How do the Australian Privacy Principles apply to a law firm's client data and marketing operations?
Australian law firms with annual turnover above $3 million are APP entities under the Privacy Act 1988 and bound by the Australian Privacy Principles, with APP 11 the operative obligation to take reasonable steps to protect personal information. Client matter data sitting in Affinity, LEAP or Smokeball, marketing CRM lists, intake forms and email automations are all in scope. The Notifiable Data Breaches scheme requires notification to the OAIC and affected individuals where a breach is likely to result in serious harm — and legal professional privilege does not displace the obligation.
Reviewed 2026-05-03.
Source: Privacy Act 1988 (Cth), Schedule 1 — Australian Privacy Principle 11 (Security of personal information).
If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information — (a) from misuse, interference and loss; and (b) from unauthorised access, modification or disclosure …
The substance, in plain English.
A law firm is an APP entity once annual turnover crosses $3 million, and many smaller practices are pulled in regardless — those that trade in personal information for benefit, and those handling health information through medico-legal, workers' compensation or estate-planning files. The small-business exemption is on the legislative agenda for removal in the second tranche of Privacy Act reforms; the OAIC has signalled the direction of travel publicly. Treating the exemption as durable architecture is a planning error.
APP 11 sets the operative obligation: "reasonable steps" to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. The OAIC's published guidance reads "reasonable" against the sensitivity of the information held — a personal-injury practice holding medical records, an immigration practice holding identity documents, or a family law practice holding child-protection material is held to a higher bar than a commercial transactional practice. Practice management systems (Affinity, LEAP, Smokeball) hold the lot in one place, which raises the standard rather than lowering it.
The Notifiable Data Breaches scheme (Part IIIC of the Privacy Act) requires notification to the OAIC and affected individuals where unauthorised access, disclosure or loss of personal information is likely to result in serious harm and the harm cannot be remediated. The clock is 30 days to assess once the firm becomes aware of grounds to suspect a breach. Legal professional privilege over the underlying material does not displace the obligation to notify the existence of the breach itself; the privilege protects the content, not the existence.
Marketing operations sit inside the same regime. Intake forms, lead magnets, email-marketing lists held in Mailchimp / HubSpot / ActiveCampaign, contact data syndicated to Meta or Google audiences, and any tracking pixel that captures identifiers are all governed by APP 1 (transparency through a published privacy policy), APP 5 (notification at collection), APP 6 (use and disclosure boundaries) and APP 8 (cross-border disclosure where a US-hosted MarTech vendor receives the data). Most law-firm sites Regimen audits run the marketing stack against an out-of-date privacy policy.
Client confidentiality under the Conduct Rules and APP obligations under the Privacy Act run in parallel and reinforce each other rather than conflict. The OAIC published Australia-wide guidance after the HWL Ebsworth incident on the legal profession's standing as a high-risk target for ransomware, and the firm-by-firm consequences of treating cyber as an IT line item rather than a privacy obligation. "We are a law firm, we know about confidentiality" is not a substitute for an APP 11 control set, an incident response plan with named owners, and a tested NDB notification workflow.
Maximum penalty: Civil penalty up to $50 million for serious or repeated interferences with privacy by a body corporate (Privacy Act 1988, s.13G as amended in 2022) — or three times the value of any benefit obtained, or 30 percent of adjusted turnover during the breach period, whichever is greater. Individual practitioners face a separate Conduct Rules pathway for confidentiality breaches under Rule 9.
Recent enforcement under this provision:
- 2024: OAIC investigation, HWL Ebsworth Lawyers
On 21 February 2024 the Australian Information Commissioner announced an investigation into the personal-information handling practices of HWL Ebsworth Lawyers arising from the April 2023 ransomware incident in which approximately 4 terabytes of data was exfiltrated and partially published on the dark web. The OAIC's announcement frames the investigation as into HWLE's acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals.
OAIC opens investigation into HWL Ebsworth over data breach (21 February 2024)
- 2025: Notifiable Data Breaches Report, July to December 2024
The OAIC's bi-annual report recorded 595 notifications in the second half of 2024, contributing to a calendar-year total of 1,113 — the highest annual figure since the NDB scheme began in 2018. Phishing (30%), compromised or stolen credentials (27%) and ransomware (24%) led the cyber-incident causes. Legal services is named in the OAIC's reporting as a high-risk sector by volume of sensitive data held.
Notifiable Data Breaches Report: July to December 2024 — OAIC
- 2025: Australian Information Commissioner v Australian Clinical Labs
On 29 September 2025 ACL agreed to pay a $5.8 million penalty after the OAIC alleged serious and systemic failures in protecting personal and health information of approximately 223,000 individuals — the first NDB-era enforcement matter to land at full civil penalty. The case is the operative warning shot for any APP entity holding sensitive material, including law firms holding medical, identity and child-protection records.
A worked example.
A 22-partner Sydney commercial firm runs LEAP for matter management, HubSpot for marketing, Mailchimp for newsletters, and a Calendly widget on the site for new-business consults. A phishing email to a junior solicitor harvests her LEAP and Microsoft 365 credentials. The attacker exfiltrates a folder of due-diligence material from a live M&A matter, including identity documents and director details for 80 individuals. The privilege over the matter content does not displace the NDB obligation: the firm has 30 days from awareness to assess whether serious harm is likely, and on these facts it plainly is. The firm must notify the OAIC and the 80 affected individuals, log the incident under APP 11, and review whether the marketing stack (HubSpot, Mailchimp, the consult widget) shares a credential or vendor surface with the breached account. The principal's exposure runs in parallel under Rule 9 (confidentiality) — the privilege over the file does not protect the firm from a Conduct Rules complaint about the failure of supervision that allowed the breach.
The questions that come next.
Does legal professional privilege exempt a law firm from the Notifiable Data Breaches scheme?
No. Privilege protects the content of communications between solicitor and client; it does not displace the firm's obligation as an APP entity to notify the OAIC and affected individuals where unauthorised access to personal information is likely to result in serious harm. The notification can be drafted to describe the existence and nature of the breach without disclosing privileged content. The OAIC's investigation into HWL Ebsworth proceeded notwithstanding extensive privileged material in the breached set.
We're under the $3m turnover threshold — does the Privacy Act apply at all?
Possibly yes. The small-business exemption excludes practices that trade in personal information for benefit and those that handle health information — workers' compensation, medico-legal and estate-planning practices typically fall in. The exemption is also flagged for removal in the second tranche of Privacy Act reforms following the 2024 first-tranche package. Treating the threshold as durable is a planning error; treating it as a phase-out window is the operating posture.
Our practice management system is hosted by the vendor — does that move APP 11 liability to them?
No. APP 11 binds the entity that holds the personal information, not the storage provider. The firm remains the APP entity for client data sitting in Affinity, LEAP or Smokeball. What the vendor relationship does is contribute to whether the firm's steps are "reasonable" — vendor security certifications, contracted breach-notification obligations, and segregation of customer data are part of the assessment. "It's hosted with LEAP" is not a defence to inadequate access control on the firm's side.
If we use Meta Custom Audiences from our client list, is that an APP issue?
Yes — APP 6 (use and disclosure for a primary purpose) and APP 8 (cross-border disclosure to a US-hosted entity) both fire when client identifiers are uploaded to Meta. The published privacy policy must put the client on notice of the specific use, the consent collected at intake must extend to it, and the cross-border disclosure must be addressed. Most firms running Custom Audiences do so against an out-of-date privacy policy that fails APP 1's transparency limb.
Read it for yourself.
- Privacy Act 1988 (Cth) — Schedule 1, Australian Privacy Principles (austlii)
- OAIC — Chapter 11: APP 11 Security of personal information (Guidelines)
- OAIC — Notifiable Data Breaches scheme (Part IIIC)
- OAIC — Small business and the Privacy Act (current exemption status)
- Privacy and Other Legislation Amendment Act 2024 — first-tranche reforms (Holding Redlich)