Important note
This information is part of our broader privacy program. You can learn more in our Privacy Program overview.
APP 1.2 requires entities to take reasonable steps to implement practices, procedures and systems for managing personal information in accordance with the APPs.[1] One element of this is conducting privacy impact assessments (PIAs) when planning new projects or significant changes that involve personal information.[2]
For small law firms, PIAs are most likely to be relevant when:
- Implementing new practice management or document management systems;
- Engaging new IT service providers or cloud platforms;
- Implementing AI tools that process client information;
- Expanding into new practice areas that involve different types of personal information; or
- Making significant changes to information security arrangements.
The OAIC has published a Guide to undertaking privacy impact assessments, which explains how to conduct a PIA.
The Privacy Impact Assessment template document includes a threshold assessment tool to help determine when a full PIA is warranted.
[1] Australian Privacy Principle 1.2.
[2] OAIC, Guide to undertaking privacy impact assessments (September 2024), available at Guide to undertaking privacy impact assessments | OAIC.