The new statutory tort, introduced under the Privacy and Other Legislation Amendment Act 2024, has been added as Schedule 2 to the Privacy Act 1988 (Cth). It is a significant shift – especially for sectors like healthcare, where personal information is routinely handled and privacy breaches can be particularly sensitive.
The new cause of action allows someone to bring a claim if their privacy has been invaded in a serious way. That might involve someone intruding into their private life – physically, electronically or through surveillance – or misusing their personal information. What matters is that the conduct was either intentional or reckless, that the person had a reasonable expectation of privacy in the circumstances, and that the breach was serious enough to justify legal action. The court also has to be satisfied that the interest in protecting that person’s privacy outweighs any competing public interest, like freedom of expression or public safety.
The individual does not need to prove financial loss. In this way the tort recognises that some invasions of privacy (particularly in areas like health) can cause distress, embarrassment or loss of dignity in ways that are not easily measured in dollars.
For healthcare providers, this raises obvious red flags. Staff accessing patient records without a legitimate reason, sensitive information being emailed or shared inappropriately, or failing to adequately secure medical records could all give rise to a claim if the breach is serious enough. The impact on healthcare providers could be significant, not only by exposing them to legal liability, but also by compromising patient trust and causing potential reputational harm.
Recklessness here is defined quite strictly, in line with the criminal law. It is not just about being careless. It means the person knew there was a real risk that their actions would breach someone’s privacy, and they did it anyway. That might include staff who access records out of curiosity, or organisations that ignore obvious weaknesses in their privacy practices.
If a claim is successful, the court can award damages (including for emotional harm), up to a cap of $478,550 for non-economic loss. In exceptional cases, the court can also award punitive damages. Other remedies are also available, including injunctions, apologies, correction orders, or requiring the destruction or handover of materials like recordings or documents.
There are carve-outs. Journalists and media organisations are largely exempt, provided their conduct relates to professional journalism. So are law enforcement and intelligence agencies acting in good faith. The tort also does not apply to people under 18, and there are defences available, including consent, lawful authority, or where the conduct was necessary to prevent serious harm.
From a healthcare perspective, this is not likely to spark widespread litigation overnight. However, it does create new exposure for high-impact breaches, particularly those that feel targeted or deliberate. Further, it underscores the importance of having proper access controls in place, reviewing who sees what and why, and training staff on the limits of their role when it comes to patient information.
It is important to be proactive. If you have not reviewed your privacy policies, access logs, or internal breach handling in a while, now is a good time. The legal framework has changed, and while the threshold for liability under this tort is high, the reputational and personal impact of getting it wrong could still be significant.