What the new statutory tort for serious invasions of privacy means for the public sector

Monique Azzopardi, Mary Trimboli
23 Jun 2025

The widely discussed new statutory tort for serious invasions of privacy (the statutory tort) has now commenced. Housed in Schedule 2 of the Privacy Act 1988 (Cth) (Privacy Act), the statutory tort extends the scope of the Act beyond its traditional focus on information privacy. Notably, it applies to individuals and entities that are not "APP entities" and would not ordinarily fall within the scope of the Privacy Act.

This Insight provides a legal perspective on how the statutory tort may affect the Australian public sector, including State and Territory government departments.

Under the statutory tort, a plaintiff has a cause of action against another "person" where certain conditions and elements are met. While the definition of a "person" under the Acts Interpretation Act 1901 (Cth) does not expressly include a government agency or department, Schedule 2 of the Privacy Act clarifies that the statutory tort binds the Crown in each of its capacities. Notably, the exemptions and defences provided under the statutory tort indicate a clear intent that, subject to those limitations, public sector entities and their staff are within its scope.

While the statutory tort will need to be tested by the courts and clarified over time through jurisprudence, its commencement is unlikely to materially affect the proper activities of most public sector entities given the elements that must be satisfied and the exemptions and defences available. In particular, we note the following:

  1. Serious invasions of privacy: To establish a cause of action under the statutory tort, a plaintiff must satisfy a series of stringent requirements. Among other elements, the plaintiff must prove that a qualifying type of privacy invasion has occurred (either an intrusion upon seclusion or a misuse of their information) and that such an invasion was both "serious" and "intentional or reckless". As noted in an earlier Insight, these elements are designed to prevent the litigation of trivial claims. For most public sector entities, it is unlikely that their acts and practices would typically constitute "serious" invasions of privacy carried out intentionally or recklessly.

  2. Public interest considerations: Additionally, for the statutory tort to succeed, a plaintiff must establish that the public interest in their privacy outweighs any "countervailing public interest". Schedule 2 (clause 7(3)) of the Privacy Act sets out a number of non-exhaustive factors that may constitute a countervailing public interest. Notably, one of these factors is the proper administration of government.

While the application of the countervailing public interest factors will need to be weighed and assessed against privacy considerations on a case-by-case basis, the proper administration of government forms a core tenet of the work of public sector entities. Other factors listed in Schedule 2 of the Privacy Act as constituting a countervailing public interest, such as national security, may also be potentially relied upon by some public sector entities.

  3. Exemptions: Notably, as a result of amendments introduced by the Senate, the statutory tort does not apply to invasions of privacy by an "agency" or by a "State or Territory authority" (as defined under the Privacy Act) or to staff members of those entities (Agency and Authority Exemption) where the invasion occurs in "good faith":

  • in the performance or purported performance of a function of the agency or authority; or

  • in the exercise or purported exercise of a power of the agency or authority.

Relevantly, the definition of "State or Territory authority" under the Privacy Act captures State and Territory public sector entities, including departments, that are not generally subject to the Privacy Act.

The Agency and Authority Exemption does not apply to a "law enforcement body" or an "intelligence agency" (as defined under Schedule 2 of the Privacy Act) as they are covered under a separate exemption under clauses 16B and 17 of Schedule 2 of the Privacy Act, respectively. These exemptions are much broader than the Agency and Authority Exemption and do not include the same qualifications as the Agency and Authority Exemption.

In discussing the Agency and Authority Exemption, the Supplementary Explanatory Memorandum to the Privacy and Other Legislation Amendment Bill 2024 (Cth) noted that:

"The purpose of this exemption is to ensure that government agencies are able to effectively perform their legitimate functions and activities. The exemption would apply directly to agencies and State and Territory authorities as well as to the staff members of agencies and State and Territory authorities (other than staff members of an intelligence agency or law enforcement body).

These amendments are intended to ensure that the delivery of important outcomes by agencies and authorities for the community is not impeded in relation to activities undertaken in good faith and in the performance, or purported performance, or exercise or purported exercise of a function or power of the agency or authority such as information sharing between agencies or authorities to facilitate domestic and family violence prevention and responses and to promote the safety, welfare or wellbeing of a child or young person."       

  4. Defences: A number of specific defences are also available to an action under the statutory tort. Some of these support activities carried out by public sector entities, including where:

  • the invasion of privacy was required or authorised under an Australian law or by a court or tribunal order; or

  • the defendant reasonably believed that the invasion of privacy was necessary to prevent or lessen a serious threat to a person's life, health or safety.

The practical impact of these exemptions and defences is that agencies and State and Territory authorities, as defined under the Privacy Act, will not be liable under the statutory tort for invasions of privacy that occur in good faith and in the course of performing their legitimate functions and activities. Further, public sector entities will have a defence under Schedule 2 of the Privacy Act in instances where their actions are authorised under Australian law. For example, an agency undertaking surveillance activities of a person in accordance with surveillance device legislation may be protected from liability under the statutory tort.

While the impact of the statutory tort on public sector entities is likely to be limited, there may still be situations where the statutory tort arises, for example in cases involving the deliberate misuse of personal information by a public sector agency. Further, it is important to recognise that exemptions and defences under the statutory tort do not circumvent a public sector agency's liability for non-compliance with the broader privacy obligations that they have at law and under contract. It is therefore still crucial that public sector entities ensure that all personnel are aware of the wide-ranging impacts that breaches of privacy may have. We recommend that public sector entities:

  • Provide comprehensive and regular privacy training to all personnel. Training should ensure that personnel understand the importance of protecting personal information and know how to handle and safeguard personal information in accordance with relevant privacy laws. Personnel should also be trained in relation to their functions and activities to ensure they act within the scope of their functions and activities and not beyond the power of the relevant public sector entity;

  • Implement stringent policies, procedures and security mechanisms (including auditing capabilities) to prevent unauthorised access to, and misuse of, personal information;

  • Proactively identify gaps or deficiencies in respect of their privacy obligations, including areas where they may need to uplift current processes and procedures to support privacy compliance; and

  • Develop, review and regularly update their data breach policies and broader data breach response frameworks to help prevent invasions of privacy and mitigate against the potential harm that may arise from misuse of information.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.