Privacy Policy

Privacy Policy

Privacy and Website Use

Your privacy is important to us. It is Pengelly & Co Legal’s policy to respect your privacy regarding any information we may collect from you across our website.

You need not disclose your identity to us in order to use this website.

This website uses cookies and may automatically collect limited technical information, such as browser details, IP address and page views, to help improve website performance and functionality. This information is used for internal purposes only. Any personal information provided to us is collected and handled in accordance with our Privacy Policy.

 

Privacy Policy at Pengelly & Co Legal

Pengelly & Co Legal is a “small business operator” under s 6D of the Privacy Act 1988 (Cth) (Privacy Act) and is subject to the Privacy Act in relation to anti-money laundering and counter-terrorism financing (AML/CTF)-related activities by operation of s 6E(1A) of that Act.

Accordingly, the Privacy Act, including the Australian Privacy Principles (APPs), apply to our collection, use, sharing, processing, and management of personal information required to comply with our obligations under the AML/CTF framework (comprising the Anti Money Laundering and Counter Terrorism Financing Act 2006 (Cth) (AML/CTF Act), AUSTRAC-issued guidance, and the Anti-Money Laundering and Terrorism Financing Rules 2025 (Cth)).

This Privacy Policy describes how Pengelly & Co Legal collects, uses and discloses personal information about an individual and how we manage individual requests to access and correct it.

We may vary this policy from time to time. The most recent version can be accessed on our website.

1. Collection of personal information

Collection of personal, sensitive and confidential information is fundamental to our relationship with clients to our business.

All information received in connection to a client matter is subject to strict rules of confidentiality. The information will not be disclosed except in accordance with our professional obligations, as specifically authorised by our client or as contemplated by this Privacy Policy.

2. What kinds of personal information do we collect?

During the course of our business, we may collect personal information (including sensitive information).

‘Personal information’ means information or an opinion about an individual whose identity is apparent or reasonably ascertained. We collect and hold this information when it is necessary for business purposes. We will collect personal information by lawful and fair means.

The kinds of personal information we collect and hold may include:

  • your name;
  • your date of birth;
  • location;
  • your contact information (e.g. phone number, email and address);
  • your organisational role or occupation;
  • your office or position, or former office or position, in any legislature, executive, judiciary government body, military, state-owned organisation and your relationship with any persons in those positions, and information to ascertain whether you are a ‘politically exposed person’ for the purposes of the AML/CTF Act;
  • your listing on any Australian or global official sanctions lists
  • services and transactions obtained, offered and supplied including usage history;
  • areas of legal practice of interest or events of interest;
  • information about your dealings with us including time, place and circumstances;
  • drivers licence number and passport number;
  • identity documents;
  • criminal history and
  • if you apply for a position with us we will collect your name and contact details and it may be disclosed to recruitment agencies for suitability assessment.

We are also required by law under the AML/CTF Act to collect and verify certain personal information and may be prohibited from providing services if we cannot do so.

In particular, we collect KYC Information as required by the AML/CTF Act which may include the information listed above, in relation to you, any person on whose behalf you receive a designated service, any person acting on your behalf, and certain beneficial owners.

In the course of providing professional services, and/or where required for compliance with the AML/CTF Act, AUSTRAC-issued guidance, and the Anti-Money Laundering and Terrorism Financing Rules 2025 (Cth) (AML/CTF Framework), we may also collect and hold more detailed personal information, and/or sensitive information, for example:

  • where relevant to the services we are providing you, your financial information about your assets, occupation and income, bank account balances, account activities, payment history;
  • government identifiers such as Tax File Numbers, Australian Business Numbers, drivers’ license, passport and Medicare numbers and visa/work permit status;
  • shareholdings and details of investments;
  • memberships of trade or professional associations;
  • details of superannuation and insurance arrangements;
  • educational qualifications, employment history and salary; and/or
  • personal information about your spouse and dependents.

You do not need to give us any personal information when we ask for it. However, if you do not provide us with the requested personal information, we may be prohibited from providing services to you.

We may conduct ongoing monitoring of transactions and client information to comply with our AML/CTF obligations.

3. How we collect personal information

We collect personal information only by lawful and fair means.

We will collect personal information directly from the individual who is the subject of the information unless:

  • the individual has consented to collection of his or her Personal Information from a third party;
  • it is unreasonable or impractical to make a direct collection; and/or
  • we are required or authorised by law to collect his or her information from a third party.

We may collect personal information when you, your organisation, or those acting on your or your organisation’s behalf:

  • visit us or meet with our representatives;
  • communicate with us, including by physical post, email, social media, telephone or text message;
  • register to attend, present at or otherwise participate in a meeting, conference or event hosted or presented by us; and/or
  • engage us to provide services including when you supply ‘Know Your Client’ (KYC) Information, being information provided to us on request for the purpose of enabling us to fulfil our obligations under the AML/CTF Act as regards verifying your identity, enabling us to establish initial customer due diligence matters on reasonable grounds and to fulfil our ongoing customer due diligence requirements under the AML/CTF Act.

We may also collect personal information about you from public records where necessary.

We will let you know when we will collect personal information. When we collect information we will usually let you know why we are collecting the information, if we are required by law to collect the information and consequences of not providing the information

We will deal with any unsolicited personal or sensitive information in accordance with law. This includes destroying the information or ensuring it is de-identified where we are permitted to do so by law.

4. How we hold personal information

We treat the personal information (including sensitive information) that we receive and hold in accordance with strict professional obligations of confidentiality and legal professional privilege.

We hold personal information in physical records and electronic files, including electronic files on third party servers.

5. The purposes for which we collect, hold, use and disclose personal information

We collect, hold and use personal information for the purposes for which it was collected and related purposes including to:

  • provide or offer services to you;
  • respond to an individual’s request;
  • manage and account for the services;
  • manage our relationships with you and our other clients;
  • maintain contact with clients;
  • for general management and reporting purposes, such as invoicing and account management;
  • for recruitment purposes;
  • to comply with our legal and regulatory obligations, including under the AML/CTF Act;
  • to comply with legal processes, with may include disclosures to law enforcement, regulatory or government agencies;
  • provide to you information about legal developments, events, products or services that may be of interest to you;
  • facilitate our internal business operations, including fulfilling our professional obligations; and
  • for other purposes relating to our business.

Unless you consent to us doing so otherwise, we will only use your personal information for the primary purpose for which it was collected, and for any secondary purpose if you would reasonably expect, and the purpose is related to, the primary purpose of collection. Examples of secondary purposes you might reasonably expect are listed in the previous paragraph.

You may request not to receive direct marketing communications from us by contacting our Privacy Officer. You may also unsubscribe from our marketing emails.

Subject to legal requirements, we do not share your personal information with any third parties except:

  • with your express permission;
  • to contracted service providers to organise or facilitate the efficient and effective administration, management or delivery of our services. This may include service providers that support our due diligence processes associated with complying with our AML/CTF obligations; and
  • as required by law and subject to our professional obligations.

We may use or disclose your personal information in circumstances where required by law and/or expressly permitted by the Privacy Act, including if:

  • we have reason to suspect that unlawful activity or misconduct of a serious nature that relates to our activities or functions is being or has been engaged in, and we believe the collection, use or disclosure is necessary to take appropriate action in relation to the matter; or
  • we are compelled by law including:
    • by warrant or subpoena;
    • where we are required by request under statute or lawful order of a government agency or authority including law enforcement, courts and tribunals and regulators; and/or
    • to AUSTRAC and other government agencies without your knowledge or consent, including where we form a suspicion about a matter or transaction under the AML/CTF Framework.

Nothing in this Privacy Policy limits our obligations of confidentiality or client legal privilege. However, there may be circumstances where we are compelled to disclose confidential information to AUSTRAC under the AML/CTF Framework.

We are prohibited from notifying you of disclosures to AUSTRAC and may be prohibited from notifying you of disclosures to other government agencies or authorities.

6. International disclosures 

We may use and disclose your personal information in jurisdictions other than Australia or an external territory including where you have instructed us, as required by law or under our professional obligations, and as permitted under the APPs and this policy.

Some electronic services we use may process data offshore, including through Amazon Web Services (AWS) with servers located in the US, but those services are not entitled to access or use the personal information held by us except as required for delivery of the contracted service.

7. Access and correction of your personal information

We will take reasonable steps to ensure that your personal information is accurate, complete, up to date, and relevant whenever it is used, collected or disclosed.

You may request access to your personal information by contacting the Privacy Officer and you may request a correction of your personal information we hold about you.

We may charge you a fee where access is provided but not in relation to the correction of your personal information.

We will respond to your request for access or correction within a reasonable period after the request is made. We will also take reasonable steps to give you access in the manner you have requested.

We may not be required to give you access to your personal information in certain circumstances, such as if it would have an unreasonable impact on the privacy of other individuals, the information relates to existing or anticipated legal proceedings between us and you or it would be unlawful. Other circumstances where we may not be required to give you access include:

  • if we reasonably believe that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
  • giving access would have an unreasonable impact on the privacy of other individuals;
  • the request for access is frivolous or vexatious;
  • giving access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations;
  • denying access is required or authorised by or under an Australian law or a court/tribunal order;
  • the organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the organisation’s functions or activities has been, is being or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter;
  • giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  • giving access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision making process.

Where we refuse to give you access to, or do not correct, your personal information we will provide you with written notice of our refusal.

If you wish to have your personal information deleted, please let us know and we will take all reasonable steps to delete, de-identify or destroy it immediately (unless we need to keep it for legal or internal risk management reasons, or compliance with our professional obligations).

8. Security of personal information

We will take reasonable steps to protect your personal information held in physical and electronic form from misuse, interference and loss and from unauthorised access, modification or disclosure.

All persons within Pengelly & Co Legal with access to confidential information are subject to confidentiality obligations.

Where a data breach occurs and is likely to result in serious harm, we will comply with the Notifiable Data Breaches scheme in the Privacy Act, including notifying the OAIC and affected individuals, as required.

When we consider that personal information is no longer needed for any purpose for which the information may be used or disclosed in accordance with this Policy and that we are not required by law or court order to retain the Personal Information, we will take reasonable steps to destroy or de-identify the information. AML/CTF and KYC information and transaction records are kept for seven years after the business relationship ends or the transaction is completed.

9. Complaints

If you believe we may have breached the APPs or failed to comply with our Privacy Policy please contact our Privacy Officer, Jessica Pengelly, on +61 474 301 434 or by email at jessica@pengellyco.com.au