Stacks Privacy Policy
We understand that your privacy is important. We are committed to protecting your personal information and handling it in accordance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs).
Stacks is a network of locally owned and independent law firms in Australia. The network includes:
- Stacks Law Group Pty Ltd (Stacks Law Group), which provides network, brand, administrative, technology, compliance and support services; and
- independent law firms that operate under the Stacks name (Member Firms).
In this Policy, Stacks, we, us and our means Stacks Law Group and/or one or more Member Firms, depending on the context.
This Policy explains how we collect, hold, use and disclose personal information. Please read this Policy carefully and contact us if you have any questions.
The Stacks network operates through independent Member Firms. This means responsibility for your personal information may depend on how you interact with us.
Generally:
- if you make an enquiry with, or become a client of, a Member Firm, that Member Firm will generally be the primary APP entity responsible for handling your personal information;
- if you contact Stacks through a central website, telephone number, marketing campaign, online form or other shared service, Stacks Law Group may collect your information and then provide it to the relevant Member Firm;
- if Stacks Law Group provides administrative, technology, compliance, marketing, risk management, training or operational support to a Member Firm, Stacks Law Group may handle personal information for those purposes; and
- in some cases, more than one Member Firm or Stacks Law Group may handle your information if this is needed to provide legal services, manage a referral, deal with a conflict check, comply with legal obligations, or operate the Stacks network.
All Member Firms and Stacks Law Group are expected to handle personal information securely and in accordance with privacy, confidentiality and professional obligations.
The kinds of personal information we collect depend on your dealings with us and the nature of the services we provide.
We may collect:
- General information, including: name, contact details, date of birth, occupation, financial details, employer or business details, information about your legal matter, information about your dealings with us, records of communications with us, website, device, browser and analytics information, other information you provide to us, or other information relevant to your matter.
- Sensitive information (where required or permitted by law and reasonably necessary for our functions or activities), including: health or medical history, criminal history, biometric information or other sensitive information relevant to your matter.
- Government identifiers and information (where required or permitted by law and reasonably necessary for our functions or activities), including: driver licence details, passport details, Medicare details, Centrelink details, Tax File Number, visa or immigration information, or other Government identifiers or information relevant to your matter.
- AML/CTF information (where required or permitted by law and reasonably necessary to comply with anti-money laundering and counter-terrorism financing laws), including: identity documents and information, source of funds and source of wealth, the nature and purpose of a proposed transaction or matter, politically exposed person screening information, information about the ownership, control and structure of companies, trusts, partnerships or other entities, and/or directors, shareholders, trustees, beneficiaries, partners, officeholders, beneficial owners and controllers, or other information needed to comply with applicable AML/CTF obligations.
We usually collect personal information directly from you (enquiries, forms, documents, emails, SMS or other communications, etc).
In some instances, this may not be possible or appropriate so we may also collect personal information from other sources where this is lawful and reasonably necessary, including from:
- your representatives, agents, advisers, brokers, banks or family members;
- other parties to a transaction, dispute or matter;
- courts, tribunals, regulators and government agencies;
- experts, consultants and other service providers;
- employers, medical providers or other third parties relevant to your matter;
- public registers, including ASIC, ABR, land title, court and insolvency registers;
- identity verification, AML/CTF, sanctions screening and fraud prevention providers;
- referral sources; and
- publicly available sources, including websites and social media.
We collect, hold, use and disclose personal information for purposes connected with our legal practice, business operations and legal obligations.
These purposes include:
- providing legal advice and services;
- assessing enquiries and managing client relationships;
- verifying identity and conducting due diligence and conflict checks;
- communicating with you and others involved in your matter;
- complying with legal obligations (including AML/CTF laws);
- managing billing, risk, compliance and business operations;
- dealing with suppliers and service providers;
- managing referrals within the Stacks network;
- providing administrative, technology, compliance and business support across the Stacks network;
- assessing job applications and managing recruitment;
- sending legal updates, newsletters, event invitations and marketing communications; and
- any other purpose required or permitted by law.
If you do not provide information we reasonably request, we may not be able to act for you, continue acting for you, provide a service, respond to an enquiry, or comply with our legal obligations.
Australian anti-money laundering and counter-terrorism financing laws may require us to collect, verify and retain personal information about clients and related persons.
We may use and disclose AML/CTF-related information to:
- verify identity;
- understand ownership and control structures;
- assess and manage money laundering and terrorism financing risks;
- conduct ongoing monitoring;
- comply with reporting, record-keeping and other obligations;
- respond to lawful notices, requests or requirements from regulators or law enforcement agencies; and
- report matters to AUSTRAC or another authority where required or permitted by law.
In some circumstances, AML/CTF laws may limit what we can tell you about certain actions we take, including where doing so would breach tipping-off restrictions.
If we cannot collect or verify information required for AML/CTF compliance, we may not be able to act, or continue acting, for you.
Because Stacks operates as a network of independent Member Firms supported by Stacks Law Group, personal information may be shared within the Stacks network where reasonably necessary for our functions or activities or otherwise permitted by law.
This may include sharing information:
- from Stacks Law Group to a Member Firm when an enquiry is referred;
- from a Member Firm to Stacks Law Group for administrative, technology, compliance, risk, marketing, training, billing, reporting or operational support;
- between Member Firms where needed to manage a referral, conflict check, client enquiry, matter transfer, joint matter, or related legal service;
- for network-wide risk management, insurance, quality assurance, cyber security, data management or compliance purposes;
- to operate shared systems, websites, databases, document management platforms or communication tools; and
- where required or permitted by law.
We will only share personal information within the Stacks network where there is a proper basis to do so. Each Stacks entity that handles personal information must take reasonable steps to protect it from misuse, interference, loss and unauthorised access, modification or disclosure.
We may disclose personal information where reasonably necessary for the purposes set out in this Policy.
This may include disclosure to:
- other Stacks Member Firms;
- Stacks Law Group;
- courts, tribunals, commissions and dispute resolution bodies;
- regulators, government agencies and law enforcement bodies;
- AUSTRAC, where required or permitted by AML/CTF laws;
- other parties involved in a matter or transaction;
- barristers, experts, consultants, investigators, mediators and other legal service providers;
- foreign lawyers or overseas advisers where needed for a matter;
- banks, financial institutions, insurers and brokers;
- accountants, tax advisers and other professional advisers;
- identity verification, AML/CTF, sanctions screening and fraud prevention providers;
- technology, cloud, data storage, cyber security and software providers;
- document management, photocopying, archiving and mailing providers;
- marketing, analytics and research providers;
- debt recovery providers;
- recruitment agencies, referees and employment screening providers;
- insurers and professional indemnity providers;
- auditors, consultants and advisers who assist our business;
- third parties involved in a proposed restructure, merger, sale or transfer of part of our business; and
- any person or organisation where you have consented to the disclosure or where disclosure is required or permitted by law.
We do not sell, rent or trade your personal information.
Where we disclose information to service providers, we take reasonable steps to ensure they handle personal information securely and consistently with applicable privacy obligations.
We generally aim to store personal information in Australia where reasonably practicable. However, we may disclose personal information to overseas recipients where necessary for our legal services, legal obligations, business operations, or technology systems (for example with cloud or technology providers or where matters involve foreign parties).
Countries may include New Zealand, Singapore, the UK, the US, the EU and other countries where service providers or matters require.
We take reasonable steps to ensure overseas recipients handle information consistently with Australian privacy law.
We may use your contact details to send you legal updates, newsletters, event invitations or information about services that may be relevant to you.
You can opt out of direct marketing at any time by:
- using the unsubscribe function in an email;
- contacting the lawyer or staff member you deal with; or
- contacting our Privacy Officer using the details at the end of this Policy.
We will not use sensitive information for direct marketing unless permitted by law.
When you use our websites or online services, we may collect information using cookies, analytics tools and similar technologies. We use this information to operate and improve our services, personalise content where appropriate and to maintain security.
You can manage cookies through your browser settings. If you disable cookies, some website functions may not work properly.
Our websites may contain links to third-party websites. We are not responsible for the privacy practices of those websites. You should review their privacy policies before providing personal information to them.
We may use artificial intelligence tools to support legal services and business operations.
Where we use AI tools, we take reasonable steps to ensure they meet our privacy, confidentiality, data security, professional and ethical requirements. We do not knowingly use personal information to train public AI models or enter personal information into publicly available AI tools unless appropriate safeguards are in place and the use is permitted.
If we use automated decision-making in a way that could reasonably be expected to significantly affect your rights or interests, we will take reasonable steps to tell you about that use where required by law and provide information about how you may raise concerns or request human review.
If you have questions about how AI or automated tools may be used in your matter, please contact your supervising lawyer or our Privacy Officer.
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure, including:
- secure systems and access controls;
- encryption and cyber security measures;
- staff training and confidentiality obligations; and
- contractual controls with service providers.
No system is completely secure. If you believe your personal information held by us has been compromised, please contact us promptly using the details below.
We keep personal information only for as long as reasonably necessary for the purposes for which it was collected, or as required or permitted by law.
For legal matters, we generally retain legal files for at least 7 years after the matter is closed, unless a longer or shorter period applies. Some documents may need to be kept for longer, such as wills, deeds, trust documents, property documents or records required for legal, professional, insurance, tax, AML/CTF or regulatory purposes.
When we no longer need personal information, we will take reasonable steps to destroy it or de-identify it.
Where information is held electronically and cannot reasonably be destroyed or de-identified without affecting other information we are required to keep, we may restrict access and place the information beyond active use.
If we suspect that a data breach has occurred, we will assess the incident promptly. If we have reasonable grounds to believe that an eligible data breach has occurred, we will notify affected individuals and government agencies as required by law.
If you believe your personal information may have been affected by a data breach, please contact our Privacy Officer immediately.
You may request access to, correction of, or deletion of, personal information we hold about you.
Requests should be made in writing to our Privacy Officer.
We may need to verify your identity before responding. We will respond within a reasonable time. In most cases, we will respond within 30 days.
In some circumstances, we may refuse access, correction or deletion where permitted by law. If we refuse a request, we will explain why, unless it would be unreasonable or unlawful to do so. We may not be able to delete information where we need to retain it for legal, professional, regulatory, or other record-keeping reasons.
If you have a concern or complaint about how we handle your personal information, please contact our Privacy Officer in writing.
Please include enough detail for us to understand and investigate your concern. In most cases, we will respond within 30 days.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner:
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Website: www.oaic.gov.au
We may update this Policy from time to time. The latest version will be available on our website.
If you have any questions about this Policy, or if you wish to make an access request, correction request, deletion request or privacy complaint, please contact:
Privacy Officer
Stacks Law Group Pty Ltd
Email: privacy@stacklaw.com.au
Telephone: 02 8276 2500