ASIC redacts officeholder data: What your business needs to know

The regulatory landscape is shifting again, with the Australian Securities and Investments Commission (ASIC) introducing changes to what information businesses can access about company directors and other officeholders. Under its RegistryConnect program, ASIC has now removed residential addresses and birth-date details from company extracts, effective 2 February.

The changes come in response to privacy concerns that publicly available officeholder information is being harvested for illegal activities or grey-area profiling by third parties.

For clients, the key question is how these reforms will affect due diligence practices and what adjustments may be necessary moving forward.

What information has ASIC removed from public searches?

As of 2 February 2026, company extracts purchased through ASIC’s website will no longer display the following information about directors, secretaries or other officeholders:

• residential addresses
• the day of their date of birth.

Although hidden from the public, the information remains accessible to ASIC, law enforcement agencies and other government regulators such as the ATO. Individuals must therefore continue to provide accurate details to ASIC.

An officeholder’s birth month and year, as well as the company’s registered office addresses, remain public. Further, some shareholder address details may still appear in certain contexts and document requests.

ASIC is also considering allowing special access exceptions for stakeholders such as lawyers or creditors with legitimate legal purposes, as well as journalists who may continue to access some information through a dedicated media portal.

Officeholder data: Where this change is heading?

In place of personal address information, ASIC is moving to identify directors by their Director Identification Number or “DIN”. Upcoming reforms tied to the DIN regime include:

• mandatory DIN reporting from 1 July 2027
• public display of DIN status indicators, and
• replacement of residential address disclosure with an “address for service”.

Directors must apply for DINs themselves (no one else can apply on their behalf). A DIN is required if you are a director or an ‘alternate director’ acting in a director capacity. You do not need a DIN if you are, for example, a company secretary who is not a director, an external administrator of a company or operating as a sole trader or partnership business.

While ASIC considers any special stakeholder exceptions, lawyers and litigants can still make informal requests for information as well as compel its release via a summons or subpoena. For more on this, you can read ASIC’s guide on their website.

What should businesses do to stay compliant?

While the shift towards DINs may eventually improve the security and consistency of corporate records, it does not yet fully resolve the practical challenges businesses face. From a legal perspective, this is not sufficient for serving documents or verifying identities, particularly against third parties trying to imitate clients using deepfakes or other identity fraud methods.

Until clearer regulatory guidance emerges, your business may consider collecting this information during your onboarding process or through terms of sale. However, any decision to collect such information needs to be carefully weighed against the liabilities and privacy compliance obligations that arise from doing so.

Before expanding your data-collection practices, you should seek advice from privacy law experts, such as our Privacy Law team at Macpherson Kelley, to establish a proper data strategy that considers intellectual property, privacy compliance and consumer standards, and is supported by appropriate policies and terms in your engagement and service agreements.

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.