Family Law Info Requests: One‑Page Compliance System
Family law reforms already in force (6 May 2024) with more changes due June 2025 tighten how community legal centres and small practices collect, share, and protect client information. Here’s how to convert new obligations into a fast, safe, one‑page operational pathway.
The situation: new rules, higher stakes
Expect more court‑driven information flows in parenting and safety matters, tighter publication restrictions, and faster turnaround on orders and subpoenas (for example, s 69ZW requests). At the same time, you must comply with s 121 confidentiality, the Family Law Regulations 1984 Part IIAB information‑sharing framework, and the Privacy Act APPs and Notifiable Data Breaches (NDB) thresholds. The practical risk is operational: intake and admin teams now sit on the fault line between court compliance, client safety, and privacy law.
A day in intake: police request + subpoena, one inbox
Scenario: a police officer emails for risk information and, hours later, a subpoena arrives for a client’s counselling notes. Without a clear pathway, staff can make high‑impact mistakes.
- Over‑disclosure beyond lawful scope
- Missing mandatory redactions (e.g., addresses, third‑party identifiers)
- Insecure channels for transmission or storage
- Unlogged access leading to poor auditability
Consequence: client safety risks, OAIC‑reportable incidents, and court compliance issues—all from a small process gap.
What the law expects now (at a glance)
- Lawful authority first: verify Part IIAB info‑sharing, a valid court order/subpoena, or informed client consent.
- Minimum‑necessary disclosure: tightly scope and redact to purpose; separate privileged material.
- s 121 publication restrictions: protect identities and prevent publication of identifying details.
- Faster turnaround: meet court timelines (including s 69ZW) without skipping controls.
- Privacy Act APPs + NDB: maintain lawful basis, data minimisation, secure handling, and breach triage/reporting.
- Recordkeeping: log authority, scope, redactions applied, method of transmission, and who approved.
Build the one‑page decision tree
- Verify authority: Is it Part IIAB, a court order/subpoena, or signed consent? If none, do not disclose; request the correct authority.
- Scope + redact: Apply need‑to‑know. Remove third‑party identifiers, addresses, health notes outside scope, and sensitive metadata. Document the legislative basis for each redaction.
- Secure transmit: Use a secure portal or end‑to‑end encrypted file with password sent via a separate channel; avoid personal email and open cloud links.
- Log + file: Record decision basis in the access/log register; store the served package, proof of service, and a redaction schedule.
Secure transmission and redaction by default
- Channels: client/court portal, encrypted PDF/ZIP with separate‑channel password, or S/MIME/TLS‑assured email only if both ends are controlled.
- Controls: watermark with matter number, set link expiry, and disable forwarding where possible.
- Sanitise: scrub metadata and hidden notes; export to flattened PDF; maintain a clean, indexed bundle.
- Classify + restrict: label “Highly Sensitive—Family Law” and use role‑based access; no USBs or personal devices.
- Document control: version every disclosure pack; keep a redaction rationale table referencing s 121, APPs, and order scope.
Speed without shortcuts: staffing, SLAs, escalation
- Triage: colour‑code requests (red = safety/urgent, amber = court deadline, green = routine).
- Roles: Intake Lead (verify authority), Privacy Officer (APP/NDB check), Supervising Solicitor (legal sign‑off).
- SLAs: set internal deadlines (e.g., acknowledge in 2 hours; authority check in 4; disclosure within court timeframe).
- Templates: subpoena response cover, schedule of documents, redaction rationale, refusal/variation letter.
- Escalate: if scope is too broad, seek directions/variation; document all queries and extensions.
Prevent breaches before they start
- Checklists-at-desk: subpoena checklist; Part IIAB authority checklist; redaction checklist; secure‑send checklist.
- DLP + alerts: block outbound personal data to unknown domains; flag bulk exports.
- Incident readiness: a 1‑page NDB flow (contain, assess material risk of serious harm, notify if threshold met, learn).
- Remote‑proofed: step‑by‑step screenshots so remote staff follow the same pathway.
Leadership move: single source of truth
“Document your business or get out.” Centralise a single, version‑controlled source of truth so everyone follows the same page—literally.
- Policy pack: Information Sharing Policy (Part IIAB), Subpoena Response SOP, Redaction Standard, Secure Communications Standard, Access & Logging Procedure, Incident Response Plan (OAIC‑aligned).
- Governance: owner, review cadence (quarterly or on law change), change log, and training records.
- Metrics: turnaround time, rework rate, near‑misses, and breach count—reported to leadership monthly.
Next steps this week
- Draft the 1‑page decision tree (authority → scope/redact → secure send → log) and pin it to intake.
- Run a 20‑minute mock: police risk info + subpoena received same day.
- Enable a secure portal or encrypted‑file workflow; ban personal email for disclosures.
- Set SLAs and assign roles; add auto‑acknowledgement templates.
- Stand up an access/log register and test audit retrieval.
- Schedule a June 2025 law‑change review and refresher training.
If this raises questions about document control, change management, or compliance alignment, I’m happy to talk it through—message me here, or find us at tkodocs.com.
