Key Takeaways

What is often searched for as the "Privacy and Confidentiality Act 1988" is actually called the Privacy Act 1988 (Cth). It promotes and protects individual privacy and confidentiality, and regulates how Australian Government agencies and many private sector organisations deal with personal information. If a privacy principle is breached by an Australian Government agency or a private sector business or organisation covered by the Act, a range of remedies is available to protect the individual's privacy and confidentiality. These are outlined in this article.

This article is a guide written by our criminal lawyers Sydney team and is not intended to be used as legal advice.


The Privacy Act governs how individuals' personal information is dealt with. Personal information is protected to an extent that empowers you to know why your personal information is being collected and used and who it will be disclosed to; gives you the discretion to choose not to be identified; allows you access to your personal information (e.g. health information); allows you to stop receiving unwanted marketing; allows you to correct incorrect personal information about you; and provides an avenue to lodge a complaint if you believe your privacy or confidentiality has been breached.

Breach of Confidentiality | Privacy and Confidentiality Act

The Australian Privacy Principles (APPs), set out in Schedule 1 of the Privacy Act 1988 (Cth), require APP entities, including organisations and government agencies covered by the Act, to comply with certain guidelines in the way individuals' personal information is handled.

There are 13 APPs in total. The principles that APP entities must comply with include the following requirements (the relevant APP number is noted in brackets):

  1. To manage personal information in an open and transparent way (APP 1)
  2. To allow you the option to remain anonymous or to use a pseudonym (APP 2)
  3. Not to collect personal information about individuals unless it is reasonably necessary for the organisation's functions or activities (APP 3)
  4. To allow you to stop unwanted direct marketing (APP 7)
  5. Not to use or disclose personal information about an individual for any purpose other than the primary purpose for which it was lawfully collected, unless consent is obtained or certain other limited circumstances apply (APP 6)
  6. To ensure the personal information collected is accurate, up-to-date and complete (APP 10)
  7. To take such steps as are reasonable in the circumstances to protect the personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. If the information is no longer needed, reasonable steps must be taken to destroy it or at least ensure it is de-identified (APP 11)
  8. To allow you access to your collected personal information, subject to certain exceptions outlined in Schedule 1 of the Privacy Act 1988 (APP 12)
  9. To allow you to correct any inaccurate personal information about you (APP 13)

Breach of Confidence | Breach of Confidence Australia

Generally, where a person is subject to an obligation of confidence to another person in relation to personal information, and that confidence is breached, relief may be obtained in legal proceedings, according to section 90 of the Privacy Act 1988 (Cth) (the Act informally referred to as the "Privacy and Confidentiality Act" of Australia).

Amongst the remedies available in the event of a breach of confidence is the recovery of damages, according to section 93 of the Privacy Act 1988 (Cth).

An APP entity, including an organisation or government agency covered by the Act, must not do an act or engage in a practice that breaches an Australian Privacy Principle outlined above, according to section 15 of the Privacy Act 1988 (Cth).

If you believe there has been a breach of Commonwealth privacy or confidentiality law, the Privacy Act 1988 provides a mechanism for lodging a complaint with the Commissioner, under section 36A of the Act.

After an individual lodges a complaint to the Commissioner, the Commissioner is generally required to then investigate the alleged breach of confidence.

Even if a complaint is not made, the Commissioner can, on his or her own initiative, investigate a possible breach of privacy or confidence.

During the investigation, the Commissioner can conciliate the complaint, make preliminary inquiries of an individual, require a person to give information or documents or to attend a compulsory conference, and/or transfer the matter to an alternative complaint body.

Following an investigation, the Commissioner can make a determination. The entity subject to that determination is then required to comply with the declarations it contains. If the entity fails to comply, the requirements of the determination can be enforced by a court through court proceedings.

Amongst other things, a determination can include any of the following, under section 52 of the Privacy Act 1988:

  • Dismissing the complaint, or
  • A declaration that there has been a breach of privacy or confidentiality and that it must not be repeated, or that specific steps be taken within a period of time to ensure that it is not repeated, or that reasonable acts or a course of conduct be performed to redress any loss or damage suffered, or that a specific amount of money be paid as compensation for any loss or damage suffered, or
  • A declaration that it would not be appropriate to take any further action.

Privacy and Confidentiality Act NSW

In NSW, what is often searched for as the "Privacy and Confidentiality Act NSW" is the Privacy and Personal Information Protection Act 1998 (NSW) (the PPIP Act). It protects the personal information and privacy of individuals. In addition, amongst other things, it provides for the appointment of a Privacy Commissioner to protect people's privacy and confidentiality. Its functions are similar to those of the Commonwealth Act outlined earlier.

Under the PPIP Act, "personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. This is outlined in section 4 of the Privacy and Personal Information Protection Act 1998 (NSW).

The Privacy Commissioner's main functions are outlined in section 36(2) of the Privacy and Personal Information Protection Act 1998 (NSW). These include monitoring compliance with the information protection principles, publishing guidelines relating to the protection of personal information and privacy matters, and investigating and conciliating complaints about privacy matters.

Privacy and Confidentiality Act WA

Unlike NSW, Western Australia did not, at the time of writing, have specific privacy legislation covering its own state public sector. In WA, privacy regulation therefore rests on the Commonwealth Act, the Privacy Act 1988 (Cth), which regulates how personal information is handled by Commonwealth agencies and by private sector organisations (note that the Commonwealth Act does not itself apply to state government agencies). The Commonwealth Act contains 13 privacy principles that set out the standards, obligations and rights for handling, using, accessing and correcting personal information.

Privacy and Confidentiality Act Victoria

Victoria has privacy rights under the Privacy and Data Protection Act 2014 (Vic), which contains ten Information Privacy Principles outlining how public sector organisations are to handle individuals' personal information. This Act does not apply to health information or to Commonwealth government agencies such as Centrelink, nor does it apply to private organisations such as companies and charities.

Under the Victorian Act, "personal information" includes your name, email address, residential address, contact number, signature, fingerprint, photos or surveillance footage, comments about you, and your financial information.

Information is personal information whether or not it is true. In addition, to qualify as "personal information" under the Victorian Act, it must be recorded.

Certain personal information, such as racial or ethnic origin, religious beliefs, criminal record, sexual orientation or practices, or membership of a professional or trade association, is classed as "sensitive information" and is subject to a higher standard of protection.

Privacy and Confidentiality Act QLD

In Queensland, the Information Privacy Act 2009 (Qld) acknowledges the significance of protecting individuals' personal information. It also contains a set of privacy principles governing how Queensland Government agencies handle personal information, in a similar fashion to the NSW and Commonwealth privacy laws.

The Queensland Act also provides a process for people to lodge complaints about agencies in the event of a breach of privacy. In Queensland, the Office of the Information Commissioner mediates privacy complaints, reviews and audits privacy compliance, and issues compliance notices for breaches of privacy.

Privacy and Confidentiality Act SA

In South Australia, there is no privacy legislation applying to SA state government departments. Instead, Cabinet has issued privacy instructions to departments (the Information Privacy Principles Instruction) as a layer of protection for individuals in South Australia.

In addition to this, the Public Sector Act 2009 (SA) places restrictions on what public sector employees are allowed to do with information. However, these rules do not bind private individuals.

Ultimately, whether you can access information about yourself, and whether an organisation or person can access information about you, largely depends on the type of information and who holds it. Information is held either by the Commonwealth Government, a State Government, or private businesses and individual people.

There is no general right for you to see the information that other businesses or individuals hold about you. This means that a person or business that holds your information has no obligation to automatically give you access to it.

However, the Commonwealth and State laws outlined earlier provide people with some rights to access information held by government agencies (e.g. the ATO, Centrelink, Police, and Commonwealth and State health departments), and by a limited range of private organisations.

Breach of Confidentiality in Healthcare

This section covers patient confidentiality breaches, including breaches of confidentiality in nursing. A lack of understanding of confidentiality obligations in healthcare can leave health care professionals exposed.

"Privacy" is concerned with the handling of people's personal information. "Confidentiality", on the other hand, is concerned with protecting information belonging to other people or entities that was communicated in confidence and is not readily available to the public.

Examples of confidentiality in healthcare include medical confidentiality, which requires health care professionals such as doctors and nurses to protect their patients' confidential information and discussions.

Privacy is generally governed by legislation such as the Privacy Act 1988 (Cth). Confidentiality, by contrast, is primarily governed by the common law of breach of confidence (judge-made law, also known as precedent), although, as noted above, the Privacy Act itself preserves relief for breach of confidence.

Generally, as a health care professional, you have a duty under the Privacy Act and the APPs not to disclose personal information for secondary purposes such as marketing or media interviews. In addition, you have a common law duty and an ethical duty not to disclose such information. A breach of confidentiality can result in legal action being taken against you for damages. It can also result in disciplinary action from within the healthcare professional bodies.

As a health care professional, you may disclose confidential information if consent is obtained, and in other limited circumstances. Some of those limited circumstances include medical research, public interest and to other health care providers or agencies. In addition, you may also be required in limited circumstances to disclose confidential information in legal proceedings in court.

An example of a breach of confidentiality in aged care is a home carer leaving a client file in his or her car, where others may be able to access it or the car may be stolen.

Breach of Confidentiality by Employer

An employer has a duty of confidentiality in relation to its employees' personal information, including their residential addresses. Mishandling this information could result in a breach of the Commonwealth Privacy Act outlined earlier. The consequences and processes that follow from such a breach have also been outlined earlier.

Examples of employee records include records of the employee's health, contact details, and employment details such as salary and financial information.

These records are generally to be handled in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). Note, however, that the Privacy Act contains an "employee records" exemption (section 7B(3)): acts and practices of a private sector employer that are directly related to a current or former employment relationship and to an employee record are exempt from the APPs, so the APPs will not apply to every use of such records. An example of a situation where an employer is permitted to disclose certain employee details is where the employer discloses them to a prospective purchaser of the business.

For the NSW public sector, the Commonwealth Privacy Act does not apply. Instead, the Privacy and Personal Information Protection Act 1998 (NSW) applies to NSW State Government bodies.

Breach of Confidentiality in the Workplace

Breaches of confidentiality in the workplace have become more prevalent due to advances in technology.

A breach of confidentiality by an employee in Australia can result in the employee being sued for damages through legal proceedings. Examples of workplace confidentiality breaches include, but are not limited to, copying data from a work computer or server to a hard drive or USB drive before ending the employment, or disclosing a former employer's confidential information to a new employer.

Examples of breach of confidentiality in childcare

Confidentiality in childcare in Australia is dealt with by the Commonwealth Privacy Act 1988, where the childcare organisation is covered by that Act. The same framework outlined earlier applies in the childcare industry when it comes to confidentiality.

The Australian Privacy Principles (APPs) outlined earlier in this article apply to such childcare organisations when handling personal and confidential information. The same kinds of consequences apply in the event of a breach.

In addition, the Notifiable Data Breaches (NDB) scheme requires childcare organisations covered by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals of an eligible data breach, meaning a data breach that is likely to result in serious harm to the individuals concerned.

Failing to notify in accordance with the NDB scheme can expose the entity to civil penalties. At the time this article was written, the penalties were cited as up to $360,000 for individuals or up to $1.8 million for an organisation; these amounts are tied to Commonwealth penalty units and have since been increased.

Breach of Trust

Criminal Breach of Trust

A relationship of trust exists where there is a special relationship between the victim and the offender at the time of the offending which "transcends the usual duty of care arising between persons in the community in their everyday contact or their business and social dealings", according to the case of Suleman v R [2009] NSWCCA 70. Examples include parent and child, doctor and patient, priest and penitent, and teacher and student. This is the context of breaches of trust in criminal law. A specific example of a criminal breach of trust is where a doctor commits a sexual assault against a patient. A breach of trust generally aggravates an offence, which effectively means that it increases the punishment.

For more on offences committed in breach of trust circumstances, we recommend speaking directly to a criminal lawyer for advice specific to your case.

Definition of Breach of Confidentiality

Confidential information can include personal information such as age, residential address, health conditions and income. A breach of confidentiality includes the misuse of information disclosed in confidence to, for example, your doctor, which is required to be protected. The Privacy Act 1988 (Cth) and the Privacy and Personal Information Protection Act 1998 (NSW) protect confidential information.

In summary, the Privacy and Personal Information Protection Act 1998 (NSW) protects privacy rights in NSW in relation to NSW public sector agencies, including local councils and universities. The Health Records and Information Privacy Act 2002 (NSW) protects your privacy rights in NSW in relation to your personal and health information. It applies to NSW public sector agencies such as local councils and universities, to public and private sector health organisations such as public and private hospitals and medical centres, and to larger businesses with a turnover of more than $3 million that hold health information (e.g. insurance companies).


An example of a breach of confidentiality is a breach of doctor-patient confidentiality, which may arise if your doctor discloses your private health information to anyone not authorised to be privy to it. This can include a family member or friend.

The consequences of a breach of patient confidentiality include loss of employment, potential legal proceedings, and being sued for damages where the damage can be quantified. In the health care industry, there are certain oaths and codes of practice that are required to be followed. Codes are implemented by, for example, the Medical Board of Australia and the Australian Medical Association, in addition to the common law and legislation in the way outlined in this article. Other action that may be taken includes the Privacy Commissioner becoming involved to investigate and make declaration(s).

The consequences of a breach of confidentiality vary depending on the industry in which the breach has occurred. The medical industry will have different consequences from the legal industry; however, each has its own internal mechanisms for dealing with breaches by way of disciplinary action, ranging from a reprimand to being struck off as a member of that professional body, in addition to damages via legal proceedings.

If you suspect a breach of confidentiality, the first step is to assess whether a breach has in fact occurred. This means ascertaining who committed the breach and the nature of the breach. The next step is to try to contain the breach before reporting it to the line manager. If a breach is established, it must be disclosed to any affected person or organisation (if applicable). At the same time, it is important to determine and implement a strategy to mitigate or eliminate any damage caused, as soon as possible.

In addition, a remedy can also be sought by reporting the breach of confidentiality. You may lodge a complaint with the Commissioner (as outlined earlier in this article). The Commissioner may then investigate and decide what should be done. This can range from taking no further action to making a declaration that one party pay damages to the other and/or comply with certain conduct to remedy the breach or the damage caused. In this way, a breach of confidentiality or privacy can result in penalties through the Commissioner. Any non-compliance with those declarations can result in legal proceedings to enforce them. These procedures can also apply to an accidental breach of confidentiality.

Published on 13/12/2021

AUTHOR Criminal Defence Lawyers Australia

Criminal Defence Lawyers Australia are Leading Criminal Defence Lawyers, Delivering Exceptional Results in all Australian Courts.
