online client intake and matter scoping); InfoTrack (searches, property certificates, ASIC searches, and identity verification); LawConnect (secure client portal and document sharing); and Microsoft 365 (email, document creation, cloud storage, and video conferencing via Microsoft Teams and OneDrive). Each of these providers is bound by confidentiality obligations and contractual data handling requirements, and is required to handle your information in a manner consistent with this Policy and applicable privacy law
  4. To courts and tribunals — where required in the course of legal proceedings or in compliance with a court order or subpoena
  5.  With your consent — where you have authorised us to share your information with a specific third party
  6.  Where required or permitted by law — including under the AML/CTF Act, the Privacy Act, or court order

 We do not sell, rent, or trade your personal information to third parties for marketing or commercial purposes.

6. Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF)

6.1 Our Status as a Reporting Entity

Ellison-Whyte Law Pty Ltd is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), as amended by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth). The Tranche 2 reforms, which extended the AML/CTF regime to legal practitioners, became operative on 1 July 2026. We enrolled with AUSTRAC in accordance with our obligations.

 

As a reporting entity, we are regulated by the Australian Transaction Reports and Analysis Centre (AUSTRAC) and are required to maintain a written AML/CTF Program, appoint an AML/CTF Compliance Officer at management level, conduct customer due diligence, monitor client relationships on an ongoing basis, and report certain transactions and suspicious matters to AUSTRAC.

6.2 Designated Services We Provide

The AML/CTF Act does not regulate legal practitioners as a profession — it regulates specific designated services. Based on our practice areas, the designated services provided by Ellison-Whyte Law Pty Ltd that trigger AML/CTF obligations include:

  1. Assisting clients with property transactions — including the purchase, sale, transfer, or mortgage of real property (conveyancing)
  2. Receiving, holding, controlling, or managing client money or property in connection with a transaction
  3. Assisting clients in planning or executing transactions involving the creation, operation, or restructure of companies, trusts, or other legal arrangements — including SMSF establishment and trust deed preparation
  4. Assisting clients with equity or debt financing transactions — including private lending and Bank of Mum and Dad arrangements
  5. Acting as, or arranging for another person to act as, a trustee, director, attorney, or in a similar capacity in connection with a legal arrangement

 AML/CTF obligations can arise before a transaction is completed, including during preparatory and organisational steps. If you are unsure whether a particular service we are providing triggers these obligations, please ask us.

6.3 Customer Due Diligence (CDD)

Before we commence work on your matter involving a designated service, we are required by law to verify your identity. This process is known as Customer Due Diligence (CDD). We cannot commence work until CDD is satisfied — this requirement applies to all clients regardless of the nature or value of their matter or their prior relationship with us.

 
As part of our CDD process, we will ask you to provide:

  1. Individuals: a current government-issued photo ID (passport or Australian driver's licence) and proof of current address (utility bill or bank statement dated within the last 3 months)
  2. Companies: current ASIC company extract, constitution (if applicable), and identity verification for all directors and beneficial owners holding 25% or more of the entity
  3. Trusts and SMSFs: a copy of the trust deed or SMSF deed, and identity verification for all trustees and, where required, beneficiaries
  4. Partnerships and associations: relevant constituent documents and identity verification for all controlling persons

We may use a third-party electronic identity verification service to assist with this process. Information collected for CDD purposes is handled securely and used only for the purposes of identity verification and AML/CTF compliance.

6.4 Our AML/CTF Program

We maintain a written AML/CTF Program as required by the AML/CTF Act. The Program consists of:

  1. Part A (Risk-Based Framework) — our policies, procedures, and controls for identifying, assessing, and managing the money laundering and terrorism financing risks associated with our services, client base, and delivery channels, including staff training and ongoing program review
  2. Part B (Customer Identification Procedure) — our procedures for verifying the identity of clients before providing designated services

Our AML/CTF Program has been approved by the Principal of the firm and is reviewed and updated regularly to reflect changes in our risk environment and regulatory guidance.

6.5 Ongoing Monitoring

We are required to monitor our client relationships on an ongoing basis to identify any changes in risk profile, or transactions or patterns of behaviour that are inconsistent with the nature of the matter or the client's known profile. This may involve requesting updated identification or additional information during the course of your matter. We appreciate your cooperation with these requests.

6.6 Reporting Obligations to AUSTRAC

In certain circumstances, we are required by law to submit reports to AUSTRAC. These obligations are mandatory and cannot be waived by client consent. They include:

  1. Suspicious Matter Reports (SMRs) — where we form a suspicion on reasonable grounds that a transaction or matter may relate to money laundering, terrorism financing, proliferation financing, or other serious criminal activity
  2. Threshold Transaction Reports (TTRs) — where we receive or transfer physical currency (cash) of AUD 10,000 or more in a single transaction, or two or more related transactions
  3.  International Funds Transfer Instructions (IFTIs) — where we are involved in the instruction of certain international funds transfers into or out of Australia

 Where we submit a report to AUSTRAC, we are legally prohibited under the tipping-off provisions of the AML/CTF Act from disclosing to you that a report has been made, or providing any information that would identify that a report has been or may be made. This prohibition is absolute — it applies regardless of your relationship with us.

 The making of a report to AUSTRAC does not constitute an accusation of wrongdoing. Our reporting obligations are a mandatory feature of the regulatory framework that applies to all legal practitioners providing designated services from 1 July 2026.

6.7 Refusal or Cessation of Engagement

In circumstances where we are unable to complete our CDD process, where you decline to provide information required for CDD, or where we form the view that proceeding with a matter would place us in breach of our AML/CTF obligations or other legal duties, we reserve the right to decline to act or to cease acting for you. Where possible, we will advise you of this decision and, where appropriate, assist you to obtain alternative legal representation. In some circumstances our obligations may prevent us from explaining the reasons for our decision.

 7. Storage, Security, and Retention

We take the security of your personal information seriously. We store personal information in a combination of secure digital systems and, where required, physical records. Our security measures include:

  1. Encryption of digital files and communications
  2. Password-protected and multi-factor authenticated access to our systems
  3. Secure cloud storage — where possible, we endeavour to ensure that data is stored on servers located in Australia; please see Section 8 for details of our named service providers and their data storage arrangements
  4. Restricted access — only staff members and contractors who require access to your information for the purposes of your matter will be permitted to access it
  5. Regular review of our data security practices

 We retain personal information for as long as required by law, our professional obligations as legal practitioners, or the nature of your matter — generally a minimum of 7 years following the conclusion of a matter, in accordance with professional obligations under the Legal Profession Uniform Law (Victoria).

 AML/CTF records (including identity verification documents and transaction records) are retained for a minimum of 7 years from the date the relevant designated service was last provided, as required by the AML/CTF Act.

 When personal information is no longer required, we take reasonable steps to destroy or permanently de-identify it securely.

 In the event of a data breach that is likely to result in serious harm to any individual, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).

 8. Cross-Border Disclosure of Personal Information

We primarily hold and process personal information in Australia, and where possible we endeavour to ensure that data is stored on servers located in Australia. In limited circumstances, personal information may be held on or transmitted through servers located overseas — for example, where we use cloud-based services or software with infrastructure that spans multiple jurisdictions, or where a matter involves a party or institution located overseas.

 
Where we disclose personal information to an overseas recipient, we take reasonable steps to ensure that the recipient handles that information in a manner consistent with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), in accordance with our obligations under APP 8. In some circumstances, we may seek your consent to a specific cross-border disclosure.

 
Our third-party service providers and their known data storage positions are set out below. We note that server locations and data storage arrangements can change, and we take reasonable steps to monitor and review these arrangements: 

  • LEAP (practice management) — data is hosted in Australia by LEAP Legal Software Pty Ltd; LEAP maintains ISO 27001 certification and stores Australian client data on Australian servers where available.
  • Xero (accounting) — data may be stored on servers in Australia, the United States, or other jurisdictions depending on the service tier; Xero is subject to the New Zealand Privacy Act 2020 and applicable Australian privacy law.
  • PEXA (electronic settlements) — operates as an Australian-regulated electronic conveyancing network; data is held in Australia.
  • Settify (client intake) — an Australian-based legal technology platform; data is held in Australia.
  • InfoTrack (searches and identity verification) — an Australian company; data is held and processed in Australia.
  • LawConnect (client portal) — an Australian legal technology platform operated by InfoTrack; data is held in Australia.
  • InfoTrack (legal technology and SaaS company) - provides integrated e-conveyancing, e-filing, and compliance solutions for legal, property, accounting, and financial professionals.
  • Microsoft 365 (email, documents, Teams, OneDrive) — Microsoft may store and process data across multiple jurisdictions including Australia, the United States, and other regions depending on the Microsoft 365 tenancy configuration and the specific service used. Microsoft is subject to the EU-US Data Privacy Framework and provides standard contractual clauses for cross-border data transfers.

We take reasonable steps to ensure these providers maintain appropriate security and privacy standards. Where we become aware of a material change to a provider’s data storage arrangements that may affect your personal information, we will update this Policy accordingly.

 9. Website, Cookies, and Analytics

Our website at ellisonwhytelaw.com.au may use cookies and similar tracking technologies to improve your user experience and collect analytics data about how visitors use our site. This may include:

  1.  Session cookies — which allow the website to function correctly during your visit and expire when you close your browser
  2.  Analytics cookies — which help us understand traffic patterns and user behaviour (for example, via Google Analytics). Where Google Analytics is used, data may be processed on servers outside Australia
  3.  Functional cookies — which remember your preferences to improve your experience on return visits

 You can disable or manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of some features of our website.

 Our website may contain links to third-party websites, including booking systems and legal information platforms. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies independently before providing any personal information.

 10. International Clients — GDPR and UK GDPR

10.1 Scope and Application

This section applies where we hold or process personal data of individuals who are nationals of, or physically located in, a European Union member state or the United Kingdom at the time their personal data is collected or processed. The General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK General Data Protection Regulation (UK GDPR) may apply to the processing of such personal data by Ellison-Whyte Law Pty Ltd, including where that processing occurs in Australia.

 This section supplements — and does not replace — the remainder of this Privacy Policy. Where there is any inconsistency between this section and the rest of this Policy in relation to EU or UK individuals, this section prevails.

 
We may provide legal services to European or UK nationals who are living in, visiting, or conducting transactions in Australia. We may also act in matters that involve counterparties, beneficiaries, or entities located in the EU or UK. In each of these circumstances, GDPR or UK GDPR obligations may be engaged, and we handle that personal data accordingly.

10.2 Our Role

For the purposes of the GDPR and UK GDPR, Ellison-Whyte Law Pty Ltd acts as a data controller in respect of personal data that we collect directly from you, or for which we determine the purposes and means of processing in connection with your matter. Where we engage third-party service providers to process personal data on our behalf, those providers act as data processors and are required to comply with our instructions and applicable data protection obligations.

10.3 Legal Basis for Processing

Where the GDPR or UK GDPR applies, we process personal data on one or more of the following lawful bases:

  1. Performance of a contract (Article 6(1)(b)) — where processing is necessary to provide the legal services you have engaged us for
  2. Compliance with a legal obligation (Article 6(1)(c)) — where processing is required to comply with our obligations under Australian law, including the AML/CTF Act, tax laws, and our professional obligations as legal practitioners
  3.  Legitimate interests (Article 6(1)(f)) — where processing is necessary for the legitimate interests of our practice, including the provision of legal services, business administration, security, and fraud prevention, and those interests are not overridden by your fundamental rights and freedoms
  4.  Consent (Article 6(1)(a)) — where you have given freely given, specific, informed, and unambiguous consent to a specific use of your personal data, such as marketing communications
  5.  For special category data (Article 9(2)) — where we process sensitive personal data (such as health information in family law or estate matters), we rely on the explicit consent of the data subject, or processing necessary for the establishment, exercise, or defence of legal claims

10.4 Your Rights Under GDPR / UK GDPR

Subject to applicable conditions and exemptions, individuals covered by this section may exercise the following rights by contacting us using the details in Section 13:

  1.  Right of access (Article 15) — to obtain confirmation that we process your personal data and to receive a copy of that data
  2. Right to rectification (Article 16) — to request correction of personal data that is inaccurate or incomplete
  3. Right to erasure (Article 17) — to request deletion of your personal data in certain circumstances (note: this right may be limited by our legal retention obligations under Australian law and our professional duties)
  4. Right to restriction of processing (Article 18) — to request that we limit the way we process your personal data in certain circumstances
  5. Right to data portability (Article 20) — to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where processing is based on consent or contract
  6.  Right to object (Article 21) — to object to processing based on legitimate interests or to processing for direct marketing purposes
  7. Rights related to automated decision-making (Article 22) — we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects

 We will respond to rights requests within 30 days of receipt. Where a request is complex or numerous, we may extend this period by a further two months and will notify you accordingly. We will not charge a fee for responding to a request unless it is manifestly unfounded or excessive.

 Some rights are subject to limitations. In particular, our obligations to retain records under the AML/CTF Act and as legal practitioners under the Legal Profession Uniform Law (Victoria) may limit your right to erasure in relation to matter files and identity verification records. We will advise you where any such limitation applies.

10.5 Data Transfers Outside the UK/EU

Where we process personal data of EU or UK individuals, that data will ordinarily be transferred to and processed in Australia. Australia has not received a formal adequacy decision under the EU GDPR framework. Where such a transfer occurs, we implement appropriate safeguards, which may include:

  1. Standard contractual clauses (SCCs) approved by the European Commission, or the International Data Transfer Agreement (IDTA) approved by the UK ICO, where applicable
  2. Your explicit consent to the specific transfer, where we have sought and obtained that consent

 We take reasonable steps to ensure that transfers of personal data to third-party service providers are subject to appropriate safeguards consistent with our obligations under the GDPR and UK GDPR. Please refer to Section 8 of this Policy for details of our named service providers and their known data storage arrangements.

10.6 Right to Lodge a Complaint with a Supervisory Authority

If you are located in the EU and consider that we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the supervisory authority in your EU member state of residence or the member state where the alleged infringement occurred.

 If you are located in the UK, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk or by telephone on 0303 123 1113.

 We would always prefer the opportunity to address your concerns directly before you contact a supervisory authority. Please contact us first using the details in Section 13.

 11. Access to and Correction of Your Personal Information

You have the right to request access to the personal information we hold about you, and to request correction of any information that is inaccurate, incomplete, or out of date. To make a request, please contact us in writing using the details in Section 13.

 We will respond to access and correction requests within 30 days. We will not charge a fee for making a request, but may charge a reasonable fee to cover the administrative cost of providing access in complex cases — we will advise you of any such fee before proceeding.

 In limited circumstances, we may decline to provide access or refuse to make a correction — for example, where doing so would be contrary to our professional obligations or legal duties, would reveal confidential information about a third party, or where an exemption applies under the Privacy Act 1988 (Cth). Where we decline, we will advise you in writing and explain the applicable reason or exemption.

 12. Privacy Complaints

If you have a concern about how we have handled your personal information, we encourage you to contact us directly in the first instance using the details in Section 13. Please also see our Complaints Handling Policy for our full complaints process.

 We will acknowledge your privacy concern within two business days and aim to provide a substantive response within 10 business days.

 If you remain dissatisfied after raising your concern with us, you may contact:

  • Office of the Australian Information Commissioner (OAIC): oaic.gov.au | 1300 363 992
  • Victorian Legal Services Commissioner (VLSC): lsc.vic.gov.au | 1300 796 344
  • For EU individuals: the supervisory authority in your EU member state of residence
  • For UK individuals: the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113

 13. Contact Us

For any privacy-related enquiries, rights requests, or concerns, please contact:

 
Sue Ellison-Whyte

Principal and AML/CTF Compliance Officer

Ellison-Whyte Law Pty Ltd  |  ABN 84 491 886 866

Shop 2, 3056 Frankston-Flinders Road, Balnarring VIC 3926

Email: sue@ellisonwhytelaw.com.au

Phone: 03 5908 3732

Website: ellisonwhytelaw.com.au

14. Use of Artificial Intelligence

14.1 Our Approach to AI in Legal Practice

Ellison-Whyte Law Pty Ltd uses artificial intelligence (AI) tools selectively to support the delivery of legal services, improve the efficiency of our practice operations, and enhance the quality of our work. We are committed to using AI responsibly, in accordance with our professional obligations, and in a manner that protects the confidentiality and privacy of our clients at all times.

Our use of AI tools is consistent with the joint statement on the use of artificial intelligence in Australian legal practice issued on 6 December 2024 by the Law Society of New South Wales, the Legal Practice Board of Western Australia, and the Victorian Legal Services Board and Commissioner (Joint AI Statement), and the LIV’s Guideline on Ethical and Responsible Use of Artificial Intelligence. Human oversight and professional judgment remain central to everything we do. AI does not replace the legal advice or professional responsibility of our practitioners — it supports it.

14.2 How We Use AI Tools

AI tools may be used in our practice for the following purposes:

  1. Drafting assistance — AI tools may assist in the preparation of first drafts of correspondence, documents, and legal instruments, which are always reviewed, verified, and approved by a qualified practitioner before use
  2. Legal research and summarisation — AI may be used to assist with identifying relevant legislation, case law, and regulatory material, subject always to independent verification by a practitioner
  3. Practice administration — AI tools may support internal operations including document management, scheduling, precedent development, and business planning, where client personal information is not used
  4. Client education and digital platforms — AI tools may support the development of educational content and digital legal resources, including through our associated platforms, where content is reviewed and approved by a qualified practitioner

AI is not used by Ellison-Whyte Law to make decisions that significantly affect your legal rights or interests without human review. All AI-assisted outputs used in connection with your matter are reviewed by a qualified legal practitioner, who takes responsibility for them, before being acted upon or provided to you.

14.3 Confidentiality and Data Protection

The protection of client confidentiality is our highest obligation. We do not input confidential, sensitive, privileged, or personally identifiable client information into publicly available or consumer-grade AI tools (such as the publicly accessible versions of ChatGPT, Google Gemini, or similar platforms) where that information could be retained, used for model training, or accessed by third parties.

Where we use AI tools that may process client-related information, we take the following steps to protect your privacy:

  1. We assess each AI tool we use for its data handling practices, including whether it retains, trains on, or shares submitted data, and whether it provides appropriate contractual data protection commitments
  2. We use enterprise or API-tier versions of AI platforms where available, which typically provide stronger data isolation, confidentiality commitments, and assurances that submitted data is not used for model training
  3. Where practicable, we de-identify or anonymise information before it is used in an AI process, so that it cannot be linked back to an individual client
  4. We review our AI tools and their data handling arrangements periodically, and update our practices as guidance from the Victorian Legal Services Board and Commissioner, the LIV, and the OAIC develops

14.4 AI Tools We Currently Use

In the interests of transparency, the AI tools currently used in our practice include:

Claude (Anthropic) — a large language model AI assistant used for drafting, research support, document preparation, and practice operations. We use Claude via the API or claude.ai, which provides data handling commitments. Client information used with this tool is subject to Anthropic’s privacy policy and data processing terms

Microsoft Copilot — where integrated into our Microsoft 365 environment, Copilot may assist with document drafting, summarisation, and email management within our existing Microsoft 365 tenancy. Microsoft’s enterprise data protection commitments apply to the use of Copilot within a commercial Microsoft 365 subscription

AI features within existing platforms — some of the platforms we use (including LEAP, Settify, and Canva) incorporate AI-assisted features within their existing products. Where we use those features, they are subject to the data handling terms of the relevant platform provider

We will update this section as our AI tool use evolves. If you have any questions about the specific AI tools used in connection with your matter, please ask us.

14.5 Automated Decision-Making — APP 1.7 Disclosure

The Privacy and Other Legislation Amendment Act 2024 (Cth) introduces new obligations under APP 1.7–1.9, effective 10 December 2026, requiring APP entities to disclose where computer programs use personal information to make or substantially support decisions that could significantly affect an individual’s rights or interests.

In compliance with these obligations, we disclose the following:

  1. Ellison-Whyte Law does not currently use computer programs to make decisions that could significantly affect the rights or interests of clients without human review and professional oversight by a qualified practitioner
  2. AI tools used in our practice assist in drafting, research, and administration — the outputs of those tools are always reviewed, verified, and approved by a practitioner before any decision affecting a client is made or communicated
  3. If this position changes — for example, if we introduce any AI-assisted client intake triage, risk assessment tools, or automated matter processing that could significantly affect an individual’s rights — we will update this Policy and, where required, notify affected clients before implementing such tools

14.6 Our Professional Obligations

Our use of AI in legal practice is at all times subject to the Legal Profession Uniform Law (Victoria), the Legal Profession Uniform Conduct (Solicitors) Rules 2015, and our duties to our clients, to the courts, and to the administration of justice. In particular:

  1. Confidentiality — our duty of confidentiality under Rule 9 of the Solicitors’ Conduct Rules applies fully to AI tool use. We take reasonable steps to ensure that AI tools we use do not breach client confidentiality
  2. Competence — AI tools are used only where we understand how they work and can verify their outputs. AI-generated content is never used without independent review by a practitioner with sufficient knowledge to assess its accuracy and appropriateness for the specific matter
  3. Costs — any efficiency gained through the use of AI is reflected in our costs to clients. We will not charge for time that was not genuinely spent, and AI-assisted work is costed fairly and proportionately in accordance with our obligations under the Legal Profession Uniform Law
  4. Transparency — consistent with the Joint AI Statement, we are transparent with our clients about our use of AI. If you wish to know whether AI was used in the preparation of documents or advice provided to you, you may ask us at any time

14.7 Your Right to Enquire or Object

You may ask us at any time whether AI was used in the preparation of advice, documents, or correspondence relating to your matter. We will answer that question honestly and promptly.

If you have concerns about the use of AI in connection with your matter, or you wish to request that AI tools not be used in the preparation of documents or advice for you, please contact us using the details in Section 13. We will discuss your concerns with you and, where it is practicable to do so, accommodate your request. Please note that certain AI-assisted features embedded within our practice management and other platforms may not be capable of being disabled on a per-client basis.

15. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or regulatory requirements — including changes arising from the ongoing implementation of the AML/CTF Tranche 2 reforms or updates to AUSTRAC guidance for legal practitioners.

 The current version of this Policy will always be available at ellisonwhytelaw.com.au/privacy-policy. The version number and review date at the top of this document indicate when the Policy was last updated.

 Where changes are material, we will take reasonable steps to notify affected clients. We encourage you to review this Policy periodically.

 

Ellison-Whyte Law Pty Ltd  |  ABN 84 491 886 866  |  Balnarring, Mornington Peninsula VIC  |  ellisonwhytelaw.com.au  |  03 5908 3732
