In Australia, there are strict breach of confidentiality laws that govern privacy and access to personal information.

The term "confidentiality" refers to the moral and legal duty to safeguard private information disclosed in an interpersonal, professional, or organisational setting.

Confidentiality is regarded as essential for protecting privacy, trust, and integrity in areas such as healthcare, law and finance.

Some states and territories have their own legislation that governs privacy and confidentiality. There is also federal legislation that governs it throughout Australia.

What is a Breach of Confidentiality?

A breach of confidentiality is the unauthorised access, use or disclosure of private information. It does not have to be deliberate, although it will be taken more seriously

Confidential information refers to information about a person that is disclosed privately and is legally protected.

Examples of confidential information include a person's:

  • Age
  • Residential address
  • Health Conditions
  • Income

The High Court of Australia recognised a confidentiality breach as an "equitable cause of action" in ABC v Lenah Game Meats Pty Ltd [2001] HCA 63; 208 CLR 199; 185 ALR 1; 76 ALJR 1. This creates a legal wrong and a right to sue.

In order to establish whether there has been a confidentiality breach or not, the following factors will be considered:

  • If all parties have been informed of the information's confidential nature it is more likely to be a breach
  • If all parties received the information in confidential circumstances and with an obligation to retain confidence it is more likely to be a breach
  • If the information is already publicly available it is less likely to be a breach
  • If there was written consent to disclose the information it is less likely to be a breach
  • If disclosure of the information is required to provide goods or services under a contract it is less likely to be a breach
  • If the information is disclosed to a professional advisor (eg. a lawyer or a doctor), it is more likely to be a breach
  • Information in the public domain which is common knowledge will not be regarded as confidential
  • Facts in legal proceedings and court documents will not be confidential where disclosure is required by law

Breach of Confidentiality Laws Australia

Privacy and breach of confidentiality laws in Australia are protected by the Privacy Act 1988 (Cth). The Act governs the use and disclosure of an individual's personal information. It also regulates Australian government agencies and organisations and how they deal with personal information. The Act is legally binding on individuals, Commonwealth Government Agencies and businesses.

'Personal information' under the Act includes a person's:

  • Name
  • Signature
  • Date of birth
  • Contact details such as email, telephone number, residential or IP address
  • Income
  • Healthcare conditions, medical records, and healthcare service providers
  • Bank details
  • Photos and videos
  • Disability or care information
  • Information about family members and emergency contact details

Breach of Confidentiality in the Workplace

A breach of confidentiality in the workplace is outlawed by the Privacy Act 1988 (Cth). Employers are required to protect the privacy of their employees' personal information. Under the Privacy Act, there may be a breach and subsequent legal action against the employer.

Nonetheless, the public sector in NSW is exempt from The NSW State Government is the only entity bound by the Privacy and Personal Information Protection Act 1998.

You can obtain legal advice from an accredited specialist criminal defence lawyer if you belief you have been a victim of a breach of privacy of confidentiality.

Examples of Breach of Confidentiality in the Workplace

Examples of a breach of confidentiality in the workplace include:

  • copying work-related data and taking it for personal use, particularly before the end of your employment;
  • disclosing information from a former employer to a new employer;
  • sending emails from a work email account to a personal email address;
  • sending client information to a third party, even if it is by accident.

Technological advances have increased the possibility of confidentiality breaches in the workplace, for example, if an employee copies data from a work computer before a contract expires, legal action may be taken against an employee to recover damages.

Can I sue my employer for disclosing personal information?

There is no right to sue for a confidentiality or privacy breach. However, there are statutory remedies available under the Privacy Act 1988.

Employer Breach of Confidentiality

Employers cannot use or disclose personal information other than for the purpose it was collected, unless the employee gives consent.

If an employer commits a breach of confidentiality or privacy, section 90 of the Privacy Act 1988 (Cth)allows legal action to be taken.

Section 93 of the Privacy Act provides that an individual who has suffered a breach of confidentiality can recover damages if the breach relates to personal information.

Section 36A of the Privacy Act allows an individual to make a complaint to the Commissioner about a breach of privacy. Once a complaint is made, the Commissioner can investigate the act or practice. The Commissioner has the authority to resolve complaints, conduct preliminary investigations, demand documentation, call required meetings, and refer cases to other complaint organisations.

The Commissioner can make a determination which is binding on the parties involved. If the declaration is not complied with, an application can be made to court for enforceable orders.

Under Section 52 of the Privacy Act, the Commissioner can make the following determinations:

  • dismiss the complaint
  • declare a breach of confidentiality or privacy
  • declare no further action is required

If the Commissioner declares a breach of confidentiality, they can stipulate that:

  • Specific steps are required within a specific time frame to ensure a breach of confidentiality does not happen again
  • any loss suffered must be rectified
  • pay compensation for any loss or damages suffered

Businesses have obligations when it comes to the protection of privacy. The Australian Privacy Principles (APP) requires government agencies and organisations to abide by the guidelines recorded in Schedule 1 of the APP on handling individual personal information.

These guidelines are:

  • Manage personal information with transparency
  • Allow a person to remain anonymous or have the option to use a pseudonym
  • Personal information of a person may only be collected if it is reasonable and necessary
  • Allow a person to stop unwanted direct marketing
  • Ensure a person is aware personal data is collected
  • Ensure a person knows how the information will be used
  • Ensure a person knows to whom the information will be disclosed to
  • To not use or disclose personal information for any other purpose other than the primary purpose a person consented to
  • Ensure personal information is accurate and updated regularly
  • To take reasonable steps to ensure personal information is protected from interference, misuse, loss, unauthorised access, modification, or disclosure of personal information
  • A person's personal information has to be destroyed or de-identified if not needed
  • Allows a person access to their personal information subject to certain outlines specified in Schedule 1 of the Privacy Act 1988
  • Allow a person to update inaccurate personal information
  • Ensure a person can lodge a complaint if confidentiality has been breached

Breach of Confidentiality in Healthcare

The Health Records Information Privacy Act 2002 (NSW) governs privacy and confidentiality in healthcare. Personal information cannot be disclosed by healthcare practitioners as they have ethical obligations.

Consequences of a breach of confidentiality in healthcare include a civil action such as negligence and disciplinary action by the employer and/or a regulatory body such as the Australian Medical Association and the Australian Medical Board.

Examples of a breach of confidentiality in healthcare include:

  • divulging private information without consent;
  • telling a relative or friend about a patient.

Where a healthcare worker makes an intentional and unauthorised disclosure of personal information regarding a client, a patient may bring a lawsuit against the medical practitioner and report the breach to the relevant disciplinary body.

A medical practitioner may share confidential information only if they have permission to do so. They may also need to disclose the information in special circumstances such as those involving medical research, the public interest, court cases, or other healthcare providers or organisations, may confidential information be shared.

How to report a Breach of Patient Confidentiality?

You can report a breach of patient confidentiality by:

  1. Contact the Privacy Contact Officer for your treating health service in the first instance;
  2. Contact the Office of the NSW Privacy Commissioner on 1800 472 679, or visit the Information and Privacy Commission NSW.

Breach of Confidentiality in Childcare

A breach of confidentiality in the childcare sector can result in a fine of $360,000 for individuals or $1.8 million for an organisation under the Privacy Act 1988 (Cth).

When a privacy or confidentiality breach occurs, childcare facilities must inform the affected individuals, the Office of the Australian Commissioner, and the Notifiable Data Breaches Scheme if there is a possibility that the data leak could cause significant harm.

Breach of Confidentiality Laws NSW

In New South Wales, breach of confidentiality laws are governed by the Privacy and Personal Information Protection Act 1998 (NSW).

Section 4 of the Privacy and Personal Information Protection Act 1998defines personal information as "information or an opinion forming part of a database [where the] identity of an individual is apparent or can be reasonably determined from the information or opinion."

The NSW Privacy Commissioner can investigate and address complaints regarding personal information and privacy issues.

Section 36(2) of the Privacy and Personal Information Protection Act 1998 lists and describes the principal responsibilities of the Privacy Commissioner. In addition to publishing instructions regarding the protection of personal information, the Commissioner oversees adherence to the information protection principles.

Privacy and Breach of Confidentiality Laws WA

Privacy and breach of confidentiality laws in Western Australia are governed by the Privacy Act 1988 (Cth).

In addition to laying forth the rules, responsibilities, and rights for managing, using, accessing, and correcting personal information, the Privacy Act also includes 13 privacy principles that govern how organisations are expected to handle personal data. Western Australia relies on these privacy principles to inform its decisions surrounding privacy and confidentiality.

Privacy and Breach of Confidentiality Laws Victoria

Privacy and breach of confidentiality laws in Victoria are governed by the Privacy and Data Protection Act 2014 (Vic).

It outlines ten information privacy principles governing how public sector entities handle individuals' personal information and grants privacy rights. This includes health information, Commonwealth government entities like Centrelink, and private groups like businesses and nonprofits.

Personal information is defined as your name, email address, address, phone number, signature, fingerprint, images or video, remarks about you, and financial information.

Whether or not the personal information is accurate, it will be taken into consideration. It also needs to be documented in order to be categorised as, "personal information." Personal information like race, ethnicity, religion, criminal record, sexual preference or membership to a profession or trade are subject to a higher security.

Privacy and Breach of Confidentiality Laws QLD

Privacy and breach of confidentiality laws in Queensland are governed by the Information Privacy Act 2009 (Qld). A set of privacy guidelines specify how Queensland government agencies manage personal data.

Individuals can file privacy complaints to the Office of the Information Commissioner. The Commissioner can conduct privacy compliance inspections and audits and issue compliance notices for infractions.

Privacy and Confidentiality Act SA

There is no specific privacy legislation in South Australia. Instead, the Cabinet has given ministries privacy guidelines.

The Public Sector Act 2009 (SA)also limits information-related activities of public sector employees.

The type of information and the person who possesses it will determine whether an organisation or individual can access information about you. You do not have the right to view the information that other companies or people own. This implies that the entity or individual in possession of your information is not required to grant you automatic access to it.

However, Commonwealth and State legislation grant individuals certain access rights to information maintained by government bodies, including as the ATO, Centrelink, Police, and Commonwealth and State health departments, as well as certain commercial businesses.

Defences to Breach of Confidentiality

Defences to a breach of confidentiality include:

  1. The information disclosed was not confidential (eg. the information was available in the public domain).
  2. The disclosure of the information was justified (eg. the information relates to a crime, fraud, civil wrong or disclosure is in the public interest).
  3. The disclosure was legally compelled. This is if disclosure of the confidential information was required by a court or government order.
  4. Consent. The confidential information was shared with the consent of the other person.

Remedies for Breach of Confidentiality

There are four main remedies for a breach of confidentiality:

  1. Injunction: an order preventing disclosure of the confidential information.
  2. Damages: an order awarding compensation for loss.
  3. Account of Profits: an equitable remedy available when the defendant benefits, or is expected to benefit from the breach of confidentiality.
  4. Constructive trust: an equitable remedy which allows the funds to be held in trust.

How to deal with a Breach of Confidentiality

You can deal with a breach of confidentiality by filing a complaint with the Commissioner who can then:

  • take no action;
  • order compensation;
  • order a person or organisation to make amends for the breach.

If a party fails to abide by the Commissioner's orders, legal proceedings can be commenced to enforce them.

You should generally first raise any breach with the organisation responsible. They should be afforded the opportunity to fix the breach and remedy any harm caused.

Consequences of a Breach of Confidentiality

A breach of confidentiality may result in job loss, legal action and disciplinary proceedings by a professional regulatory body.

Enquiries and declarations from the Privacy Commissioner are among the other possible courses of action.

The consequences of being found liable for a breach will carry different consequences depending on the industry. The legal and medical sectors will have different consequences; however, each sector has its own internal procedures for handling infractions, which range from reprimands to expulsion from the relevant professional body, as well as damages through litigation.

What is the Difference between Privacy and Confidentiality?

The main difference between privacy and confidentiality is that privacy laws protect personal informationwhile confidentiality protects people or entity information communicated in confidence and not available to the public.

Privacy and confidentiality are not only defined differently but also enforced differently and on different actors/ people.

Privacy imposes obligations on a business to follow the requirements of the Privacy Act 1988. A business is bound by the Privacy Act if the business has an annual turnover which is larger than $3 million.

If a business has an annual turnover of less than $3 million, it may still need to comply with the Privacy Act depending on the type of business.

The following businesses are expected to comply with the Privacy Act regardless of their annual turnover:

  • A business that is a part of the healthcare sector
  • A business which sells or purchases personal information
  • A contractor who provides services under contract with the Australian Government
  • A credit provider or reporting body
  • A residential tenancy database operator

While privacy laws do not bind businesses to define, protect and enforce confidential information, businesses often include a confidentiality clause in employee contracts or company policies to protect valuable business information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.