In May 2024, the Attorney-General indicated that the Privacy Act will soon undergo significant changes. The Privacy and Other Legislation Amendment Bill 2024 (Bill) was subsequently introduced into the lower house on 12 September 2024. The Bill includes recommendations from the 2014 report from the Australian Law Reform Commission (ALRC Report)1.
We consider that among the biggest reforms in the Bill is the proposed statutory tort for serious invasions of privacy. The scope of this new statutory tort is potentially far-reaching and poses a further risk to health service providers in their use and disclosure of personal and health information.
In this article, we take a deep dive into the proposed new statutory tort based on the comprehensive ALRC Report that serves as a precursor to what is included in the Bill.
Key Takeaways
- A number of health service providers have been found historically to have either intentionally, or inadvertently, disclosed personal and health information of patients to third parties.
- Organisations that employ or contract with health service providers can be at risk of being held vicariously liable for the intentional and negligent acts of their employees and contractors.
- In Australia, the Australian Privacy Principles (APPs) mandate that organisations must take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. This demonstrates the importance of implementing an effective governance framework that includes up-to-date and best-practice training for staff and independent contractors.
What's the proposed change?
New Statutory Tort for Protections for Serious Invasion of Privacy
The ALRC Report recommended that:
- Individuals in Australia should have an ability to bring a claim where there has been a 'serious' invasion of privacy based either on "intrusion upon seclusion"2 or misuse of their private information.
- There should be protection against intentional or 'reckless'3 invasions of privacy which are likely to offend, distress or harm the dignity of an ordinary 'sensible' person, even if the plaintiff cannot prove any actual damage. According to the ALRC, people have a reasonable expectation of privacy and so the invasion of privacy is inherently wrong in and of itself, even if a person cannot prove any financial harm.
- The legislature and the courts specifically consider how and whether an employer can be vicariously liable4 for the conduct of their employees under the new proposed statutory tort.
Intentionality and Recklessness
In terms of intentionality, the ALRC Report recommended that this would encompass a subjective and deliberate desire to intrude or misuse or disclose private information. However, depending on the surrounding circumstances, the ALRC also suggested that intentionality can be objectively assessed based on 'imputed intent' if the intrusion, misuse or disclosure could be shown to have been intended.
In the context of determining recklessness for invasion of privacy, the ALRC Report described it as someone being aware of the risk of an invasion of privacy, but still indifferent to whether or not an invasion of privacy would occur as a result of their conduct.
Seriousness, Distress and Ordinary Sensibilities
The ALRC Report made a number of recommendations about how 'serious' should be defined in order to qualify as a statutory cause of action based on the Canadian court decision in Jones v Tsige5, including:
- the degree of any offence, distress or harm to dignity that the invasion of privacy was likely to cause to a person of ordinary sensibilities in the position of the plaintiff; and
- whether the defendant was motivated by malice or knew the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff.
Given the inherent sensitivity of health information, it would seem reasonable to presume that a person would feel particularly sensitive and distressed in response to unlawful or unauthorised disclosure of their health information. This was highlighted by the Australian Privacy Commissioner in the recent decision of ALI and ALJ6, in which an organisation was ordered to pay compensation to a former employee for sending an email to other staff members, without their consent, disclosing that they suffered a medical event at the organisation's carpark and subsequently obtained hospital treatment.
What's at stake for Health Service Providers?
The Bill signals changes to come. In response to the new statutory tort for serious invasion of privacy, we recommend that practices carefully consider:
- The state of their current privacy training programs and engagement documents for employees and independent contractors in order to assess risks related to intentional or reckless conduct, as compared to negligent or inadvertent conduct, as it pertains to unauthorised disclosure. Any identified risks or 'gaps' should be evaluated for appropriate response measures.
- Organisations or entities that employ or contract with health service providers could potentially be held vicariously liable for serious invasions of patient privacy committed by their staff and independent contractors.7 Therefore it is crucial that employment and contractor agreements be reviewed carefully to ensure they appropriately hold employees and contractors accountable for their privacy obligations and also protect the interests of the organisation.
If you would like to know more about the reasons behind our recommendations, we've prepared this helpful Case Study Guide which outlines two hypothetical scenarios as examples that apply to health service providers based on actual privacy breach cases from Australia and Canada.
How to prepare? Effective privacy governance and privacy training
Organisations are required to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. Lack of adequate privacy training was poignantly highlighted in a decision of the New South Wales Civil and Administrative Tribunal (NCAT) in the matter of CJU v SafeWork NSW8. An employee of SafeWork NSW disclosed certain personal information about the applicant to a third party in relation to an employment complaint. Evidence revealed that this SafeWork NSW staff member had received minimal privacy training. NCAT accepted that the unauthorised disclosure was due to the employee's ignorance, rather than intentional malice, as a result of inadequate training implemented by SafeWork NSW.
This case highlights that effective privacy governance and training is a must for all individuals and organisations that handle personal and health information. We recommend that health service providers assess any current risks for breach of privacy given the increased risk of being found liable for the invasion of privacy, and other exposures for liability, arising under the proposed amendments to the Privacy Act. For a helpful tool to assess any current risks, we recommend you complete our Privacy Checklist.
Footnotes
1 Serious Invasions of Privacy in the Digital Era (ALRC Report 123)
2 This refers to intruding in someone's personal space or affairs, and is based on the seminal case of Jones v Tsige, 2012 ONCA 32 in the Ontario Court of Appeal in Canada.
3 The meaning at law of 'recklessness' has generally developed around crimes-based legislation and Court interpretations from criminal cases – see for example the High Court's decision in Director of Public Prosecutions Reference No.1 of 2019 [2021] HCA 26. For the purposes of this article, reckless refers to heedless or careless conduct where one person can foresee the possibility or probability of a harmful consequence, but continues with the action with an indifference to, or disregard of, those consequences.
4 An employer can be vicariously liable for unauthorised or intentional tortious acts of an employee under certain conditions, where the wrongful act occurred in the course or scope of the employment, it had a real connection with the employment (the act was authorised, or required, by the employer or was incidental to the employment) and was not the result of the employee acting on a 'frolic' of their own: CCIG Investments Pty Ltd v Schokman [2023] HCA 21. In Australia, vicarious liability does not extend to independent contractors unless it can be demonstrated that in fact there is an employment relationship: see generally the discussion by Meek J in Adelaide Concrete Cutting & Drilling Pty Ltd v Marino (No 2) [2024] NSWSC 499 at 713 to 725.
5 2012 ONCA 32
6 [2024] AICmr 131
7 Recent court decisions in EFEX Group Pty Ltd v Bennett [2024] FCAFC 35, Construction, Forestry, Maritime, Mining and Energy Union v Personnel Contracting [2022] HCA 1 and ZG Operations Australia Pty Ltd v Jamsek (2022) 275 CLR 254; [2022] HCA 2 emphasise that the courts will carefully scrutinise contractual arrangements between a principal and a contractor to determine whether there is in fact an employer-employee relationship between the parties, including relevantly, how much control the principal has over how the contractor performs their work in determining the independence of the contractor.
8 [2018] NSWCATAD 300
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.