Privacy Policy

Clelands Lawyers is committed to protecting your privacy and personal information. Clelands Lawyers is bound by the Australian Privacy Principles (APPs) as contained in the Privacy Act 1988 (Cth) (the Act). This Privacy Policy describes how Clelands Lawyers collects, uses, and discloses personal information about an individual and how we manage individual requests to access and correct it.

1 Collection of Personal Information

The collection of personal, sensitive and confidential information is fundamental to our relationship with our clients. All information received in connection with a client matter is subject to strict rules of confidentiality and, where applicable, legal professional privilege.

Personal information will not be disclosed except in accordance with our professional obligations, as specifically authorised by our client or as contemplated by this Privacy Policy.

We collect and process information specifically for identity verification purposes through the Document Verification Service (DVS) and other authorised verification systems. We will update this policy as required by new APP 1 obligations for automated decisions commencing on 10 December 2026.

Privacy Collection Notice: Upon first contact or engagement, we provide you with access to our Privacy Policy and explain how we collect, use and disclose your personal information.

2 What Kinds of Personal Information Do We Collect?

During the course of our business, we routinely collect the following types of personal information (including sensitive information):

Information routinely collected includes:

(a) name, address, age, sex, occupation and contact information including telephone numbers and email addresses;
(b) billing information, payment details and credit card information where required;
(c) government-issued identifiers such as Tax File Numbers, Australian Business Numbers and identity document details including passport numbers, driver licence numbers, Medicare numbers and Centrelink reference numbers;
(d) details relating to the purchase of products and payments for attendance at seminars, webinars and events;
(e) areas of legal practice of interest or events of interest; and
(f) information about people's dealings with us and our services.

Information collected only with explicit consent or where legally required includes:
(a) health information where relevant to personal injury, workers' compensation or insurance claims;
(b) biometric information including photographs for identification purposes;
(c) criminal history or court records where relevant to legal proceedings;
(d) financial records including bank statements, tax returns and asset information where relevant to family law, commercial or insolvency matters; and
(e) employment records and workplace documentation where relevant to employment or industrial relations matters.

3 Collection of Sensitive Information

Under the Australian Privacy Principles, Clelands Lawyers is entitled to collect sensitive information about you or others for several reasons, including where the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

Consent for sensitive information collection:
(a) where collection is required and practicable to obtain consent, we will seek your express written consent before collecting your sensitive information and inform you of the purpose at the same time;
(b) consent may be obtained through signed authority forms, email confirmation or documented verbal consent recorded in our file notes;
(c) in litigation or urgent circumstances, we may collect sensitive information where consent is impracticable but collection is necessary for legal proceedings, subject to our professional obligations of confidentiality; and
(d) you may withdraw your consent at any time by contacting us, though this may affect our ability to continue acting for you in certain matters.

4 How We Hold Personal Information

We treat the personal information (including sensitive information) that we receive and hold in accordance with strict professional obligations of confidentiality and legal professional privilege. We hold personal information in physical records and electronic files with appropriate security measures.

Storage and security measures:
(a) all electronic data is stored on secure servers with access restricted by password protection, multi-factor authentication and role-based access controls;
(b) data is backed up in accordance with our firm's policies with backups encrypted both in transit and at rest;
(c) physical records are retained securely on-site in locked filing systems with restricted access; and
(d) all staff and contractors are bound by confidentiality obligations and receive regular privacy and security training.
Retention periods:
(a) transactional and commercial matters: seven years after completion;
(b) property and conveyancing matters: fifteen years after settlement to account for potential latent defects claims;
(c) estate planning documents including wills: retained indefinitely or until superseded;
(d) litigation matters: seven years after final resolution including appeals;
(e) matters involving minors: seven years after the minor reaches majority; and
(f) regulatory and compliance records: as required by applicable professional conduct rules and legislation.

Secure destruction: When information is no longer required to be retained, we destroy or de-identify information through secure methods.

5 Purposes for Which We Collect, Hold, Use and Disclose Personal Information

We collect, hold and use personal information for the purposes for which it was collected and related purposes including to:

Primary purposes:
(a) provide legal services and fulfil professional obligations to clients;
(b) verify your identity through the DVS and other authorised verification systems;
(c) manage client relationships and internal operations;
(d) comply with legal, regulatory and audit requirements including anti-money laundering obligations;
(e) establish, exercise or defend legal or equitable claims; and
(f) facilitate our internal business operations and professional obligations.

Secondary purposes and disclosures:
We may disclose your personal information, subject to our professional obligations, to:
(a) you as our client and your authorised representatives;
(b) barristers, expert witnesses and other legal professionals engaged in your matter;
(c) courts, tribunals and regulatory authorities as required by law or legal proceedings;
(d) external service providers including document management services, electronic discovery providers, process servers, investigators and translators engaged on a confidential basis;
(e) our professional indemnity insurers and external auditors under confidentiality obligations;
(f) law enforcement agencies where required or authorised by law; and
(g) other parties as specifically authorised by you or required for the proper conduct of your legal matter.

Marketing communications: We do not use your information for marketing or profiling purposes without your express consent. Where consent is provided, you may unsubscribe at any time by contacting us directly.

6 Cross-Border Disclosure of Information

We may use and disclose your personal information in jurisdictions outside Australia where:

Permitted cross-border disclosures:
(a) it is necessary for your matter and your express consent has been obtained;
(b) required by law or court order, subject to our professional obligations;
(c) disclosure is to our offshore service providers who are bound by contractual obligations to maintain confidentiality and security standards equivalent to Australian requirements; or
(d) we have taken reasonable steps to ensure the overseas recipient will not breach the Australian Privacy Principles.

Safeguards for overseas disclosures:
(a) we conduct due diligence assessments of overseas recipients including their privacy and security practices;
(b) we require contractual commitments from overseas recipients to maintain confidentiality, implement appropriate security measures and comply with Australian privacy standards;
(c) we monitor compliance with contractual obligations and maintain audit rights where practicable;
(d) we typically disclose information to recipients in New Zealand, United Kingdom, Singapore and other jurisdictions with comparable legal systems and privacy protections; and
(e) we remain accountable for information disclosed to overseas recipients and will take reasonable steps to remedy any misuse.

7 Access and Correction of Personal Information

We take reasonable steps to ensure personal information we hold is accurate, up-to-date, complete, relevant and not misleading, having regard to the purposes for which it is held.

Requesting access or correction:
(a) you may request access to or correction of personal information we hold about you by contacting our Practice Manager using the details below;
(b) requests should be made in writing and include sufficient information to verify your identity;
(c) we will acknowledge your request within five business days and provide a substantive response within thirty days unless exceptional circumstances apply;
(d) we do not charge fees for correction requests, but may charge reasonable fees for access requests covering search and retrieval costs;

Grounds for refusal: We may refuse access or correction requests where:
(a) providing access would be unlawful or would breach client confidentiality or legal professional privilege;
(b) the request is frivolous or vexatious;
(c) providing access would pose a serious threat to the life, health or safety of any individual;
(d) the information relates to anticipated or existing legal proceedings;
(e) access would prejudice enforcement activities by a law enforcement agency; or
(f) other grounds permitted under the Privacy Act apply.

Review rights: If you are dissatisfied with our response to an access or correction request, you may submit a complaint directly to us. If you remain unsatisfied with the outcome then you may make a complain to the Office of the Australian Information Commissioner (OAIC).

8 Security of Information and Data Breaches

We take reasonable steps to protect your personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. These reasonable steps include both technical and organisational measures.

Technical measures include:
(a) encryption of data both in transit and at rest;
(b) multi-factor authentication for system access;
(c) regular software updates and security patches;
(d) network security including firewalls and intrusion detection;
(e) secure backup systems with tested recovery procedures; and
(f) physical security controls including access controls, surveillance and secure disposal.

Organisational measures include:
(a) staff training on privacy and security obligations;
(b) role-based access controls and regular access reviews;
(c) incident response procedures and business continuity planning;
(d) regular risk assessments and security audits; and
(e) vendor due diligence and contractual security requirements.

All staff and contractors are bound by confidentiality obligations and receive regular training on privacy and security requirements.

Data breach response:

Under the Notifiable Data Breaches scheme, we must notify affected individuals and the Office of the Australian Information Commissioner when a data breach is likely to result in serious harm.

Our data breach response process:
(a) immediate containment and assessment within twenty-four hours of discovery;
(b) formal assessment within thirty days to determine if the breach constitutes an eligible data breach;
(c) notification to the OAIC as soon as practicable but no later than thirty days after we become aware of an eligible data breach;
(d) notification to affected individuals as soon as practicable, including recommendations for steps they should take;
(e) ongoing support and monitoring for affected individuals; and
(f) post-incident review and implementation of remedial measures.

9 Complaints

If you wish to make a complaint about this Privacy Policy or our collection, use or disclosure of personal information, please contact our Practice Manager in the first instance.

Complaint handling process:
(a) we will acknowledge your complaint within five business days of receipt;
(b) we will investigate your complaint and provide a substantive response within thirty days unless exceptional circumstances require additional time;
(c) if additional time is required, we will notify you of the delay and expected timeframe for resolution;
(d) we will work with you to resolve your complaint directly wherever possible; and
(e) we will provide you with information about external review options if you remain dissatisfied.

External review: If you are not satisfied with our response, you may make a complaint to the Office of the Australian Information Commissioner. Information about making a complaint is available at www.oaic.gov.au or by calling 1300 363 992.

Privacy Contact:

Practice Manager
Clelands Lawyers
Level 2, 191 Pulteney Street, Adelaide SA 5000
Email: Clelands@cle.com.au
Phone: (08) 8177 5888