Staff Training Program and Record Keeping

Effective privacy compliance depends on staff understanding their obligations and knowing how to apply privacy principles in their daily work.

Important note

This information is part of our broader privacy program. You can learn more in our Privacy Program overview.

APP 1.2 requires entities to take reasonable steps to implement practices, procedures and systems — and staff training is a critical component of this.[1] This overview explains how to develop and deliver privacy training.

[1] Australian Privacy Principle 1.2(d) (staff training as part of reasonable steps to implement practices, procedures and systems).

Who needs training?

All staff who handle personal information need privacy training. In a law firm, this typically includes the following roles, each with its own training focus:

  • Principals: overall compliance responsibility; governance; breach response decision-making; regulatory interaction.
  • Solicitors: confidentiality refresher; collection and use of client information; collection notices; handling access and correction requests; privilege considerations; client communication about privacy.
  • Paralegals and legal assistants: confidentiality training; collection procedures; document handling; recognising access requests; secure document management.
  • Administrative staff: confidentiality training; handling enquiries at reception; client identification; secure document handling; recognising and escalating privacy requests.
  • IT/Systems staff: the technical security measures the firm has selected; access controls; incident response; the firm's security policies and their role in maintaining and enforcing them.
  • New staff (all roles): induction training covering legal confidentiality rules, the firm's privacy policy and key procedures (such as system use and access, password policy, personal device policies, use of external systems – including AI – and internal incident escalation).


Core training content

The template Staff Training Framework provides a comprehensive training curriculum.

Core topics that all staff should understand include:[2]

  • Why privacy matters: how privacy and confidentiality intersect; which of the information the firm holds is regulated by privacy law and which is confidential; the connection to professional obligations; consequences of non-compliance.
  • Key concepts: personal information; sensitive information; confidential information; privileged information; collection, use and disclosure.
  • Firm's privacy policy: overview of the policy; where to find it; how it applies to daily work.
  • Security practices: password security; physical security; secure document handling; email security.
  • Collection notices: when and how to provide collection notices; which template to use.
  • Recognising requests: how to recognise access requests, correction requests and complaints; escalation procedures.
  • Incident reporting: how to recognise a potential data breach; reporting procedures; why prompt reporting matters.
  • AML/CTF integration: the connection between AML/CTF and privacy; customer due diligence (CDD) procedures; the tipping-off prohibition.

[2]OAIC, Privacy management framework (May 2025), Step 4: Train staff — training should be role-appropriate.

Training delivery and documentation

Document training delivery: Maintain a training register recording each session delivered, its date, the attendees and the topics covered.

This register is evidence of compliance with APP 1.2 and with AML/CTF training requirements. It is also valuable if a staff member makes an error and the firm needs to show what steps it took to prevent that error from occurring.