Treasury’s current project to upgrade the Companies Register is a unique opportunity to address the significant risks of director personal information being publicly available.
Director personal information
Some members may not be aware that their personal information is publicly available on the ASIC Companies Register (the Register).
The AICD has consistently raised concerns with government on this topic for a number of years.
For a small fee, the home address, date of birth and full name of directors and officers of entities incorporated under the Corporations Act are easily available online. This gives rise to significant privacy, cyber, identity-theft and personal safety risks.
The AICD believes that it is imperative that these risks are addressed as soon as possible to protect the approximately 3 million company directors on the Register. These serious privacy and security concerns are only increasing in the current environment, with certain parts of the community facing heightened risks.
The AICD position on urgently dealing with these risks is set out in this article following an explanation of the currently proposed reforms.
Registry project
On 12 December 2025 Treasury opened consultation into a project for upgrading the Companies Register (the Register).
A key element of the proposal is the proposed linking of the Director ID system (the unique identifying numbers of directors issued by the ATO) to the Register. This is designed to increase corporate transparency, making it easier to track directors between companies while preventing illegal phoenixing and identity fraud.
What does the Registry project propose in relation to personal information?
Once Director IDs are linked to the Register, Treasury has proposed to remove directors’ date of birth from the Register.
Although the Background Paper states that the only personal information to be disclosed on the Register will be Director IDs and a service address (or residential address where no service address has been provided), this is a policy proposal from Treasury and is not contained in the legislation. The AICD believes that this should be legislated to ensure that privacy concerns are clearly addressed.
Special access for certain users
The Background Paper states that there will be tiered access to director personal information.
The general public will only have access to limited details on the Register and will need to go through a basic authentication process (email address or security key).
There will be a special class of ‘special use access’ users who will be able to access significantly more personal information. Details of who will be in the class is still under government consideration. Regulators, insolvency practitioners, financial institutions, journalists, victim representatives and litigants are all being considered.
The Bill provides for this ‘special use access’ by giving ASIC discretion to publish or disclose personal information, if ASIC reasonably believes that:
the benefits of doing so outweigh any risks of doing so; and
to do so is in the public interest.
Rather than have a broad and subjective public interest test, the AICD believes that legislation should include a clear list of who is entitled to have ‘special use access’. This is the only way to give directors certainty and security about who can access their personal information.
Historical documents lodged with ASIC
Documents that were lodged with ASIC and contained dates of birth and residential addresses before the law commences on 1 July 2027 will continue to be available. This reflects ASIC’s concern about the difficulty of attempting to retrospectively amend documents.
Obligation to provide Director IDs and penalties
From 1 July 2027 companies will need to provide ASIC with Director ID information when notifying changes to directors’ details or at the time of their annual review, effectively requiring that all companies must provide Director ID details by no later than 30 June 2028.
There will be a new offence for companies that fail to provide Director ID information when notifying ASIC of a new director appointment, or when updating company or director details. This will be added to the existing offences, which include failure to apply for Director IDs, applying for multiple Director IDs and misrepresenting a Director ID. These will be strict liability offences and will attract up to 60 penalty units (currently $19,800).
There will also the ability to disqualify persons from managing companies where they are a director who has not complied with their obligation to apply for a Director ID.
Other key points to note
The Registry Project will need to resolve several design matters to achieve its goals and improve the current system. Some of the design issues that need to be addressed include:
- Dealing appropriately with directors who sit on multiple boards to ensure that they do not have to send or receive multiple notifications under the new system.
- Making sure that the provisions work when directors have appointed agents.
- Putting in place provisions for directors who live outside Australia and do not have Director IDs.
AICD position on timing of reforms
While the AICD supports the Registry Project, we believe that it is vital that directors’ personal information is removed from the Register before linkage occurs, which is not scheduled until July 2027. It is an unacceptable risk to have this information publicly available, and out of step with other jurisdictions.
The AICD has compared Australia’s position to six other jurisdictions with similar corporate and legal systems (New Zealand, the United Kingdom, the United States of America, Canada, Hong Kong and Singapore). Only New Zealand discloses directors’ residential addresses to the public. New Zealand is currently exploring a proposal to replace this requirement with the disclosure of an address for service. No other jurisdiction in this list discloses the full date of birth of directors to the public.
The AICD considers July 2027 too great a delay given the current arrangements expose directors and officers to potential privacy, personal safety, and cyber and identity-theft risks. These are harms that far outweigh the public benefit of availability of personal details on a public register and must be taken seriously. Accordingly, the AICD has written to the Government, asking it to urgently allow the provision of a service addresses instead of a director’s residential address on the Register as an interim step.
This would not undermine the planned Director ID linkage process and establishment of tiered access to personal details.
What you can do now to attempt to suppress your residential address from the Register
For members with personal safety concerns, it is important to know there is an existing mechanism to seek to remove information from general public access.
Directors can apply to ASIC using a Form 379 to suppress their residential address and instead show an address for service if the personal safety of the director or the director’s family will be put at risk by having the residential address publicly available.
What information is required by ASIC will depend on whether a director is enrolled to vote: if a director is enrolled, their residential address must have been supressed on the electoral role via the Australian Electoral Commission (see link here). If a director is not enrolled to vote, a statutory declaration around the safety risk is required. More information on this can be found here.
Next steps on Registry Project
In relation to the broader Registry Project, the consultation period is open until 10 February 2026. During this time the AICD will continue its discussions with key stakeholders within government.
The AICD will also make a formal submission outlining its concerns and highlighting the need for removal of directors’ personal information from the Register to take place as a matter of utmost urgency.
Latest news
Already a member?
Login to view this content