Industry · 24 February 2025 · DEIS Compliance

Law firms: managing privacy compliance in litigation and due diligence

Lawyers access personal information from multiple sources during litigation and transactions. Here is how to handle the privacy obligations.

legal · law firms · litigation · due diligence

Law firms are significant users of third-party data sources. During litigation, due diligence, and advisory work, lawyers routinely access company records, credit reports, property records, and other databases containing personal information.

Legal professional privilege

Lawyers may argue that legal professional privilege protects their data collection activities from IPP3A obligations. However, privilege protects communications between lawyer and client — it does not create a blanket exemption from the Privacy Act.

The litigation exception

IPP3A includes exceptions that may apply in litigation contexts — for example, where notification would prejudice the maintenance of the law or legal proceedings. However, this exception must be assessed on a case-by-case basis and documented.

Due diligence in transactions

In commercial transactions, lawyers often run company searches, director checks, and property searches. These are not covered by the litigation exception and require standard IPP3A compliance — consent, notification, or a documented exception.

Practical tips for law firms

  • Classify your lookups: is this litigation (potential exception) or transactional (standard IPP3A)?
  • Document the exception relied upon for each litigation-related lookup.
  • Use standard consent or notification for transactional lookups.
  • Maintain a separate evidence trail for each client matter.

DEIS for law firms

DEIS allows law firms to organise lookups by client matter and select the appropriate IPP3A pathway for each one. The evidence log can be filtered by matter reference, making it easy to produce compliance records for specific engagements.
