20 October 2024

Mishandling patient information is risky business: Proposed new changes to the Privacy Act to ensure effective information governance and privacy training

Avant Law


Avant Law is a doctor-focused law firm that was originally established for our members in 2009 to provide the highest level of defence and protection in medical indemnity. It is now the largest medico-legal firm in Australia and continues to protect members for medical indemnity and employment issues and provide expert advice to help reduce the risk of a complaint or claim. With our deep understanding of medical practitioners and their practices and to help support doctors across life’s opportunities and challenges, we provide tailored legal services to address their personal, professional and business legal needs. Avant Law is a subsidiary of Avant Mutual (Avant) – Australia’s leading doctor organisation with a proud heritage of protecting the Australian medical professional for 130 years.

In May 2024, the Attorney-General indicated that the Privacy Act would soon undergo significant changes. The Privacy and Other Legislation Amendment Bill 2024 (Bill) was subsequently introduced into the lower house on 12 September 2024. The Bill takes up recommendations from the 2014 report of the Australian Law Reform Commission (ALRC Report) [1].

In our view, among the most significant reforms in the Bill is the proposed statutory tort for serious invasions of privacy. The scope of this new tort is potentially far-reaching and creates a further exposure for health service providers in relation to their use and disclosure of personal and health information.

In this article, we take a deep dive into the proposed new statutory tort, using the comprehensive ALRC Report as the precursor to what is now included in the Bill.

Key Takeaways

  • A number of health service providers have been found historically to have either intentionally, or inadvertently, disclosed personal and health information of patients to third parties.
  • Organisations that employ or contract with health service providers can be at risk of being held vicariously liable for the intentional and negligent acts of their employees and contractors.
  • In Australia, the Australian Privacy Principles (APPs) require organisations to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. This underlines the importance of an effective governance framework that includes up-to-date, best-practice privacy training for staff and independent contractors.

What's the proposed change?

New Statutory Tort for Protections for Serious Invasion of Privacy

The ALRC Report recommended that:

  • Individuals in Australia should be able to bring a claim where there has been a 'serious' invasion of privacy, based either on "intrusion upon seclusion" [2] or on misuse of their private information.
  • There should be protection against intentional or 'reckless' [3] invasions of privacy which are likely to offend, distress or harm the dignity of a person of ordinary sensibilities, even if the plaintiff cannot prove any actual damage. According to the ALRC, people have a reasonable expectation of privacy, so an invasion of privacy is wrong in and of itself, even where the person cannot prove any financial harm.
  • The legislature and the courts should specifically consider how, and whether, an employer can be vicariously liable [4] for the conduct of its employees under the proposed statutory tort.


Intentionality and Recklessness

In terms of intentionality, the ALRC Report recommended that this would encompass a subjective and deliberate desire to intrude upon, misuse or disclose private information. However, the ALRC also suggested that intent can be assessed objectively, as 'imputed intent', where the surrounding circumstances show that the intrusion, misuse or disclosure was intended.

In the context of recklessness, the ALRC Report described a reckless invasion of privacy as one where the person is aware of the risk of an invasion of privacy but is indifferent as to whether or not such an invasion results from their conduct.

Seriousness, Distress and Ordinary Sensibilities

Drawing on the Canadian decision in Jones v Tsige [5], the ALRC Report made a number of recommendations about how 'seriousness' should be assessed in order for an invasion of privacy to qualify as a statutory cause of action, including:

  1. the degree of any offence, distress or harm to dignity that the invasion of privacy was likely to cause to a person of ordinary sensibilities in the position of the plaintiff; and
  2. whether the defendant was motivated by malice or knew the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff.

Given the inherent sensitivity of health information, it seems reasonable to presume that a person would feel particularly distressed by an unlawful or unauthorised disclosure of their health information. This was highlighted by the Australian Privacy Commissioner in the recent decision of ALI and ALJ [6], in which an organisation was ordered to pay compensation to a former employee after it sent an email to other staff members, without the former employee's consent, disclosing that the former employee had suffered a medical event in the organisation's carpark and subsequently received hospital treatment.

What's at stake for Health Service Providers?

The Bill signals changes to come. In response to the new statutory tort for serious invasion of privacy, we recommend that practices carefully consider:

  • The state of their current privacy training programs and engagement documents for employees and independent contractors, in order to assess the risks of intentional or reckless conduct, as distinct from negligent or inadvertent conduct, in relation to unauthorised disclosure. Any identified risks or 'gaps' should be evaluated and appropriate response measures put in place.
  • The potential for organisations or entities that employ or contract with health service providers to be held vicariously liable for serious invasions of patient privacy committed by their staff and, where the arrangement is in substance one of employment, their independent contractors [7]. It is therefore crucial that employment and contractor agreements be reviewed carefully to ensure they appropriately hold employees and contractors accountable for their privacy obligations and also protect the interests of the organisation.

If you would like to know more about the reasons behind our recommendations, we have prepared a companion resource which outlines two hypothetical scenarios applicable to health service providers, based on actual privacy breach cases from Australia and Canada.

How to prepare? Effective privacy governance and privacy training

Organisations are required to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. The consequences of inadequate privacy training were starkly highlighted in a decision of the New South Wales Civil and Administrative Tribunal (NCAT) in CJU v SafeWork NSW [8]. An employee of SafeWork NSW disclosed certain personal information about the applicant to a third party in relation to an employment complaint. The evidence revealed that the staff member had received minimal privacy training. NCAT accepted that the unauthorised disclosure resulted from the employee's ignorance, attributable to the inadequate training implemented by SafeWork NSW, rather than from any intentional malice.

This case shows that effective privacy governance and training are a must for all individuals and organisations that handle personal and health information. We recommend that health service providers assess their current privacy breach risks in light of the increased exposure to liability for invasion of privacy, and the other liabilities, arising under the proposed amendments to the Privacy Act. As a tool for assessing those risks, we recommend you complete our Privacy Checklist.

Footnotes

[1] Serious Invasions of Privacy in the Digital Era (ALRC Report 123).
[2] This refers to intruding into someone's personal space or affairs, and is based on the seminal decision of the Ontario Court of Appeal in Jones v Tsige, 2012 ONCA 32.
[3] The legal meaning of 'recklessness' has generally developed around criminal legislation and the courts' interpretation of it in criminal cases: see, for example, the High Court's decision in Director of Public Prosecutions Reference No 1 of 2019 [2021] HCA 26. For the purposes of this article, 'reckless' refers to heedless or careless conduct where a person can foresee the possibility or probability of a harmful consequence but continues with the action in indifference to, or disregard of, that consequence.
[4] An employer can be vicariously liable for the unauthorised or intentional tortious acts of an employee under certain conditions: where the wrongful act occurred in the course or scope of the employment, had a real connection with the employment (the act was authorised or required by the employer, or was incidental to the employment) and was not the result of the employee acting on a 'frolic' of their own: CCIG Investments Pty Ltd v Schokman [2023] HCA 21. In Australia, vicarious liability does not extend to independent contractors unless it can be demonstrated that there is in fact an employment relationship: see generally the discussion by Meek J in Adelaide Concrete Cutting & Drilling Pty Ltd v Marino (No 2) [2024] NSWSC 499 at [713]-[725].
[5] 2012 ONCA 32.
[6] [2024] AICmr 131.
[7] Recent decisions in EFEX Group Pty Ltd v Bennett [2024] FCAFC 35, Construction, Forestry, Maritime, Mining and Energy Union v Personnel Contracting [2022] HCA 1 and ZG Operations Australia Pty Ltd v Jamsek (2022) 275 CLR 254; [2022] HCA 2 emphasise that the courts will carefully scrutinise contractual arrangements between a principal and a contractor to determine whether there is in fact an employer-employee relationship, including, relevantly, how much control the principal has over how the contractor performs the work.
[8] [2018] NSWCATAD 300.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
