On 22 April, Privacy Commissioner Carly Kind handed down a determination against rental technology platform 2Apply, ruling that its parent company IRE had breached the Privacy Act by collecting excessive personal information and using unfair collection practices — as reported by the OAIC and covered in iTnews. 2Apply was ordered to stop collecting gender, student status, citizenship, visa expiry and previous living history from rental applicants.
Why wealth managers should read this closely
On the surface this is a rental story. Read the determination and it’s really a blueprint for how the OAIC will apply Australian Privacy Principle 3.2 (collect only what you reasonably need) and APP 3.5 (collect by fair and lawful means). Wealth management firms collect a huge amount of personal data under KYC, AML and best interests duties — ID documents, income evidence, health information, beneficiary details. The Commissioner’s point is that collecting more than you genuinely need, or using design tactics that pressure the client into handing it over, is now an enforcement risk regardless of whether you can point to a business reason.
The Commissioner was also specific about what she meant by unfair means: confirmshaming (“sharing this will speed up your application”), biased framing, and bundled consent that pairs a legitimate purpose with direct marketing. If your onboarding form or client portal has any of that — and plenty do — this ruling is the shot across the bow.
What to do this quarter
Two practical steps. Review every field in your client intake. For each one, can you articulate why it’s necessary for the specific financial service? If the honest answer is “it’s useful” or “we’ve always asked for it,” take it out. Then audit the flow. Default-on marketing opt-ins, language that implies refusal will harm the application, and single-click consent that bundles unrelated purposes are the patterns the OAIC is now actively looking for. These are the things your compliance team may have signed off on years ago and never revisited.
With the Privacy Act reforms continuing to tighten through 2026, firms that tidy this up now will sit in a much stronger position. Our financial services IT team regularly runs data-handling reviews for advisers and wealth managers — a quiet afternoon’s work that can save a very loud compliance problem later.
