Introduction
Johanne Thomas Legal Pty Ltd ACN 679 576 446 (referred to as Johanne Thomas Legal, we, our, or us) is committed to the protection of Personal Information in accordance with the Privacy Act 1988 (Cth) (the Privacy Act), including the Australian Privacy Principles (APPs), and recognises the importance of ensuring the confidentiality and security of your Personal Information.
This Privacy Policy describes the way we collect, hold, use, and disclose Personal Information in accordance with the Privacy Act and the APPs. It is not intended to cover categories of Personal Information that are not covered by the Privacy Act or the Australian Privacy Principles.
All third parties (including clients, suppliers, contractors, or agents) that have access to or use Personal Information collected and held by Johanne Thomas Legal must abide by this Privacy Policy and Collection Statement (Privacy Policy). Johanne Thomas Legal makes this Privacy Policy available free of charge, and it can be downloaded from our website: https://johannethomaslegal.com.au/

Definitions and Interpretation

For the purpose of this Privacy Policy:

• AML Information means the Personal Information that we collect and hold as part of complying with our AML/CTF obligations, including (but not limited to) customer due diligence related information.

• AML/CTF Obligations means our obligations as a reporting entity enrolled with the AUSTRAC, as set out in the AML/CTF Legislation.

• AML/CTF Legislation means the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and the Anti-money Laundering and Counter-Terrorism Financing Rules 2025 (Cth), as amended from time to time.

• AUSTRAC means Australian Transaction Reports and Analysis Centre.

• Australian Privacy Principles means the principles set out in schedule 1 of the Privacy Act.

• Business Day means any day of the week except a Saturday, Sunday or a day which is an official public holiday in the city of Perth.

• Disclosure of information means providing information to persons outside Johanne Thomas Legal.

• Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not, and whether recorded in a material form or not, and includes AML Information.

• Privacy Act means the Privacy Act 1988 (Cth) as amended from time to time.

• Privacy Officer means Johanne Thomas.

• Sensitive Information is Personal Information that includes information relating to a person's racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, sexual preferences and criminal record, and also includes health information.

• Suspicious Matter Report means a report that we are required to submit to AUSTRAC if a suspicious matter reporting obligation arises as defined in section 41 of the AML/CTF Act.

• Tipping off prohibition means a disclosure to a person that we have lodged, are required to lodge, or have prepared, a Suspicious Matter Report to lodge with AUSTRAC, where such disclosure would or could reasonably be expected to prejudice a criminal investigation and is not otherwise permitted under the AML/CTF Legislation.

• Use of information means use of information within Johanne Thomas Legal.

• Website means the website accessible via the internet or similar network that is owned, operated or made available by or on behalf of Johanne Thomas Legal, including any associated domains, subdomains and content. The URL of the Johanne Thomas Legal Website at the date of this Privacy Policy is www.johannethomaslegal.com.au.

• You means an individual in respect of whom we have collected and hold Personal Information, or intend to do so.

  
  

Who do we collect Personal Information about?

The Personal Information we may collect and hold includes (but is not limited to) Personal Information about:

• clients, including potential clients and past clients

• service providers or suppliers

• prospective, current and past employees and contractors

• accountants, solicitors, barristers and other individuals who provide services to our clients

• trustees, executors, appointors, guardians, settlors and beneficiaries of trusts and estates administered by our clients or similar roles or offices of other types of legal arrangements

• shareholders and officeholders of companies associated with our clients

• individuals with a connection to a client that uses our service (for example, an officeholder, employee, consultant or agent of a corporate client or other legal arrangement), and

• other third parties with whom we come into contact.

  
  

What kind of Personal Information do we collect and hold?

We may collect and hold Personal Information from you and other individuals that is reasonably necessary:

• to provide you with our services

• for us to carry out one or more of our functions or activities, or

• to enable us to comply with our legal obligations (which include our AML/CTF Obligations).

The Personal Information we may collect for these purposes include your:

• name

• gender

• date of birth

• address

• phone numbers

• email addresses

• occupation

• bank account and other payment details

• driver’s licence details

• passport details

• details of other documents relevant to verifying your identity

• financial and tax information, including details of:

  • your investments, properties and other assets

  • your liabilities

  • your business interests

  • trusts, companies and other legal arrangements associated with you

  • your insurance policies

  • your estate planning

  • taxation information and records

  • health information

  • ABN/ACN

• source of wealth and source of funds

• employment history

• qualifications

• payroll tax information;

• superannuation information; and

• Sensitive Information not otherwise listed above.

  
  

How do we collect Personal Information?

We generally collect Personal Information directly from you. For example, Personal Information is collected through our file opening and other administrative processes such as completing forms, and other interactions that we may have with you or a third party that you are associated with, in the course of providing you with our services, including when you call us or send us correspondence.

We may also collect Personal Information about you through publicly available sources, from a third party – such as electronic verification services and referrers and websites.

We will not collect Sensitive Information about you without your consent, unless an exemption in the APPs applies. These exceptions include if the collection is required or authorised by law, or necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct.

If you do not provide us with the Personal Information we request, we may not be able to provide you with the benefit of our services or meet your needs appropriately.

We do not give you the option of dealing with us anonymously, or under a pseudonym. This is because it is impractical, and in some circumstances illegal, for Johanne Thomas Legal to deal with individuals who are not identified. We are also obligated under AML/CTF Legislation to identify who we are dealing with for certain matters.

Why do we collect and hold Personal Information?

As above, we collect Personal Information so that we can provide our services and carry out the necessary functions to enable us to provide those services, including complying with the law.

We may use and disclose the information we collect about you for the following purposes:

• complying with our legal and regulatory obligations (including, but not limited to, our AML Obligations)

• providing you with our products and services

• reviewing and meet your ongoing needs

• providing you with information we believe may be relevant or of interest to you

• considering any concerns or complaints you may have

We may use and disclose your Personal Information for any of these purposes. We may also use and disclose your Personal Information for secondary purposes which are related to the primary purposes set out above, or in other circumstances authorised by the Privacy Act.

Sensitive Information will be used and disclosed only for the purpose for which it was provided (or a directly related secondary purpose), unless you agree otherwise, or an exemption in the Privacy Act applies.

Who might we disclose Personal Information to?

We may disclose Personal Information to:

• a related entity of Johanne Thomas Legal

• an agent, contractor or service provider we engage to carry out our functions and activities, such as our lawyers, accountants, administrative assistants, debt collectors or other advisers

• third party vendors we engage or use to assist us in carrying out our functions and activities or otherwise assist us in complying with our professional and legal obligations

• a lawyer, barrister, accountant, valuer or other professional engaged to assist with your matter

• an opposing law firm, lawyer or party

• organisations involved in managing payments, including payment merchants and other financial institutions such as banks

• regulatory bodies, government agencies, law enforcement bodies and courts

• anyone else to whom you authorise us to disclose it

• any person or entity to comply with our legal obligations, including our AML/CTF Obligations.

If we disclose your Personal Information to service providers that perform business activities for us, they may only use your Personal Information for the specific purpose for which we supply it.

Unsolicited Personal Information

We may receive unsolicited Personal Information about you. If this occurs, we will comply with our obligations under the Privacy Act. We may destroy or de-identify all unsolicited Personal Information we receive, unless it is relevant to our purposes for collecting Personal Information. We may retain additional information we receive about you if it is combined with other information we are required or entitled to collect. If we do this, we will retain the information in the same way we hold your other Personal Information. You acknowledge that we may de-identify and/or destroy this information unless we are required to keep it by law.

Click stream data

When you visit and browse our Website, our Website host may collect Personal Information for statistical, reporting, and maintenance purposes. Personal Information collected by our Website host will not be used to identify you. The information may include:

(a) the number of users visiting our Website and the number of pages viewed

(b) the date, time, and duration of a visit

(c) the IP address of your computer; or

(d) the path taken through our Website.

Johanne Thomas Legal’s Website host uses this information to administer and improve the performance of our Website, including to assist with the diagnoses of and to provide support for any issues with our Website or services.

Sending information overseas

We may disclose Personal Information to locations outside Australia in some circumstances, specifically:

(a) third party vendors that provide internet data storage and cloud computer access systems; and

(b) contractors that assist us with business administrative functions, including, but not limited to, invoicing.

In relation to (b) above, please note that contractors are not provided with:

(a) any Sensitive Information; or

(b) general access to our network or computer database.

It is not practical to list all the potential countries in which Personal Information may be disclosed, however, they are likely to include the following countries or regions:

• United States of America;

• Singapore;

• Philippines

• European Union; and

• New Zealand.

We will not send Personal Information to recipients outside of Australia unless:

• we have taken reasonable steps to ensure that the recipient does not breach the Act and the APPs;

• the recipient is subject to an information privacy scheme similar to the Privacy Act; or

• the individual has consented to the disclosure.

If you consent to your Personal Information being disclosed to an overseas recipient, and the recipient breaches the APPs, we will not be accountable for that breach under the Privacy Act, and you will not be able to seek redress under the Privacy Act.

Management of Personal Information

We recognise the importance of securing the Personal Information of our customers. We will take steps to ensure your Personal Information is protected from misuse, interference or loss, and unauthorised access, modification or disclosure. Such steps include technical and organisational measures.

Your Personal Information is generally stored in our computer database. Any paper files are stored in secure areas. In relation to information that is held on our computer database, we apply the following guidelines:

• Johanne Thomas Legal is owned and operated solely by Johanne Thomas. There are no employees.

• a strong password or facial recognition is required to access the system.

• contractors are not provided with general access to the system, and may be sent selected documents on which to work from time to time. Such documents may contain Personal Information, but will not contain Sensitive Information. See further at items 10 above and 12 below.

• contractors are required to comply with our standard operating procedures and policies for securing any Personal Information.

• unauthorised persons are barred from updating and editing Personal Information.

• all computers which contain Personal Information are secured both physically and electronically, and are subject to regular anti-virus software updates.

• print reporting of data containing Personal Information is limited.

  
  

Contractual arrangements with third parties

We will make third parties that we contract with aware of this Privacy Policy, and will also ensure that those third parties have implemented policies in relation to the management of your Personal Information in accordance with the Privacy Act.

These policies include:

(a) regulating the collection, use and disclosure of Personal Information

(b) de-identifying Personal Information wherever possible

(c) ensuring that Personal Information is kept securely, with access to it only by authorised employees or agents of the third parties

(d) ensuring that Personal Information is only disclosed to organisations which are approved by us.

When disclosing Personal Information about an individual, we ensure that we will not breach the Tipping off prohibition.

Identifiers

We do not adopt identifiers assigned by the Government (such as drivers’ licence numbers) for our own file recording purposes, unless required to by our AML/CTF Obligations.

How do we keep Personal Information accurate and up-to-date?

We are committed to ensuring that the Personal Information we collect, use, hold and disclose is relevant, accurate, complete and up-to-date. You can update your Personal Information at any time by contacting us by email at admin@johannethomaslegal.com.au or in any of the ways specified in our privacy collection statement. We welcome any changes to your Personal Information to keep our records up to date.

Where we are satisfied that information is inaccurate, we will take reasonable steps to correct the information within 30 days, unless you agree otherwise. We do not charge you for correcting the information.

How long will we keep your Personal Information?

We will keep your Personal Information only for as long as required for our business purposes and as required by law, including as required to comply with our AML Obligations.

Where there is no longer a need to keep your Personal Information, we will take reasonable steps to destroy your Personal Information.

We have implemented defined data destruction periods.

If you wish to have your Personal Information destroyed or de-identified, please let us know, and we will take reasonable steps to do so (unless we need to keep it for legal, auditing, or internal risk management reasons).

Accessing your Personal Information

Subject to the exceptions set out in the Privacy Act, you may gain access to the Personal Information that we hold about you by contacting our Privacy Officer. We will provide access within 30 days of the individual’s request. If we refuse to provide the information, we will provide reasons for the refusal.

We will require identity verification and specification of what information is required. An administrative fee for search and photocopying costs may be charged for providing access.

Updates to this Privacy Policy

This Privacy Policy is reviewed from time to time to take account of new laws, regulations and technology, and changes to our operations and the business environment. We ensure that we stay informed of any issues or developments in relation to the application of the Privacy Act and any changing legal obligations by subscribing to the OAIC’s newsletter (Information Matters newsletter | OAIC).

We monitor for, and address any new security threats or risks, by signing up to alerts from the Australian Signals Directorate (Sign up for alerts | Cyber.gov.au).

Responsibilities

It is the responsibility of management to inform relevant third parties about this Privacy Policy and any changes to this Privacy Policy.

Privacy breaches must be reported to management by relevant third parties. Ignorance of this Privacy Policy will not be an acceptable excuse for non-compliance. Relevant third parties that do not comply with this Privacy Policy may be subject to disciplinary action.

Notifiable data breaches

We maintain a data breach response process. Where we suspect unauthorised access, disclosure or loss of Personal Information, we will take steps to contain and assess the incident.

If a breach is likely to result in serious harm and is an ‘eligible data breach’, we will comply with our obligations under the Notifiable Data Breaches scheme, including notifying affected individuals and the Office of the Australian Information Commissioner where required.

How to contact us, and making a complaint

We have a complaints handling process in place to manage privacy risks and issues.

The complaints handling process involves:

• identifying (and addressing) any systemic/ongoing compliance problems

• increasing consumer confidence in our privacy procedures, and

• helping to build and preserve our reputation and business.

You can make a complaint to us about the treatment or handling of your Personal Information by lodging a complaint with the Privacy Officer.

If you have any questions about this Privacy Policy, or wish to make a complaint about how we have handled your Personal Information, you can email – admin@johannethomaslegal.com.au, or phone Johanne Thomas on 0413 457 018.

If you are not satisfied with our response to your complaint, you can also refer your complaint to the Office of the Australian Information Commissioner by:

• telephoning – 1300 363 992

• writing – Director of Complaints, Office of the Australian Information Commissioner, GPO Box 5218, SYDNEY NSW 2001

Your rights

This Privacy Policy contains information about how:

• you may access the Personal Information we hold about you

• you may seek the correction of your Personal Information

• you may complain about a breach of the Privacy Act, including the APPs, and

• we will deal with a privacy complaint.