Privacy Policy for AML/CTF Obligations
Blaze Business & Legal Pty Ltd ABN 45 652 018 383
Privacy Officer: Rachelle Hare
AML/CTF Compliance Officer: Rachelle Hare
Email: enquiry@blazebusinessandlegal.com.au
Phone: (07) 3063 3373
Address: Suite 8, Level 7, 154 Melbourne Street, South Brisbane QLD 4101
Date reviewed: June 2026
Our Commitment
We are committed to protecting your privacy. We collect, use, share and manage Personal Information only as reasonably necessary to carry out our functions and activities, including where we provide you with Designated Services under the AML/CTF Framework.
If we provide, prepare to provide, or reasonably anticipate that we may provide Designated Services to you, we will handle your Personal Information openly and transparently, subject to our legal obligations, in accordance with this policy.
What This Policy Covers
This policy applies only to Personal Information handled in connection with our AML/CTF obligations under the AML/CTF Framework. All other services we provide, including our legal services and business advisory services, are handled under our general confidentiality obligations, and the Privacy Act does not apply to Personal Information we collect for those services.
Meaning of Terms Used in This Policy
In this policy, the terms listed below have the following meanings.
AML/CTF Act
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
AML/CTF Framework
The AML/CTF Act, AML/CTF Rules and AUSTRAC-issued guidance.
AML/CTF Rules
Anti-Money Laundering and Terrorism Financing Rules 2025 (Cth) made under the AML/CTF Act.
APLYiD
APLYiD Pty Ltd, ABN 36 632 866 794, an accredited identity verification provider, and its authorised sub-providers.
APPs
The Australian Privacy Principles in Schedule 1 of the Privacy Act.
AUSTRAC
Australian Transaction Reports and Analysis Centre.
Designated Services
The services described in Table 6 of section 6 of the AML/CTF Act that we provide or anticipate providing, including:
- assisting a client to plan, execute, or act on their behalf in buying, selling, or transferring a body corporate or legal arrangement (including a company, trust, or business);
- assisting a client to plan, organise, execute, or act on their behalf in a transaction for equity or debt financing related to a body corporate or legal arrangement;
- assisting a client to plan, execute, or act on their behalf in the creation or restructuring of a body corporate or legal arrangement;
- where we assist a client, acting as, or arranging for another person to act as, a company director or secretary, a power of attorney, a partner, a trustee, or an equivalent position on behalf of a nominator; and
- where we assist a client, acting as, or arranging for another person to act as, a nominee shareholder for a body corporate or legal arrangement on behalf of a nominator.
DVS
The Australian Government’s Document Verification Service, a national online system that allows authorised organisations to verify identity documents against records held by the issuing Commonwealth or State authority.
KYC Information
Information sufficient to establish initial customer due diligence on reasonable grounds, or to fulfil our ongoing customer due diligence obligations, under the AML/CTF Act, including:
- the identity of our client;
- the identity of any person on whose behalf our client is receiving the service;
- the identity of any person acting on behalf of the client, including their authority to act;
- where the client is not an individual, the identity of any beneficial owners;
- whether the client, any beneficial owner, or any person acting on their behalf is a politically exposed person or a person designated for targeted financial sanctions;
- information regarding source of wealth and source of funds;
- the nature and purpose of the business relationship or transaction; and
- any other matter specified in the AML/CTF Rules.
OAIC
Office of the Australian Information Commissioner.
Personal Information
Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not, provided to us for the purposes of, or in connection with, our AML/CTF obligations.
Privacy Act
Privacy Act 1988 (Cth).
Sensitive Information
A subset of Personal Information that includes information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record; health information; genetic information that is not otherwise health information; biometric information used for automated biometric verification or identification; and biometric templates.
We, us, our
Blaze Business & Legal Pty Ltd ABN 45 652 018 383, practising as Blaze Business & Legal.
What Privacy Law Applies
We are a small business operator under section 6D of the Privacy Act. We become subject to the Privacy Act, in relation to AML/CTF-related activities, by operation of section 6E(1A) of that Act.
The Privacy Act, including the APPs, applies only to our collection, use, sharing and management of Personal Information required to comply with our obligations under the AML/CTF Framework. Our other client information-handling activities, including information handled for our legal services and business advisory services, are governed by our confidentiality obligations under the Legal Profession Act 2007 (Qld), the Australian Solicitors’ Conduct Rules, and our general contractual obligations.
Under APP 2, you may interact with us anonymously or using a pseudonym where this is lawful and practicable. Where we ask you to provide Personal Information, we do so because we are required to identify and verify you under the AML/CTF Framework, and anonymous interaction is not possible in those circumstances.
We conduct ongoing monitoring of transactions and client information to comply with our AML/CTF obligations.
How We Collect Personal Information
We collect Personal Information only by lawful and fair means.
We collect Personal Information directly from the individual who is its subject unless the individual has consented to collection from a third party, direct collection is unreasonable or impracticable, or we are required or authorised by law to collect information from a third party.
We may collect Personal Information when you, your organisation, or those acting on your behalf:
- meet with us in person or by telephone, video conference, email, or other correspondence;
- engage us to provide services, including when you supply KYC Information in response to a direct request from us; or
- register to attend or participate in a meeting, conference, or event hosted or presented by us.
We will provide you with a collection notice at or before the time we collect your Personal Information.
Personal Information We Collect
We are required by law under the AML/CTF Act to collect and verify certain Personal Information and may be unable to provide Designated Services if we cannot do so.
We collect KYC Information as required by the AML/CTF Act, which may include names, addresses, contact details, date of birth, document types and numbers, source of wealth and funds, and information about ownership and control structures. We may also collect Sensitive Information where required for compliance with the AML/CTF Framework or where otherwise permitted by law.
Identity Verification and the Document Verification Service
To verify your identity, we may use electronic identity verification services, including the Australian Government’s Document Verification Service (DVS).
Where you have consented, your name, date of birth and identity document details will be securely sent to the relevant Commonwealth or State authority that issued your document. This may include passport offices, driver licence authorities, the Department of Home Affairs, Births Deaths and Marriages, or other authorised record holders. Those authorities check whether the details you have provided match the records they hold.
We do not receive a copy of your government records. The authority returns a match result only, confirming whether your details match (yes or no).
This process may be carried out through accredited identity verification providers, including APLYiD and its sub-providers. More information about the DVS is available at idmatch.gov.au.
We may also use a credit reporting body for electronic identity verification. Where we do so, we will seek your express consent before proceeding and will offer you an alternative means of verification (such as production of identity documents), as required by law.
Biometric Information
As part of identity verification, we may collect biometric information, such as a facial image or a short video of you holding your identity document.
Biometric information may be used to:
- confirm that you are a real person and physically present;
- match your image to the photograph on your identification document; and
- reduce the risk of fraud and identity theft.
Biometric information is Sensitive Information under the Privacy Act. We only collect and use biometric information for identity verification and related compliance purposes, and only with your consent.
Consent to Collection and Identity Verification
By providing your Personal Information and completing the identity verification process, you consent to:
- the collection, use and disclosure of your Personal Information for identity verification, AML/CTF and related compliance purposes;
- the collection and use of biometric information, such as a facial image or video, for identity verification;
- your information being checked against records held by Commonwealth and State authorities through the DVS; and
- your information being shared with our authorised identity verification providers, including APLYiD.
Your consent is voluntary. You can withdraw your consent at any time by contacting our Privacy Officer using the details at the end of this policy.
If you do not consent, or do not provide the information we need, we may not be able to verify your identity electronically. In that case, we may need to verify your identity in another way, or we may not be able to provide our services to you.
What Happens If You Do Not Provide Requested Personal Information
If you do not provide requested Personal Information, we may be unable to provide Designated Services or comply with our legal obligations under the AML/CTF Framework. We may therefore be required to decline to act for you or provide you with services, and should this occur during the course of an ongoing engagement, we may need to terminate our services effective immediately.
Why We Collect Personal Information
We collect and use Personal Information to carry out our functions and activities, including providing you with Designated Services and complying with our regulatory obligations in relation to those services under the AML/CTF Framework and other applicable legislation.
Unless you consent otherwise, we will only use your Personal Information for the primary purpose for which it was collected, or for a secondary purpose you would reasonably expect that is related to the primary purpose. For Sensitive Information, any secondary purpose will be one you would reasonably expect and that is directly related to the primary purpose.
Disclosure of Personal Information
Third parties
Subject to legal requirements, we do not share your Personal Information with third parties except with your express permission, or to contracted service providers engaged to facilitate the administration, management, or delivery of our services, including service providers that support our due diligence processes, such as APLYiD. We use reasonable endeavours to ensure that those service providers commit to protecting your Personal Information and agree not to use or disclose it for any other purpose, except as required by law.
Legal requirements
We may use or disclose your Personal Information where required or authorised by law, including:
- where we reasonably believe disclosure is necessary to prevent a serious threat to life, health, or safety;
- where we have reason to suspect unlawful activity or serious misconduct relating to our functions and believe disclosure is necessary to take appropriate action; or
- where we are compelled by law, including by warrant or subpoena or by order of a government agency, court or tribunal, or where we are compelled to disclose to AUSTRAC and other government agencies without your knowledge or consent, including where we form a suspicion under the AML/CTF Framework.
Nothing in this policy limits our confidentiality obligations or client legal privilege. There are circumstances, however, where we are compelled to disclose confidential information to AUSTRAC under the AML/CTF Framework. We are prohibited from notifying you of such disclosures and may be prohibited from notifying you of disclosures to other government agencies or authorities.
Business transactions
If we are involved in a merger, acquisition, or asset sale, your Personal Information may be disclosed in confidence as part of a due diligence process and may be transferred to the new owner. We will notify you before your Personal Information is transferred and becomes subject to a different privacy policy.
How We Protect Your Information
We may hold Personal Information in electronic and hard-copy formats. We take reasonable steps to protect that information from misuse, interference, loss, and unauthorised access, modification, or disclosure, including through:
- staff training on privacy obligations when handling Personal Information;
- administrative and technical controls to restrict access to authorised personnel only; and
- technological security measures, including firewalls, encryption, and anti-virus software.
Where a data breach is likely to result in serious harm, we will comply with the Notifiable Data Breaches scheme under the Privacy Act, including notifying the OAIC and affected individuals as required.
When we consider Personal Information is no longer needed for any purpose for which we may use or disclose it under this policy, and we are not required by law or court order to retain it, we will take reasonable steps to destroy or de-identify that information. Our record retention obligations are set out in the section below.
Retention and Destruction of Personal Information
From 1 July 2026, the AML/CTF Act does not require us to keep scanned or photocopied identity documents for record-keeping purposes. We retain only the specific Personal Information from identity documents that is necessary to demonstrate compliance with our customer due diligence obligations, for example, name, date of birth, residential address, document type, document number, date of expiry, the outcome of our verification, and our assessment of money-laundering and terrorism-financing risk.
KYC Information and transaction records are retained for seven years after the end of the business relationship or after the date of the last occasional transaction, as required by the AML/CTF Framework. Once those retention periods have expired and no other permitted purpose exists for holding the information, we will take reasonable steps to destroy or de-identify that information.
Can Your Personal Information Be Accessed Offshore?
We use reasonable endeavours to maintain your Personal Information physically and electronically within Australia, unless we have agreed with you to share your Personal Information with third parties offshore (such as legal experts in another jurisdiction).
Some of our service providers, including APLYiD, may store or process Personal Information outside Australia. Where this occurs, we use reasonable endeavours to ensure that your Personal Information is handled in a manner consistent with the Australian Privacy Principles, including through contractual protections with those providers.
Accessing and Correcting Your Personal Information
We will respond to inquiries from you regarding whether we hold Personal Information about you, and will allow you to access and correct that information, subject to our contractual arrangements where information is held by a third party and the conditions and limitations in the Privacy Act, including where:
- giving access would pose a serious threat to life, health, or safety;
- access would have an unreasonable impact on the privacy of other individuals;
- the request is frivolous or vexatious;
- giving access would be unlawful (including, for example, where it would constitute tipping off under section 123 of the AML/CTF Act, in which case our written notice refusing access will not explain why);
- denying access is required or authorised by Australian law or a court or tribunal order;
- giving access would reveal the intentions of our practice in relation to negotiations with you in a way that would prejudice those negotiations; or
- giving access would be likely to prejudice one or more enforcement-related activities conducted by or on behalf of an enforcement body.
To request access to or correction of your Personal Information, please contact our Privacy Officer. We may ask you to verify your identity before providing access or making corrections. We may charge a reasonable fee for providing access but will not charge for making a correction.
We will take reasonable steps to respond to access requests and to correct Personal Information within 30 days of receiving your request.
Complaints About Our Information Handling
All privacy-related inquiries and complaints are handled by our Privacy Officer. If you have concerns about how we manage your Personal Information, or believe we have breached the APPs, please contact our Privacy Officer in writing with the details of your complaint.
When you lodge a complaint, we will:
- acknowledge receipt within a reasonable time, usually within seven days;
- conduct an internal investigation, which may involve reviewing the circumstances of the collection, use, or disclosure of your information and assessing our compliance with the Privacy Act, and we may contact you to request further information; and
- endeavour to provide you with a written response within 30 days of receiving your complaint, setting out the outcome of our review and any corrective action we propose to take.
If you are not satisfied with our response, or if we do not resolve your complaint within 30 days, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au/privacy/privacy-complaints.
Privacy Officer: Rachelle Hare
Email: enquiry@blazebusinessandlegal.com.au
Phone: (07) 3063 3373
Address: Suite 8, Level 7, 154 Melbourne Street, South Brisbane QLD 4101
If you require a copy of this policy in a different format, please contact our Privacy Officer.
Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or in the law. The current version of this policy is always available at blazebusinessandlegal.com.au/privacy-policy/.
We will notify you of significant changes where we reasonably can, but we do not guarantee that you will receive notification of every update. We encourage you to check this policy periodically on our website to ensure you are aware of any changes. Your continued engagement with us following a change to this policy constitutes your acceptance of the updated policy.