Important note
This information is part of our broader privacy program. You can learn more in our Privacy Program overview.
Personal information inventory
A personal information inventory is a register of the categories of personal information your firm holds, including where it is stored, how it is collected, and who has access to it. While not explicitly required by the APPs, maintaining an inventory is recognised by the OAIC as a foundational element of good privacy management.[1]
[1] OAIC, Privacy management framework: enabling compliance and encouraging good practice (May 2025), Step 2: Establish a personal information inventory.
Why maintain an inventory?
An inventory improves protection and, in the longer term, minimises cost. It ensures that you do not hold multiple copies of the same data (each copy being a separate potential source of a data breach), and that you can focus protection where it is needed most.
Organising your archive storage so that destruction can be managed quickly and easily will also save a great deal of work and expense in the longer term. While we tend to think of electronic storage as essentially free, it is not once you factor in the cost of sorting through it prior to destruction.
Using the inventory template
The more complete this audit is, the better your overall outcome. However, for the purposes of initial compliance, a general overview of what you hold, where you hold it and why may be sufficient.
The personal information register document provides a template with the following columns:
Template
| Column | Description |
| --- | --- |
| Information Category | Type of personal information (e.g., 'Client identity documents', 'Beneficial owner information', 'Staff records') |
| Data Elements | Specific data items within the category (e.g., name, DOB, address, passport number) |
| Source | How information is collected (e.g., directly from client, from company searches, from third parties) |
| Storage Location | Where information is stored (e.g., practice management system, physical files, cloud storage) |
| Access | Who has access to this information (e.g., all staff, principals only, specific staff members) |
| Retention Period | How long information is retained (cross-reference to retention schedule) |
| Sensitivity | Whether the category includes particularly sensitive information (health, criminal record, etc.). If information is especially sensitive, either because it falls within the Privacy Act definition of sensitive information or because you anticipate a particular risk of harm, this should be flagged for special protection in transit and at rest. |
| Overseas Disclosure | Whether information is disclosed overseas (and to which countries) |
Note: The template above includes pre-populated entries for common categories of personal information held by law firms. These are examples only and are not intended as a comprehensive list. Review and adjust these entries to reflect your firm's actual information holdings.