Family Law Data-Sharing: CLC Survival Playbook

New family law reforms effective 6 May 2024—and further changes flagged for June 2025—reshape how community legal centres (CLCs) collect, share and protect client data. This guide translates the shift into practical steps for small teams facing high stakes, tight timelines and limited resources.

1) What just changed—and why it matters

The FCFCOA’s expanded information-sharing settings with police and child protection bodies broaden lawful disclosures under the Family Law Act 1975, while lifting expectations under the Privacy Act 1988 (APP 3, 6 and 11) and court practice directions. The reforms also intersect with how courts make parenting orders in the best interests of children and with financial/property aspects of relationship breakdown. For small CLCs and family law practices, this is both a new compliance obligation and a data privacy/operational risk: faster lawful requests, tighter rules for location data, and deeper scrutiny of consent, security and audit trails.

2) The real-world risk: a five-minute mistake

On a busy duty list, a worker gets an order for “risk material” by 3 pm. Without a protocol, they email the whole file. Hidden metadata carries a refuge address. Safety risk ensues—and potential APP 6/11 non-compliance.

Lesson: In high-pressure moments, systems—not heroics—prevent harm.

Similar pressures face sector peers (including CLCs across Queensland and services welcoming stronger family-violence protections). Chronic underfunding noted by SPLA/ALRC reports raises the stakes: you must do more, with less.

3) Start here: a one-page “Responding to Requests” protocol

Confirm legal basis and scope: Is it a subpoena, a s 69ZW order, a practice-direction request or consent-based disclosure? Capture the exact wording and timeframe.
Apply data minimisation: Disclose only what is necessary and relevant to the request’s scope.
Check special sensitivities: Flag and review location identifiers (addresses, school names, service locations) and any risk indicators.
Strip metadata: Remove tracked changes, comments and file properties before release.
Use secure transfer: Prefer court portals, secure file links or SFTP over email attachments; add passwords separately.
Log decisions: Record basis, scope, redactions, transfer method and approver.
Escalate when unsure: Have a named senior reviewer on-call for time-critical decisions.

4) Disclose less, protect more: APP 3/6/11 in action

APP 3 (collection): Collect only what you need; avoid over-collection that later tempts over-disclosure.
APP 6 (use/disclosure): Tie each disclosure to a lawful basis and the narrowest scope; note exceptions under the Family Law Act and court directions.
APP 11 (security): Protect against unauthorised access, including accidental metadata leaks and misdirected emails; ensure timely destruction when appropriate.

Redaction priorities: client/responder addresses, school and childcare details, refuge/service locations, calendar patterns, geo-tagged images, and names of non-parties unless necessary.

5) Metadata and secure transfer: make leakage unlikely by design

Metadata hygiene: Export to clean PDF/A or flattened image-PDF; remove properties, comments and tracked changes; scrub EXIF from images.
Protective markings: Label documents “Sensitive—Location Information” to cue extra care.
Transfer controls: Use FCFCOA portals, secure link delivery with expiry, or SFTP; set passwords out-of-band and restrict download/forwarding; avoid public cloud shares by default.
Verification: Confirm recipient identity and mailbox before sending; enable delivery/read logs.

6) Build system guardrails in your CMS (and make remote work safer)

Flag high-risk fields: Configure “addresses,” “school names,” “service locations,” “safe contacts,” and “risk indicators” for mandatory senior review before release.
Single source of truth: Maintain one up-to-date procedures hub with the protocol, checklists and exemplars so remote staff follow the same instructions.
Role-based access: Limit who can view/export sensitive fields; require approvals for external disclosure.
Audit everything: Timestamp requests, decisions, redactions and transfers; store artefacts (orders, emails, logs) together.
Templates and checklists: Build standard redaction checklists and email/cover-letter templates referencing the legal basis and scope.

7) Strategy: document your business or get out

Speed and safety come from documented systems, not individual memory. Treat documentation as core infrastructure: it aligns dispersed teams, survives staff turnover and proves compliance under scrutiny. In a funding-constrained environment, this is your highest-ROI risk control.

Leadership cadence: Weekly 15-minute protocol drills; monthly file-spot checks.
Change control: Version your protocol as court directions evolve toward June 2025; brief staff on what changed and why.
Measures that matter: Response time to lawful requests, redaction defects per file, and audit completeness rate.

8) Your 48-hour action plan

Draft and publish a one-page “Responding to Requests” protocol (use the 7 steps above).
Configure CMS flags for location data and set a senior reviewer.
Install/enable metadata scrubbing and standardise exports to clean PDF/A.
Stand up a secure transfer method (court portal or managed secure links) and disable ad hoc attachments.
Run a 30-minute drill on a mock s 69ZW order; log decisions as if real.

Small practices can meet the new bar—by engineering clarity into everyday work. Start with the protocol, harden your handoffs, and make documentation your safest habit.