Mishandling patient information is risky business: Proposed new statutory tort to the Privacy Act

Ben Ryan, Avant Law - Partner, Commercial & Corporate

Marko Novakov, Avant Law - Senior Associate, Commercial & Corporate

Monday, 14 October 2024

gavel and privacy act book

In May 2024, the Attorney-General indicated that the Privacy Act will soon undergo significant changes. The Privacy and Other Legislation Amendment Bill 2024 (Bill) was subsequently introduced into the lower house on 12 September 2024. The Bill includes recommendations from the 2014 report from the Australian Law Reform Commission (ALRC Report)1.

We consider that amongst the biggest reforms addressed in the Bill is for the proposed statutory tort for serious invasions of privacy. The scope of this new statutory tort can potentially be far-reaching and a further risk to health service providers for use and disclosure of personal and health information.

In this article, we take a deep dive into the proposed new statutory tort based on the comprehensive ALRC Report that serves as a precursor to what is included in the Bill.

Key Takeaways

  • A number of health service providers have been found historically to have either intentionally, or inadvertently, disclosed personal and health information of patients to third parties.
  • Organisations that employ or contract with health service providers can be at risk of being held vicariously liable for the intentional and negligent acts of their employees and contractors.
  • In Australia, the Australian Privacy Principles (APPs) mandate that organisations must take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. This demonstrates the importance of implementing an effective governance framework that includes up-to-date and best-practice training for staff and independent contractors.

What’s the proposed change?

New Statutory Tort for Protections for Serious Invasion of Privacy

 The ALRC Report recommended that:

  • Individuals in Australia should have an ability to bring a claim where there has been a ‘serious’ invasion of privacy based either on “intrusion upon seclusion”2 or misuse of their private information.
  • There should be protection against intentional or ‘reckless’3 invasions of privacy which are likely to offend, distress or harm the dignity of an ordinary ‘sensible’ person, even if the plaintiff cannot prove any actual damage. According to the ALRC, people have a reasonable expectation of privacy and so the invasion of privacy is inherently wrong in of itself, even if a person cannot prove any financial harm.
  • The legislature and the courts specifically consider how and whether an employer can be vicariously liable4 for the conduct of their employees under the new proposed statutory tort.


Intentionality and Recklessness

In terms of intentionality, the ALRC Report recommended that this would encompass a subjective and deliberate desire to intrude or misuse or disclose private information. However, depending on the surrounding circumstances, the ALRC also suggested that intentionality can be objectively assessed based on ‘imputed intent’ if the intrusion, misuse or disclosure could be shown to have been intended.

In the context of determining recklessness for invasion of privacy, the ALRC Report described it as someone being aware of the risk of an invasion of privacy, but still indifferent to whether or not an invasion of privacy would occur as a result of their conduct.

Seriousness, Distress and Ordinary Sensibilities 

The ALRC Report made a number of recommendations about how ‘serious’ should be defined in order to qualify as a statutory cause of action based on the Canadian court decision in Jones v Tsige5, including:

  1. the degree of any offence, distress or harm to dignity that the invasion of privacy was likely to cause to a person of ordinary sensibilities in the position of the plaintiff; and
  2. whether the defendant was motivated by malice or knew the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff.

Given the inherent sensitivity of health information, it would seem reasonable to presume that a person would feel particularly sensitive and distressed in response to unlawful or unauthorised disclosure of their health information. This was highlighted by the Australian Privacy Commissioner in the recent decision of ALI and ALJ6, in which an organisation was ordered to pay compensation to a former employee for sending an email to other staff members, without their consent, disclosing that they suffered a medical event at the organisation’s carpark and subsequently obtained hospital treatment.

What’s at stake for Health Service Providers?

The Bill signals changes to come. In response to the new statutory tort for serious invasion of privacy, we recommend that practices carefully consider:

  • The state of their current privacy training programs and engagement documents for employees and independent contractors in order to assess risks related to intentional or reckless conduct, as compared to negligent or inadvertent conduct, as it pertains to unauthorised disclosure. Any identified risks or ‘gaps’ should be evaluated for appropriate response measures.
  • Organisations or entities that employ or contract with health service providers could potentially be held vicariously liable for serious invasions of patient privacy committed by their staff and independent contractors.7 Therefore it is crucial that employment and contractor agreements be reviewed carefully to ensure they appropriately hold employees and contractors accountable for their privacy obligations and also protect the interests of the organisation.

If you would like to know more about the reasons behind our recommendations, we’ve prepared this helpful Case Study Guide which outlines two hypothetical scenarios as examples that apply to health service providers based on actual privacy breach cases from Australia and Canada.

How to prepare? Effective privacy governance and privacy training

Organisations are required to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. Lack of adequate privacy training was poignantly highlighted in a decision of the New South Wales Civil and Administrative Tribunal (NCAT) in the matter of CJU v SafeWork NSW8. An employee of SafeWork NSW disclosed certain personal information about the applicant to a third party in relation to an employment complaint. Evidence revealed that this SafeWork NSW staff member had received minimal privacy training. NCAT accepted that the unauthorised disclosure was due to the employee’s ignorance, rather than intentional malice, as a result of inadequate training implemented by SafeWork NSW.

This case highlights that effective privacy governance and training is a must for all individuals and organisations that handle personal and health information. We recommend that health service providers assess any current risks for breach of privacy given the increased risk of being found liable for the invasion of privacy, and other exposures for liability, arising under the proposed amendments to the Privacy Act. For a helpful tool to assess any current risks, we recommend you complete our Privacy Checklist.

We can help you

If you have any questions, or would like more information about how we can assist you or your practice, please call 1800 867 113, or to organise a confidential discussion at a time that suits you, please click here 

1 Serious Invasions of Privacy in the Digital Era (ALRC Report 123)

2 This refers to intruding in someone’s personal space or affairs, and is based on the seminal case of Jones v Tsige, 2012 ONCA 32 in the Ontario Court of Appeal in Canada.

3 The meaning at law of ‘recklessness’ has generally developed around crimes-based legislation and Court interpretations from criminal cases – see for example the High Court’s decision in Director of Public Prosecutions Reference No.1 of 2019 [2021] HCA 26. For the purposes of this article, reckless refers to heedless or careless conduct where one person can foresee the possibility or probability of a harmful consequence, but continues with the action with an indifference to, or disregard of, those consequences.

4 An employer can be vicariously liable for unauthorised or intentional tortious acts of an employee under certain conditions, where the wrongful act occurred in the coarse or scope of the employment, it had a real connection with the employment (the act was authorised, or required, by the employer or was incidental to the employment) and was not the result of employee acting on a ‘frolic’ of their own: CCIG Investments Pty Ltd v Schokman [2023] HCA 21. In Australia, vicarious liability does not extend to independent contractors unless it can be demonstrated that in fact there is an employment relationship: see generally the discussion by Meek J in Adelaide Concrete Cutting & Drilling Pty Ltd v Marino (No 2) [2024] NSWSC 499 at 713 to 725.

5 2012 ONCA 32

6 [2024] AICmr 131

7 Recent court decisions in EFEX Group Pty Ltd v Bennett [2024] FCAFC 35, Construction, Forestry, Maritime, Mining and Energy Union v Personnel Contracting [2022] HCA 1 and ZG Operations Australia Pty Ltd v Jamsek (2022) 275 CLR 254; [2022] HCA 2 emphasise that the courts will carefully scrutinise contractual arrangements between a principal and a contractor to determine whether there is in fact an employer-employee relationship between the parties, including relevantly, how much control the principal has over how the contractor performs their work in determining the independence of the contractor.

8 [2018] NSWCATAD 300

About the authors

Ben Ryan

Ben Ryan is a Partner in the commercial and corporate law practice at Avant Law, based in Brisbane. Ben has been working with medical practices since 2013. Ben works primarily on commercial structuring and intellectual property matters to help clients achieve strategic and commercially sensible results. He pursued a career in law to provide reliable and honest support to those in need of legal assistance and enjoys working with clients to develop solutions-oriented legal strategy and advice.

Marko Novakov

Marko Novakov is a Senior Associate in the commercial and corporate law practice at Avant Law, based in Melbourne. Marko has broad based experience practising in law firms and in-house legal roles in the areas of commercial law, corporate and regulatory governance, and litigation and alternative dispute resolution. Since 2023, Marko has focused on working with health practitioners and medical practices, primarily on commercial acquisitions and sales, governance, dispute resolution and intellectual property matters in order to help clients achieve both their strategic and commercial objectives. In working with his clients, Marko has developed a reputation of being a trusted advisor who can bridge the gap between legal expertise and effective communication. 

Prior to becoming a lawyer, Marko completed his Bachelor of Science Degree at the University of Toronto with a focus on Behavioural Neuroscience and with multiple publications in a peer-reviewed scientific journal for behavioural neuroendocrinology. Marko also attends and delivers presentations at conferences for doctors on commercial matters related to private practice. 

Disclaimers

This article is not comprehensive and does not constitute legal advice. You should seek legal or other professional advice before relying on its content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this article must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is current to 15 October 2024. © Avant Mutual Group Limited 2024.

To Top