What Law Firms Need to Know About Storing PII Under Australian Privacy Law

Law firms are in the business of trust. Every matter they take on involves sensitive information (names, financial details, health records, case histories) that clients expect to be treated with absolute discretion. But in the age of cyber risk, compliance obligations, and hybrid workflows, that trust is no longer just personal. It’s regulated.

Under Australian privacy law, storing PII (personally identifiable information) isn’t a ‘nice to have’ process. It’s a legal requirement, and a reputational risk if done poorly. Whether your firm is managing case files digitally, archiving paper documents, or preparing briefs for court, understanding your obligations around data storage is critical.

This article outlines what counts as PII, what the law requires of you, where firms most commonly go wrong, and how to approach legal document compliance with confidence.

What Counts as PII in Legal Practice?

The Privacy Act 1988 (Cth) defines PII as any information or opinion that identifies, or could reasonably identify, an individual. In legal practice, that casts a wide net.

PII includes:

  • Names and contact details

  • Identification documents (e.g., driver’s licences, passports)

  • Financial records

  • Medical or psychological reports

  • Case notes and transcripts

  • Emails, correspondence, and phone logs

  • Even metadata, scanned handwritten notes, or a photo with a name in it

In other words: if it’s in a client matter file, it’s probably got PII somewhere.

Your Legal Obligations Under the Privacy Act

Australian law firms (excluding sole practitioners who don’t hit the $3 million turnover threshold) are subject to the Australian Privacy Principles (APPs). Three APPs are especially relevant when it comes to storing legal documents:

  • APP 1 – Open and transparent management: Firms must have clear policies on how personal information is collected, stored, and handled.

  • APP 6 – Use and disclosure: Personal information must only be used for the purpose it was collected, unless the client consents otherwise.

  • APP 11 – Security of personal information: Reasonable steps must be taken to protect data from misuse, interference, loss, or unauthorised access.

And if a breach does occur? Under the Notifiable Data Breaches (NDB) scheme, firms are legally required to inform both the affected individuals and the OAIC if there’s a risk of serious harm.

The Risks of Poor PII Storage

Legal professionals are time-poor. That often leads to inconsistent systems: shared drives, personal desktops, unsecured emails, boxes stored off-site for decades without review, or the assumption that a Practice Management System is protection enough.

But poor PII storage carries more than just operational friction. The risks include:

  • Regulatory penalties under the Privacy Act

  • Breach of client confidentiality

  • Reputational damage and loss of future business

  • Loss of admissibility if documents are altered or tampered with

  • Data breaches from cyberattack or physical theft

No firm wants to be explaining a privacy breach to the OAIC, or worse, a former client’s counsel.

Best Practices for Storing PII in Law Firms

Whether digital, physical, or hybrid, storing PII safely means going beyond box-ticking. It means building document compliance into the way your firm operates.

Here are some best practices:

  • Encrypt all stored data, whether it’s on servers, hard drives, or in the cloud

  • Implement role-based access controls so only authorised staff can access sensitive files

  • Digitise physical documents using OCR and metadata tagging to ensure searchability and tracking

  • Use cryptographic sealing to protect evidentiary integrity of legal documents

  • Set retention and destruction rules based on matter type and jurisdiction

  • Train staff regularly on privacy responsibilities and secure handling

  • Avoid removable media like USBs or unencrypted external drives

  • Use privacy-focused platforms that are built for legal environments
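The "cryptographic sealing" item above is the one on this list that is easiest to misunderstand, so here is an added illustration (not File Republic's code, and not taken from the original article) of what a minimal seal looks like: a detached record that binds a document's SHA-256 digest to its matter reference and sealing time, authenticated with an HMAC so that any later change to the content or the record fails verification. The matter id, sealing key and document text are constructed placeholders.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder key. A real sealing key would be held in a key store
# or HSM under the firm's control, never in source code.
SEAL_KEY = bytes.fromhex("00" * 32)


def seal_document(content: bytes, matter_id: str, key: bytes = SEAL_KEY,
                  sealed_at: Optional[int] = None) -> dict:
    """Produce a detached seal record for a stored document.

    The record holds the document digest, the matter reference and the sealing
    time; the HMAC over the canonical JSON of those fields means a change to
    the content, the matter id or the timestamp invalidates the seal.
    """
    record = {
        "matter_id": matter_id,
        "sha256": hashlib.sha256(content).hexdigest(),
        "sealed_at": sealed_at if sealed_at is not None else int(time.time()),
    }
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    record["seal"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return record


def verify_seal(content: bytes, record: dict, key: bytes = SEAL_KEY) -> bool:
    """Return True only if both the content and the seal record are unchanged."""
    unsigned = {k: v for k, v in record.items() if k != "seal"}
    # The stored digest must match the document as it exists now.
    if hashlib.sha256(content).hexdigest() != unsigned.get("sha256"):
        return False
    # The record itself must carry a valid HMAC under the firm's sealing key.
    canonical = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("seal", ""))


if __name__ == "__main__":
    affidavit = b"Constructed sample affidavit text for matter MAT-0001."
    seal = seal_document(affidavit, "MAT-0001")
    print("intact:", verify_seal(affidavit, seal))
    print("altered:", verify_seal(affidavit + b" (edited)", seal))
```

The seal record can be stored beside the document or in the audit trail; a failed verification is the signal to quarantine the file and investigate before it is relied on in court.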

How File Republic Supports Legal PII Compliance

At File Republic, we help law firms store, manage, and protect client information in line with Australian privacy law.

Our platform offers:

  • Secure digital matter storage with audit trails and metadata integrity

  • Retention-based storage rules to reduce liability from old or forgotten files

  • Bulk redaction tools for PII removal in disclosure bundles and stored matters

  • Cryptographic sealing for documents required in court or for evidentiary purposes

  • OCR and advanced search to help find information fast, without compromising compliance

  • Physical storage with retention alerts for firms managing historical matter archives

We understand the legal duty of care involved in document storage. And we’ve built our services to make compliance easier.

Storing PII isn’t just an admin function. It’s a regulated obligation, a core risk area, and a reflection of your firm’s professionalism.

If your document systems haven’t been reviewed in years, or if staff still rely on makeshift storage methods, now is the time to act. Audit your process. Educate your team. And partner with providers who understand the unique demands of legal practice.

Talk to File Republic today about privacy-compliant solutions built for law firms.
