While Australia was one of the first countries in the world to adopt privacy legislation, it has always lacked a cause of action for invasion of privacy. The Attorney-General's Department is currently reviewing the Privacy Act 1988 (Cth), including whether an action for invasion of privacy should be introduced into Australian law.
The current state of the law
While the Privacy Act regulates how organisations handle the personal information of individuals, there are very limited ways for an individual to take action against someone who interferes with their privacy.
At present, an individual's main recourse is to complain to the Office of the Australian Information Commissioner, which has the power to investigate and resolve complaints through a conciliation process. And because the Privacy Act is concerned solely with information privacy, an individual may have no recourse against acts which invade their privacy in other ways, such as physical or electronic intrusion into a private space.
What would a tort of privacy look like?
In 2014, the Australian Law Reform Commission ("ALRC") proposed a model cause of action that would require the following five elements:
- there was a misuse of an individual's private information or an intrusion into an individual's private space;
- the individual had a reasonable expectation of privacy;
- the invasion of privacy was committed recklessly or intentionally;
- the invasion of privacy was serious; and
- the public interest in privacy outweighs any countervailing public interests.
Additionally, the ALRC recommended that the invasion of privacy need not cause financial damage, and damages for emotional distress may be awarded.
Implications for medical practitioners
A statutory action for serious invasion of privacy would allow individuals to take legal action against a medical practitioner who intentionally or recklessly misused their medical information. That action could seek damages for emotional distress, and compensation for any other harm suffered by the individual. If such an invasion of privacy affected a large number of individuals, a class action would be possible.
However, the requirement that the invasion of privacy needs to be serious, and must have been committed intentionally or recklessly, means that not every breach of the Privacy Act would be actionable. Accidentally emailing a patient's medical information to the wrong specialist would generally not be intentional or reckless. A failure to adequately secure computer systems from hackers might be negligent, but would have to be very severe to be considered reckless. The action would be most applicable to deliberate breaches, such as the disclosure of a person's drug addiction or mental health condition to the media.
The application of the action to intrusions into private spaces is probably less relevant for medical practitioners, although it could potentially have relevance to any form of treatment that involves surveillance of a patient in their home. It also applies to the surveillance of private spaces in the workplace, such as change rooms.
Importantly for medical practitioners, in the form proposed by the ALRC, the action does not extend to an invasion of bodily privacy, which concerns protection of a person's body against invasive procedures.
In any event, if a statutory cause of action for invasion of privacy is introduced, it will clearly heighten the need for medical practitioners to be aware of their obligations under the Privacy Act, and to ensure they maintain adequate security of personal and sensitive information.