Australian accountants, lawyers, financial advisers and consultants are already using Claude to draft, summarise and analyse. The tool is rarely the problem. The paperwork is. If a client later asks whether their file passed through an AI system and there is nothing in writing that says they agreed, the firm is exposed on confidentiality, on the Privacy Act, and on professional conduct rules. Getting the consent wording right at the start removes almost all of that risk.
Why the wording matters more than the tool
Most professional obligations were written long before generative AI. They still apply. When a Sydney advisory firm feeds a client's financial statements into any external system, that is a disclosure of confidential information. Whether it is permitted turns on what the client agreed to, not on how good the tool is.
A vague line such as "we may use technology to assist our work" does not carry the weight you need. It does not name the practice, does not describe what data is involved, and does not give the client a real choice. Regulators and professional bodies increasingly expect specific, informed consent, and a court or complaints body will read the clause narrowly if a dispute arises.
What Australian rules actually require
Four sources of obligation usually apply to a professional firm, and consent wording should account for all of them:
The Privacy Act 1988 and the Australian Privacy Principles, which govern how personal information is collected, used and disclosed, including to overseas recipients.
Professional confidentiality duties under your body's code, whether that is CPA Australia, CA ANZ, the Legal Profession Uniform Law, or the financial advice rules overseen by ASIC.
Contractual terms in your engagement letter, which set the baseline the client actually signed.
Any sector rules, such as APRA guidance for regulated entities or trust-account obligations, that constrain where data can go.
The practical test is simple. Could the client, reading your clause, understand that an AI system may process information about them, roughly what kind, and what safeguards apply? If yes, the consent is likely to hold. If they would be surprised, it will not.
Wording that works, and wording that fails
Effective consent language is short, plain and specific. It names AI use, describes the data at a sensible level, states the safeguards, and gives the client a way to opt out. Weak language hides the practice inside a general technology clause or buries it in a privacy policy the client never reads.
A workable clause for an engagement letter reads something like this: "We use approved artificial intelligence tools, including Claude, to help prepare, review and summarise documents. Where we do so, your information is handled under our confidentiality and privacy obligations, is not used to train external models, and is limited to the vendors listed in our privacy policy. You may ask us not to use these tools on your matter at any time."
Note what that clause does and does not do:
It names the tool rather than gesturing at technology in general.
It states a concrete safeguard the client cares about: their data is not used to train external models.
It preserves the client's choice, which is what turns a notice into genuine consent.
It avoids promising things you cannot verify, such as absolute security or that no human ever sees the data.
Where consent fits in the engagement lifecycle
Consent is not a one-off signature. It works best when it appears at three points across the relationship:
In the engagement letter or terms of business, as the standing baseline every client agrees to.
In your privacy policy, where you list the specific vendors and the data categories involved, so the engagement clause can stay short.
At the point of unusual use, for example before you run a sensitive matter or a large document set through a tool, where a quick email confirmation is prudent.
Keeping the detail in the privacy policy lets you update the vendor list as tools change without re-issuing every engagement letter. The engagement letter points to the policy, and the policy carries the specifics.
A practical rollout for a small firm
A firm of ten people can put this in place in about a week. Draft the engagement clause and the privacy-policy section, have them reviewed against your professional body's code, then update your templates so every new engagement carries the wording. For existing clients, a short notice at the next review or renewal is usually enough.
The cost is modest against the downside. A properly reviewed clause and policy update runs in the low thousands, often under $4,000 including a legal review, while a single confidentiality complaint can cost far more in time, professional-indemnity excess and reputation. For most Australian firms the maths is not close.
If you want help drafting consent wording that fits your practice and your regulator, and a safe way to adopt Claude across the firm, book a short strategy session and we will map it out with you.



