Mishandling patient information is risky business: Proposed new changes to the Privacy Act to ensure effective information governance and privacy training.

Ben Ryan, Avant Law - Partner, Commercial & Corporate

Marko Novakov, Avant Law - Senior Associate, Commercial & Corporate

Monday, 14 October 2024

gavel and privacy act book

In May 2024, the Attorney-General indicated that the Privacy Act will soon undergo significant changes. The Privacy and Other Legislation Amendment Bill 2024 (Bill) was subsequently introduced into the lower house on 12 September 2024. The Bill includes recommendations from the 2014 report from the Australian Law Reform Commission (ALRC Report)1.

We consider that amongst the biggest reforms addressed in the Bill is for the proposed statutory tort for serious invasions of privacy. The scope of this new statutory tort can potentially be far-reaching and a further risk to health service providers for use and disclosure of personal and health information.

In this article, we take a deep dive into the proposed new statutory tort based on the comprehensive ALRC Report that serves as a precursor to what is included in the Bill.

Key Takeaways

  • A number of health service providers have been found historically to have either intentionally, or inadvertently, disclosed personal and health information of patients to third parties.
  • Organisations that employ or contract with health service providers can be at risk of being held vicariously liable for the intentional and negligent acts of their employees and contractors.
  • In Australia, the Australian Privacy Principles (APPs) mandate that organisations must take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. This demonstrates the importance of implementing an effective governance framework that includes up-to-date and best-practice training for staff and independent contractors.

What’s the proposed change?

New Statutory Tort for Protections for Serious Invasion of Privacy

 The ALRC Report recommended that:

  • Individuals in Australia should have an ability to bring a claim where there has been a ‘serious’ invasion of privacy based either on “intrusion upon seclusion”2 or misuse of their private information.
  • There should be protection against intentional or ‘reckless’3 invasions of privacy which are likely to offend, distress or harm the dignity of an ordinary ‘sensible’ person, even if the plaintiff cannot prove any actual damage. According to the ALRC, people have a reasonable expectation of privacy and so the invasion of privacy is inherently wrong in of itself, even if a person cannot prove any financial harm.
  • The legislature and the courts specifically consider how and whether an employer can be vicariously liable4 for the conduct of their employees under the new proposed statutory tort.


Intentionality and Recklessness

In terms of intentionality, the ALRC Report recommended that this would encompass a subjective and deliberate desire to intrude or misuse or disclose private information. However, depending on the surrounding circumstances, the ALRC also suggested that intentionality can be objectively assessed based on ‘imputed intent’ if the intrusion, misuse or disclosure could be shown to have been intended.

In the context of determining recklessness for invasion of privacy, the ALRC Report described it as someone being aware of the risk of an invasion of privacy, but still indifferent to whether or not an invasion of privacy would occur as a result of their conduct.

Seriousness, Distress and Ordinary Sensibilities 

The ALRC Report made a number of recommendations about how ‘serious’ should be defined in order to qualify as a statutory cause of action based on the Canadian court decision in Jones v Tsige5, including:

  1. the degree of any offence, distress or harm to dignity that the invasion of privacy was likely to cause to a person of ordinary sensibilities in the position of the plaintiff; and
  2. whether the defendant was motivated by malice or knew the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff.

Given the inherent sensitivity of health information, it would seem reasonable to presume that a person would feel particularly sensitive and distressed in response to unlawful or unauthorised disclosure of their health information. This was highlighted by the Australian Privacy Commissioner in the recent decision of ALI and ALJ6, in which an organisation was ordered to pay compensation to a former employee for sending an email to other staff members, without their consent, disclosing that they suffered a medical event at the organisation’s carpark and subsequently obtained hospital treatment.

What’s at stake for Health Service Providers?

The Bill signals changes to come. In response to the new statutory tort for serious invasion of privacy, we recommend that practices carefully consider:

  • The state of their current privacy training programs and engagement documents for employees and independent contractors in order to assess risks related to intentional or reckless conduct, as compared to negligent or inadvertent conduct, as it pertains to unauthorised disclosure. Any identified risks or ‘gaps’ should be evaluated for appropriate response measures.
  • Organisations or entities that employ or contract with health service providers could potentially be held vicariously liable for serious invasions of patient privacy committed by their staff and independent contractors.7 Therefore it is crucial that employment and contractor agreements be reviewed carefully to ensure they appropriately hold employees and contractors accountable for their privacy obligations and also protect the interests of the organisation.

If you would like to know more about the reasons behind our recommendations, we’ve prepared this helpful  which outlines two hypothetical scenarios as examples that apply to health service providers based on actual privacy breach cases from Australia and Canada.

How to prepare? Effective privacy governance and privacy training

Organisations are required to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. Lack of adequate privacy training was poignantly highlighted in a decision of the New South Wales Civil and Administrative Tribunal (NCAT) in the matter of CJU v SafeWork NSW8. An employee of SafeWork NSW disclosed certain personal information about the applicant to a third party in relation to an employment complaint. Evidence revealed that this SafeWork NSW staff member had received minimal privacy training. NCAT accepted that the unauthorised disclosure was due to the employee’s ignorance, rather than intentional malice, as a result of inadequate training implemented by SafeWork NSW.

This case highlights that effective privacy governance and training is a must for all individuals and organisations that handle personal and health information. We recommend that health service providers assess any current risks for breach of privacy given the increased risk of being found liable for the invasion of privacy, and other exposures for liability, arising under the proposed amendments to the Privacy Act. For a helpful tool to assess any current risks, we recommend you complete our Privacy Checklist.

We can help you

If you have any questions, or would like more information about how we can assist you or your practice, please call 1800 867 113, or to organise a confidential discussion at a time that suits you, please click here 

1 Serious Invasions of Privacy in the Digital Era (ALRC Report 123)

2 This refers to intruding in someone’s personal space or affairs, and is based on the seminal case of Jones v Tsige, 2012 ONCA 32 in the Ontario Court of Appeal in Canada.

3 The meaning at law of ‘recklessness’ has generally developed around crimes-based legislation and Court interpretations from criminal cases – see for example the High Court’s decision in Director of Public Prosecutions Reference No.1 of 2019 [2021] HCA 26. For the purposes of this article, reckless refers to heedless or careless conduct where one person can foresee the possibility or probability of a harmful consequence, but continues with the action with an indifference to, or disregard of, those consequences.

4 An employer can be vicariously liable for unauthorised or intentional tortious acts of an employee under certain conditions, where the wrongful act occurred in the coarse or scope of the employment, it had a real connection with the employment (the act was authorised, or required, by the employer or was incidental to the employment) and was not the result of employee acting on a ‘frolic’ of their own: CCIG Investments Pty Ltd v Schokman [2023] HCA 21. In Australia, vicarious liability does not extend to independent contractors unless it can be demonstrated that in fact there is an employment relationship: see generally the discussion by Meek J in Adelaide Concrete Cutting & Drilling Pty Ltd v Marino (No 2) [2024] NSWSC 499 at 713 to 725.

5 2012 ONCA 32

6 [2024] AICmr 131

7 Recent court decisions in EFEX Group Pty Ltd v Bennett [2024] FCAFC 35, Construction, Forestry, Maritime, Mining and Energy Union v Personnel Contracting [2022] HCA 1 and ZG Operations Australia Pty Ltd v Jamsek (2022) 275 CLR 254; [2022] HCA 2 emphasise that the courts will carefully scrutinise contractual arrangements between a principal and a contractor to determine whether there is in fact an employer-employee relationship between the parties, including relevantly, how much control the principal has over how the contractor performs their work in determining the independence of the contractor.

8 [2018] NSWCATAD 300

Topic

Other resources

  1. Payroll tax

    Your words matter - use of language and payroll tax for medical practices

  2. Demystifying litigation

    Demystifying the litigation process

  3. person writing

    New year, new practice?

More ways we can help you

Indemnity insurance
Health insurance
Practice solutions
Finance
Legal services
Life & income protection

About the authors

Ben Ryan

Ben Ryan is a Partner in the commercial and corporate law practice at Avant Law, based in Brisbane. Ben has been working with medical practices since 2013. Ben works primarily on commercial structuring and intellectual property matters to help clients achieve strategic and commercially sensible results. He pursued a career in law to provide reliable and honest support to those in need of legal assistance and enjoys working with clients to develop solutions-oriented legal strategy and advice.

Marko Novakov

Marko Novakov is a Senior Associate in the commercial and corporate law practice at Avant Law, based in Melbourne. Marko has broad based experience practising in law firms and in-house legal roles in the areas of commercial law, corporate and regulatory governance, and litigation and alternative dispute resolution. Since 2023, Marko has focused on working with health practitioners and medical practices, primarily on commercial acquisitions and sales, governance, dispute resolution and intellectual property matters in order to help clients achieve both their strategic and commercial objectives. In working with his clients, Marko has developed a reputation of being a trusted advisor who can bridge the gap between legal expertise and effective communication. 

Prior to becoming a lawyer, Marko completed his Bachelor of Science Degree at the University of Toronto with a focus on Behavioural Neuroscience and with multiple publications in a peer-reviewed scientific journal for behavioural neuroendocrinology. Marko also attends and delivers presentations at conferences for doctors on commercial matters related to private practice. 

Disclaimers

This article is not comprehensive and does not constitute legal advice. You should seek legal or other professional advice before relying on its content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this article must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is current to 15 October 2024. © Avant Mutual Group Limited 2024.

To Top

NSW State Office AddressLevel 6, Darling Park 3, 201 Sussex Street, Sydney NSW 2000
Telephone 02 9260 9000 | Facsimile 02 9261 2921

Mailing addressPO Box 746 Queen Victoria Building NSW 1230

Connect with Avant

facebookxlinkedininstagramyoutube

In the spirit of reconciliation, Avant acknowledges the Traditional Custodians of Country throughout Australia, and their connections to land, sea and community. As a national organisation, we pay our respects to Elders past and present, of the lands on which we gather and work, and extend that respect to all Aboriginal and Torres Strait Islander peoples.

IMPORTANT: Professional indemnity insurance and the Practice Medical Indemnity Policy available from Avant Mutual Group Limited ABN 58 123 154 898 (Avant Mutual) are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765 (Avant). Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant. Private health insurance products are issued by The Doctors’ Health Fund Pty Limited, ABN 68 001 417 527, a member of the Avant Mutual Group. Avant arranges Avant Business Insurance as agent of the insurer Allianz Australia Insurance Limited ABN 15 000 122 850, AFSL 234 708 (Allianz) and may receive a commission on each policy arranged. Avant Travel Cover is available under a Group Policy between QBE Insurance (Australia) Limited, ABN 78 003 191 035, AFSL 239 545 (QBE) and Avant Mutual. Avant Travel Cover is underwritten by QBE and Avant may receive a benefit for arranging cover. Avant Finance is a registered business name of Avant Doctors’ Finance Pty Ltd (ACN 637 769 361) and licensed to Avant Doctors’ Finance Brokers Pty Ltd (ABN 75 640 406 784). Avant Doctors’ Finance Brokers Pty Ltd is a wholly owned subsidiary of Avant Doctors’ Finance Pty Ltd. Loan products may be provided by Avant Doctors’ Finance Pty Ltd or arranged by Avant Doctors’ Finance Brokers Pty Ltd. Credit services or assistance to which the National Credit Code applies are provided by Avant Doctors’ Finance Brokers Pty Ltd as authorised Credit Representative (Credit Representative Number 523242) for LMG Broker Services Pty Ltd ACN 632 405 504 Australian Credit Licence 517192. Legal services are provided by Avant Law Pty Ltd ABN 63 136 429 153 (Avant Law). Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law are members of the scheme.


The information provided on this website is general advice only and has been prepared without taking into account your objectives, financial situation and needs. You should consider these, having regard to the appropriateness of the advice before deciding to purchase or continue to hold these products. For full details including the terms, conditions, and exclusions that apply, please read and consider the relevant Product Disclosure Statement or policy wording and Target Market Determination (TMD) which are available on this website or by contacting us on 1800 128 268. Information on this site does not constitute legal or professional advice, and is current as at the date of initial publication.