1. BALFOUR MEAGHER PRIVACY POLICY Version 2.0 — Last Updated: 2 June 2026

1.1 Balfour Meagher Pty Ltd (ACN 621 980 523) (“Balfour Meagher”, “we”, “us”, “our”) understands that privacy and how we collect, use, disclose, store and protect your personal information is important to you. We are committed to ensuring the privacy of your information and to complying with:

  1. the Privacy Act 1988 (Cth) (“Privacy Act”), including the Australian Privacy Principles (“APPs”);
  2. the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth);
  3. the Privacy and Other Legislation Amendment (Data Breaches) Act 2017 (Cth), including the Notifiable Data Breaches Scheme (Part IIIC of the Privacy Act);
  4. the Privacy and Other Legislation Amendment Act 2026 (Cth), including the provisions relating to ‘automated decision-making’;
  5. the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (“AML/CTF Act”), to the extent it governs the collection and retention of personal information;
  6. the ‘Model Participation Rules’ developed by the Australian Registrars’ National Electronic Conveyancing Council (“ARNECC”);
  7. the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth); and
  8. our professional obligations under the Legal Profession Uniform Law (WA) and the rules of the Legal Practice Board of Western Australia.

1.2 In this Privacy Policy, “personal information” has the meaning given to it in section 6 of the Privacy Act — that is, information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

“Sensitive information” is a subset of personal information and includes information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information, genetic information, biometric information or biometric templates.


2. What Personal Information Does Balfour Meagher Collect and Hold?

2.1 Balfour Meagher is an independent, Australian commercial and corporate law firm. The types of personal information that we collect will depend on the nature of your dealings with us. We may collect personal information from you when you:

  1. instruct us to act on your behalf in a legal matter;
  2. engage us to provide conveyancing or property settlement services;
  3. visit our website at www.bmlegaladvisors.com.au;
  4. subscribe to our publications, newsletters, alert services or mailing lists;
  5. attend our seminars, CPD events or networking functions;
  6. apply for employment with us;
  7. interact with us as a supplier, contractor, or business contact; or
  8. communicate with us by telephone, email, post, social media or in person.

2.2 The personal information we may collect includes:

  1. your name, title, date of birth, gender and contact details (including residential and postal address, email address and telephone numbers);
  2. your financial details (including bank account details, credit card details, tax file numbers and superannuation details) where necessary for the provision of our services;
  3. identification documents (including driver’s licence, passport, Medicare card) as required for identity verification (“VoI”):
    1. under the AML/CTF Act; and/or
    2. in accordance with ARNECC requirements for VoI and client authorisation (note: verifying the identity of the client is a strict requirement for legal practitioners and conveyancers when handling real property transactions);
  4. information about your legal matter, including documents, correspondence and instructions;
  5. information about beneficial ownership structures, politically exposed persons status, and source of funds, as required under the AML/CTF Act;
  6. your employment history, qualifications and professional memberships;
  7. your IP address, browser type, device information and website usage data collected via cookies and analytics tools (see Section 9 below); and
  8. any other information you voluntarily provide to us.

2.3 Sensitive Information

We will not collect sensitive information about you unless:

  1. it is reasonably necessary for the provision of legal advice or services;
  2. you have consented to the collection; or
  3. we are required or authorised by law to collect it (for example, under the AML/CTF Act).

Examples of sensitive information we may collect include health information (in personal injury or estate matters), criminal history (in criminal law or employment matters), and information about racial or ethnic origin (in discrimination matters).

2.4 How We Collect Personal Information

We collect personal information:

  1. directly from you — when you provide instructions, complete forms, sign our Client Services Agreement, or communicate with us;
  2. from third parties — including recruitment agencies, referees, government agencies (such as ASIC, Landgate, AUSTRAC), transaction platforms (such as InfoTrack/IDfy, PEXA, Revenue Online, Securexchange), credit reporting bodies, and opposing parties or their legal representatives; and
  3. automatically — when you visit our website, through the use of cookies, web beacons and analytics tools (see Section 9 below).

3. How Does Balfour Meagher Use Personal Information?

3.1 We collect and use personal information for the following purposes:

  1. to provide legal and business advisory services to you, including conducting your matter, providing legal advice, preparing documents and representing you;
  2. to comply with our legal and regulatory obligations, including under the AML/CTF Act, the Legal Profession Uniform Law (WA), and taxation legislation;
  3. to verify your identity and conduct customer due diligence as required by law;
  4. to manage our client relationship with you, including billing, trust account management and conflict checking;
  5. to communicate with you about your matter, our services, legal developments, seminars, publications and other information that may be of interest to you;
  6. to improve our services, website and business operations;
  7. to comply with court orders, subpoenas and other legal processes;
  8. to manage and resolve complaints;
  9. to assess applications for employment with us; and
  10. for any other purpose for which you have given your consent or which is permitted or required by law.

3.2 We will not use your personal information for a purpose other than the purpose for which it was collected (the “primary purpose”), unless:

  1. you would reasonably expect us to use the information for a secondary purpose and that secondary purpose is related to the primary purpose (or, in the case of sensitive information, directly related);
  2. you have consented to the secondary use; or
  3. the use is required or authorised by or under an Australian law or court/tribunal order.

4. Disclosure of Personal Information

Balfour Meagher does not sell, rent or trade personal information about you to or with third parties.

We may disclose your personal information to the following categories of recipients where reasonably necessary for the purposes described in Section 3:

4.1 External Service Providers

We may disclose personal information to external service providers who assist us in operating our business and providing services to you, including:

  1. legal technology and transaction platforms (e.g., InfoTrack/IDfy, PEXA, Revenue Online, Securexchange);
  2. cloud storage and IT infrastructure providers (e.g., LEAP, Microsoft 365);
  3. document management and archiving services;
  4. accounting and financial services providers (e.g., Xero, RapidPay);
  5. marketing and communications platforms;
  6. barristers, expert witnesses and mediators engaged on your matter; and
  7. research organisations and consultants.

Where we engage external service providers, we take reasonable steps to ensure they comply with the APPs and are authorised only to use personal information for the limited purposes specified in our agreement with them.

4.2 Regulatory and Government Bodies

We may disclose personal information to regulatory and government bodies where required or authorised by law, including:

  1. the Australian Transaction Reports and Analysis Centre (AUSTRAC);
  2. the Australian Securities and Investments Commission (ASIC);
  3. the Legal Practice Board of Western Australia (LPBWA);
  4. the Office of the Australian Information Commissioner (OAIC);
  5. the Australian Taxation Office (ATO);
  6. State Revenue (Revenue WA); and
  7. courts and tribunals.

4.3 Professional Indemnity and Cyber Insurers

We may disclose personal information to our professional indemnity insurer (Law Mutual WA) and our cyber liability insurer where required for the purposes of obtaining or maintaining insurance coverage, or in connection with a claim or potential claim.

4.4 Other Parties to Your Matter

In the course of acting on your instructions, we may disclose personal information to other parties involved in your matter, including opposing parties, their legal representatives, financial institutions, and settlement agents.

4.5 Disclosures Required or Permitted by Law

We will disclose personal information where required or permitted by law, including in response to court orders, subpoenas, statutory demands, or regulatory investigations.

4.6 Overseas Disclosure

Balfour Meagher stores all client data within Australian data centres. We do not transfer personal information overseas unless:

  1. you have provided your informed consent;
  2. we have taken reasonable steps to ensure the overseas recipient complies with the APPs (or a substantially similar privacy regime); or
  3. the disclosure is required by Australian law or a court/tribunal order.

As at the date of this policy, our primary data storage and cloud infrastructure providers maintain all servers within Australia, ensuring data sovereignty.


5. Security of Personal Information

Balfour Meagher takes the security of your personal information seriously. We have implemented comprehensive technical and organisational measures to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure.

5.1 Technical Controls — ‘Essential Eight’ Framework

We have implemented the Australian Cyber Security Centre’s (ACSC) Essential Eight cybersecurity framework at Maturity Level 2, which includes:

  1. Multi-Factor Authentication (MFA): MFA is enforced on all firm systems, including Microsoft 365, LEAP (practice management), PEXA and Revenue Online. Authentication utilises corporate authenticator applications rather than SMS verification.
  2. Application Whitelisting: Only approved applications may execute on firm systems, preventing unauthorised software from running.
  3. Patch Management: Critical security updates for operating systems and enterprise applications are deployed within 48 hours of vendor release.
  4. Restriction of Administrative Privileges: Daily workflows are never performed using accounts with administrative privileges. Administrative access is restricted to the IT Director with secondary MFA validation.
  5. Microsoft Office Macro Restrictions: All macros in files received from external internet sources are blocked by default.
  6. Application Hardening: Web browsers and email clients are configured to block known malicious content.
  7. Daily Backups: All data is backed up daily to secure, encrypted offsite servers within Australia.
  8. User Application Hardening: Flash, Java and other high-risk applications are disabled or restricted.

5.2 Encryption and Data Sovereignty

All electronic client data is stored within encrypted cloud infrastructure located exclusively in Australian data centres, ensuring full data sovereignty. Data is encrypted both in transit (using TLS 1.2 or higher) and at rest (using AES-256 encryption).

5.3 Physical Security

Our office premises are secured with restricted access. Physical documents in safe custody are stored in fireproof vaults, logged electronically, and secured against fire and theft.

5.4 Personnel Controls

All Balfour Meagher employees are required, as a condition of employment, to treat personal information held by the firm as confidential. Staff are bound by contractual privacy obligations and must complete annual cybersecurity awareness training.

5.5 Endpoint Detection and Response (EDR)

EDR software is deployed on all endpoints across our network, monitored by our managed security services provider.

5.6 Email Security

We utilise advanced email filtering software to scan all inbound and outbound email messages, filtering spam and malicious content. We conduct regular simulated phishing exercises to test staff awareness.

5.7 Cyber Insurance

Balfour Meagher maintains comprehensive cyber liability insurance to provide financial protection in the event of a data breach or cyber incident.

5.8 Business Email Compromise (BEC) Protections

We operate a Two-Factor Verbal Verification Protocol for all payment instructions. Our trust account details will never be modified via email. Any change to banking details must be verified by direct telephone call to a known number.


6. Notifiable Data Breaches

In accordance with Part IIIC of the Privacy Act, Balfour Meagher is subject to the Notifiable Data Breaches (NDB) Scheme.

If we become aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

  1. take immediate steps to contain the breach and, where possible, remediate any damage;
  2. conduct a reasonable and expeditious assessment of the breach within 30 days (or sooner where practicable);
  3. if the breach is assessed as an “eligible data breach” within the meaning of the Privacy Act, notify the Office of the Australian Information Commissioner (OAIC) within 72 hours of the breach being confirmed;
  4. notify all individuals whose personal information is involved in the eligible data breach, as soon as practicable, including:
    1. a description of the breach;
    2. the kinds of information involved;
    3. recommendations about the steps individuals should take in response; and
    4. our contact details for further information; and
  5. maintain a record of all data breaches (whether notifiable or not) in our internal Data Breach Register.

Our IT Compliance Officer is responsible for managing our data breach response in accordance with our Incident Response Plan.


7. Automated Decision-Making and Artificial Intelligence

Balfour Meagher uses technology, including artificial intelligence (AI) tools, to assist in the delivery of legal services.

In accordance with the Privacy and Other Legislation Amendment Act 2026 (Cth), we provide the following information about our use of automated decision-making:

7.1 How We Use AI

We may use AI-assisted tools for:

  1. preliminary legal research and analysis;
  2. initial drafting of generic correspondence and document templates;
  3. summarising legislation, case law or regulatory guidance; and
  4. administrative tasks such as document review and data extraction.

7.2 Human Oversight

No legal advice, legal document, or decision that significantly affects your rights or interests is generated solely by an automated system. All AI-assisted outputs are subject to independent review and verification by a qualified legal practitioner before being provided to you or relied upon in any way.

7.3 Data Protection in AI Usage

We maintain a Zero Client-Data Leakage policy. Raw client information, sensitive corporate structures, trade secrets, or confidential data are never uploaded into public AI platforms or non-enterprise tools where data may be ingested for model training. We only use enterprise-grade AI applications that feature guaranteed data sovereignty and zero-retention API configurations.

7.4 Hallucination Verification

AI models may generate inaccurate information (known as “hallucinations”). No AI-generated draft, research note or citation may be delivered to a client or used in any legal proceeding without every factual assertion and legal citation being independently verified against authorised primary sources.

7.5 Your Rights Regarding Automated Decisions

You have the right to:

  1. be informed if a decision that significantly affects you has been substantially based on automated processing;
  2. request meaningful information about the logic involved in any automated decision-making process that affects you; and
  3. request human review of any decision that has been made using automated processing.

To exercise these rights, please contact our Privacy Officer using the details in Section 17 below.


8. Access, Correction and Your Rights

Under the Privacy Act, you have the right to:

  1. access the personal information we hold about you;
  2. request that we correct your personal information where it is inaccurate, incomplete, out of date, irrelevant or misleading;
  3. opt out of receiving direct marketing communications from us at any time;
  4. request erasure of your personal information from our marketing databases and non-essential systems (subject to our statutory retention obligations — see Section 12 below);
  5. request information about whether any automated decision-making has been used in relation to your matter (see Section 7 above); and
  6. lodge a complaint about our handling of your personal information (see Section 10 below).

8.1 How to Request Access or Correction

  1. If you wish to access or correct the personal information we hold about you, please set out your request in writing and forward it to our Privacy Officer using the contact details in Section 17 below.
  2. We will respond to your request within 30 days of receipt. If we are unable to provide access or make the requested correction, we will provide you with written reasons for our decision.
  3. We will not charge you for making a request or for correcting your personal information. However, we may charge a reasonable fee for providing access to archived or historical records where retrieval involves significant time or resources. We will advise you of any applicable fee before proceeding.

8.2 Exceptions to Access

We may refuse to provide access to personal information in limited circumstances permitted by the Privacy Act, including where:

  1. providing access would pose a serious threat to the life, health or safety of any individual;
  2. providing access would have an unreasonable impact on the privacy of other individuals;
  3. the request is frivolous or vexatious;
  4. the information relates to existing or anticipated legal proceedings and would not be accessible through the discovery process; or
  5. providing access would be unlawful or would prejudice enforcement activities.

9. Website, Cookies and Online Privacy

9.1 Information Collected via Our Website

When you visit our website (www.bmlegaladvisors.com.au), we may automatically collect the following information:

  1. your IP address and approximate geographic location;
  2. your browser type, version and operating system;
  3. the pages you visit on our website and the duration of your visit;
  4. the website from which you were referred to our site;
  5. your device type and screen resolution; and
  6. the date and time of your visit.

9.2 Cookies

A “cookie” is a small data file stored on your computer or mobile device by our web server. We use cookies to:

  1. maintain user sessions (e.g., if you subscribe to access publications);
  2. analyse website traffic and usage patterns;
  3. improve website functionality and user experience; and
  4. deliver targeted advertising (including remarketing) based on your previous visits to our website.

9.3 Types of Cookies We Use

Cookie Type              Purpose
Strictly Necessary       Required for the website to function (e.g., session management)
Analytics                Help us understand how visitors use our website (e.g., Google Analytics)
Functional               Remember your preferences and settings
Marketing/Advertising    Deliver relevant advertisements and track campaign effectiveness

9.4 Third-Party Analytics

We use Google Analytics (and similar tools) to collect anonymised data about website usage. Google Analytics uses cookies to generate statistical information. Google’s privacy policy is available at https://policies.google.com/privacy.

9.5 Managing Cookies

You may manage or disable cookies through your browser settings. Most browsers allow you to:

  1. view what cookies are stored and delete them individually;
  2. block third-party cookies;
  3. block cookies from particular sites; and
  4. block all cookies.

Please note that if you disable all cookies, some features of our website may not function correctly.

9.6 Do Not Track

Our website currently does not respond to “Do Not Track” browser signals. However, you may opt out of targeted advertising by adjusting your cookie preferences.

9.7 Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and recommend that you review their privacy policies independently.


10. Complaints

If you believe that we have breached the APPs or otherwise mishandled your personal information, you may lodge a complaint with us.

10.1 How to Complain

Please set out your complaint in writing, including:

  1. your name and contact details;
  2. a description of the conduct you are complaining about;
  3. the outcome you are seeking; and
  4. any supporting documentation.

Forward your complaint to our Privacy Officer using the contact details in Section 17 below.

10.2 Our Complaints Process

  1. We will acknowledge receipt of your complaint within 5 business days.
  2. We will investigate your complaint and endeavour to respond to you within 30 days of receipt.
  3. If we require additional time to investigate, we will notify you of the delay and the reasons for it.
  4. We will advise you of the outcome of our investigation in writing, including any steps we have taken or propose to take to resolve the complaint.

10.3 Escalation to the OAIC

If you are not satisfied with our response, or if we have not responded within 30 days, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

10.4 Legal Practice Board of Western Australia

If your complaint relates to our conduct as legal practitioners, you may also contact the Legal Practice Board of Western Australia:


11. Job Applicants

Balfour Meagher collects personal information about individuals who apply for employment with us. The information we collect includes:

  1. personal contact details, name, title and gender;
  2. educational and employment history, qualifications and professional memberships;
  3. eligibility to work in Australia (including visa status and citizenship documentation);
  4. referees’ contact details;
  5. information obtained from referees and professional networking sites (e.g., LinkedIn);
  6. performance information from interviews and assessments; and
  7. whether the applicant identifies as Aboriginal or Torres Strait Islander (collected solely for the purpose of monitoring our equal employment opportunity policy).

We may collect this information directly from you or indirectly from recruitment agencies, referees, or publicly available professional profiles.

We use this information to assess your eligibility and suitability for employment. We may retain your information to assess your suitability for future roles, unless you request otherwise.

We do not disclose job applicant personal information to any third party, except:

  1. to referees (for the purpose of obtaining a reference);
  2. to background check providers (with your consent); or
  3. as required by law.

All job applicant personal information is stored in Australia and is not accessible to third parties located outside Australia.


12. Data Retention and Destruction

We retain personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law.

12.1 Retention Periods

Category                                    Minimum Retention Period
Client matter files (general)               7 years from matter closure
AML/CTF records                             7 years from the end of the client relationship
Trust account records                       7 years from the date of the transaction
Wills, Powers of Attorney, original deeds   Indefinitely (safe custody)
Job applicant records (unsuccessful)        12 months from decision
Marketing and subscription data             Until consent is withdrawn
Website analytics data                      26 months (anonymised)

These retention periods are prescribed by the Law Society of Western Australia, the Legal Profession Uniform Law (WA), the AML/CTF Act, and the Taxation Administration Act 1953 (Cth).

12.2 Destruction

Once the applicable retention period has expired:

  1. digital data is permanently purged using secure cryptographic sanitisation protocols; and
  2. physical documents are destroyed via verified industrial shredding by an accredited secure document destruction provider, with a formal Certificate of Destruction filed in our practice management archives.

12.3 Your Right to Request Erasure

You may request the destruction of your personal information from our marketing databases and non-essential systems at any time. However, we cannot delete data that:

  1. is connected to active or closed legal matters within the mandatory 7-year retention window;
  2. is required to be retained under the AML/CTF Act;
  3. is subject to a legal hold, court order or regulatory investigation; or
  4. is held in safe custody (e.g., original Wills, deeds or titles) unless you provide a signed release.

13. Direct Marketing

We may use your personal information to send you communications about legal developments, seminars, publications, and services that may be of interest to you. We will only do so where:

  1. you have consented to receiving such communications;
  2. you would reasonably expect to receive such communications given your existing relationship with us; or
  3. we provide a simple mechanism for you to opt out of each communication.

13.1 Opting Out

You may opt out of receiving direct marketing communications at any time by:

  1. clicking the “unsubscribe” link in any electronic communication;
  2. contacting our Privacy Officer using the details in Section 17 below; or
  3. replying to any communication with the word “UNSUBSCRIBE”.

We will process your opt-out request within 5 business days. Opting out of marketing communications will not affect communications that are necessary for the conduct of your legal matter.

We comply with the Spam Act 2003 (Cth) in relation to all commercial electronic messages and the Do Not Call Register Act 2006 (Cth) in relation to telemarketing.


14. Anti-Money Laundering and Counter-Terrorism Financing

As a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), Balfour Meagher is required to collect, verify and retain certain personal information for the purposes of:

  1. customer identification and verification (Know Your Customer / KYC);
  2. ongoing customer due diligence;
  3. transaction monitoring;
  4. reporting suspicious matters to AUSTRAC; and
  5. record-keeping as required by the AML/CTF Act and Rules.

Personal information collected solely for AML/CTF purposes will be:

  1. held securely and used exclusively for AML/CTF Act compliance;
  2. retained for a minimum of 7 years from the end of the client relationship or the date of the transaction (whichever is later); and
  3. not used for marketing or any purpose unrelated to AML/CTF compliance.

We may disclose AML/CTF-related personal information to AUSTRAC without your knowledge or consent where required by law. We are prohibited by law from informing you if a suspicious matter report has been made.


15. Children’s Privacy

Balfour Meagher does not knowingly collect personal information from individuals under the age of 18 without the consent of a parent or legal guardian, except where:

  1. the collection is necessary for the provision of legal services (e.g., in family law, estate or guardianship matters); and
  2. the collection is authorised or required by law.

Where we collect personal information about a child, we will take reasonable steps to ensure that a parent or legal guardian is informed and has provided consent (where required).


16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors.

When we make material changes to this Privacy Policy, we will:

  1. update the “Last Updated” date at the top of this policy;
  2. publish the updated policy on our website at www.bmlegaladvisors.com.au/privacy-policy/; and
  3. where practicable, notify you directly (e.g., by email) if the changes are likely to significantly affect how we handle your personal information.

We encourage you to review this Privacy Policy periodically. The current version will always be available on our website.


17. How to Contact Us

If you have any questions, comments or requests regarding this Privacy Policy or our handling of your personal information, please contact our Privacy Officer:

This Privacy Policy applies to Balfour Meagher Pty Ltd (ACN 621 980 523, ABN 85 621 980 523).


18. Governing Law

This Privacy Policy is governed by the laws of the Commonwealth of Australia and the State of Western Australia. Any disputes arising in connection with this Privacy Policy are subject to the exclusive jurisdiction of the courts of Western Australia and the Federal Court of Australia.