Managing day-to-day client records is something most legal practices carry out well.

Using that client data to manage and develop client relationships is something only a handful of practices do satisfactorily. It’s a lesson we are yet to learn from the broader business world.

So if we aren’t using that client data, why and how are we storing it?

“People pretend data is gold – it isn’t; it’s uranium – super useful if used correctly and incredibly dangerous to just have lying around.”1

The recent Optus hack highlights the security risks of storing data. In Optus’ case 11.2 million records were allegedly stolen. With a current customer base of about 5.8 million, Optus was holding about 5.4 million records for former customers – people it had no continuing need to hold data on.

So where is your legal practice’s data stored? How secure is your data? According to the Minister for Cyber Security and Home Affairs, Clare O’Neil, in a discussion with Laura Tingle on the ABC’s 7.30 (Monday 26 September 2022), Optus allegedly left a door open to its data and the hackers just waltzed in.

Most legal practices hold their clients’ full names, addresses, emails and telephone numbers. Many also hold dates of birth. Adding identity documents such as passports, driver’s licences, Medicare cards, tax file numbers and/or bank account details opens the floodgates for identity theft if a cyber intruder enters your system: that combination is everything needed to impersonate a client.

The cyber intruder may not immediately release these personal details but hold them for ransom, release them in a piecemeal manner, or taunt you with threats of release for years to come.

The loss of client confidence following a cyber intrusion may be devastating to the sustainability of your legal practice, and to your personal wellbeing.

Are you storing necessary information?

The Privacy Act 1988 (Cth) regulates how businesses should handle personal information. While the Privacy Act may not apply to your legal practice, it is a model of best practice and opt-in compliance is encouraged.

  1. Collecting unnecessary personal information is a breach of the Act. You should not scan, copy, email or store a client’s driver’s licence if sighting it is sufficient.
  2. Collect sensitive information only if it is reasonably necessary for the services being delivered and you have the client’s consent.
  3. Ensure your privacy policy is up-to-date. Your privacy policy will set out what information you collect, for what purpose it is required, how it is held, how long it is held, how clients may access their data, and how it is destroyed.

What to retain when verifying identification?

Where verification of identity is required, it is strongly recommended that you follow the VOI Standard.2

If verification of identity is not required, it is still strongly recommended that you take steps to verify the identity of your client. Evidence supporting the verification process ought to be retained to demonstrate that reasonable steps were taken. Rather than copying or scanning client identification documents, you may record the details of the verification process (which documents were sighted, by whom and when) in a file note.

The Queensland Law Society Business Advisory Service offers cybersecurity advisory assistance to QLS full members. If you would like to ensure you have shut, locked and secured the doors to your cyber systems, please call or message the Ethics Centre for a referral on 07 3842 5843.


Judy Hayward is a Queensland Law Society Special Counsel and Practice Management Consultant.

1 A quote from an anonymous source to the ABC, thought to be a paraphrase of Cory Doctorow, ‘Personal data is as hot as nuclear waste’, The Guardian (16 January 2008).
2 See the Australian Registrars’ National Electronic Conveyancing Council (ARNECC) guidance note 5, Retention of Evidence, and Item 3.3(b) of [61-2700] Land Title Practice Manual which requires the identity verifier to retain a copy of all documents produced by the person being identified. See also [61-2330] Land Title Practice Manual concerning a witness’s record-keeping obligations.

3 Responses

  1. Is it time for QLS to revisit its position that firms must retain all legacy ‘client documents’ indefinitely, despite ASCR Rule 14.2 and despite the now-more-obvious risks that data retention entails?

    Perhaps some reform is necessary, if not prudent – to enable firms to delete or destroy data and documents once reasonable attempts have been made to return them to the former client?

    1. Cheers Ben. Just to clarify: QLS does not suggest that solicitors retain client documents indefinitely. The issue has been that as a bailee we have no common law right to convert and destroy bailed property without the owner’s (i.e., the client’s) consent. The conservative view is that ASCR 14.2 does not confer such authority.
      If a firm has that consent built into the retainer or costs agreement we are OK to destroy documents in accordance with our usual destruction schedule. (Note, the 7 year minimum in the ASCR is not the recommended minimum for some classes of file where problems / statute of limitations issues can bite practitioners after 7 years.)
      QLS has advocated for some time that even where consent is not express, the Legal Profession Act should permit destruction of records. As you suggest, one of the main strings to our bow in the current environment is that retaining unneeded records places client data at risk.
      Hope to have an update on that in the near future.
