Tags: Privacy Act, Privacy Tort, Data Breach, Healthcare Compliance, Australian Privacy Principles, General Practice

Australia's New Privacy Tort: What Healthcare Practices Need to Know in 2025

ClinicComply Team
10 min read

Most Australian practice managers know they have obligations under the Privacy Act 1988. They know the Australian Privacy Principles apply to health information. They know a serious data breach needs to be reported to the OAIC. What most do not know is that since 10 June 2025, patients can now sue your practice directly in court for a serious invasion of their privacy, without going through the OAIC at all. That is a fundamentally different kind of legal exposure, and it arrived quietly while most healthcare providers were focused on other things.

This guide explains the new law, what it means for clinics and allied health practices specifically, and the practical steps that reduce your risk before your practice becomes a test case.

What Is the Statutory Tort of Privacy?

The Privacy and Other Legislation Amendment Act 2024 introduced a statutory cause of action for serious invasion of privacy. It commenced on 10 June 2025. Before this, a patient who believed their privacy had been seriously violated had one main path: complain to the OAIC, wait for an investigation that might take years, and hope for a conciliated outcome. That was a slow process with limited remedies for the individual.

Under the new tort, a patient can bring a private lawsuit in court. They do not need to go through the OAIC first. They do not need to wait for a regulator to investigate. If they can establish that your practice (or someone in it) seriously invaded their privacy, they can seek compensation directly from you, including for non-economic loss such as emotional distress, humiliation and anxiety. The cap on non-economic damages is currently $478,550.

The tort applies where a person had a reasonable expectation of privacy, the invasion was serious (not merely technical or trivial), and the conduct was either intentional or reckless. Health information sits at the very top of what counts as private under Australian law. A patient visiting a GP or allied health provider has an unambiguously reasonable expectation that their health records will not be seen, used or shared outside of their care.

How Healthcare Practices Are Most at Risk

Healthcare is the highest-risk sector in Australia for privacy breaches. The OAIC consistently reports that health is the number one industry for notifiable data breaches, accounting for around 18% of all reports. But the new tort does not require a data breach in the traditional sense. It captures a broader range of conduct. Here are the specific scenarios that expose healthcare practices most directly.

Staff Accessing Records Without a Clinical Reason

This is the most underestimated risk in the sector. When a staff member opens a patient record out of curiosity, because the patient is someone they know, or to share information with a third party, that access is a serious invasion of privacy. It is intentional. The patient had a reasonable expectation that their record would only be viewed by people involved in their care. And depending on what was seen and shared, it can easily meet the seriousness threshold.

In a large general practice or a multi-site allied health group, this kind of access is hard to detect without system-level audit logging. The new tort creates a direct financial incentive for patients who have been affected to bring a claim, which means incidents that previously went unaddressed are now far more likely to surface as legal disputes.

Data Breaches That Go Beyond a Notification Obligation

Under the Notifiable Data Breaches scheme, a practice that suffers a data breach must notify the OAIC and affected individuals where there is a likely risk of serious harm. That notification does not resolve the matter for the affected patients. Under the new tort, each individual whose health records were exposed in a breach now has the legal standing to pursue their own claim against your practice, independent of anything the OAIC does or does not do.

A ransomware attack that exposes patient health records, a misconfigured cloud storage bucket, or an email sent to the wrong recipient all carry the same underlying question: was there a serious invasion of the privacy of a real person? If yes, that person can now take you to court for it.

Verbal Disclosures and Third-Party Sharing

Privacy invasions are not only digital. A receptionist discussing a patient's diagnosis within earshot of the waiting room, a practitioner sharing a patient's health history with a family member without consent, or clinical records being discussed during a staff meeting without any need to do so: these are all capable of forming the basis of a claim under the new tort. If the conduct was intentional or reckless, and the patient can demonstrate genuine harm, the elements are present.

What Patients Need to Prove to Succeed in Court

The tort has a deliberate threshold to prevent trivial claims. A patient suing your practice needs to show that the invasion was serious, not merely that their privacy was technically interfered with. Courts will look at the nature of the information involved (health records score very high), the sensitivity of the context, the extent of any disclosure, and the actual or potential harm to the patient.

There is also a public interest balancing step built into the tort. Disclosures that are genuinely necessary for clinical care, public health purposes, or legally required reporting will generally not give rise to liability. The risk is concentrated in conduct that falls outside legitimate clinical purpose and was undertaken deliberately or without reasonable care.

What This Means for Your Privacy Practices Right Now

The new tort does not require you to rebuild your entire compliance programme. It does require you to take specific steps that many practices have treated as optional or low priority.

Review Your Access Controls

Your clinical software should be configured so that staff access only the records they need for their role. Front desk staff should not have unrestricted access to clinical notes. A practitioner should not be able to open records for patients who are not their own without a specific clinical reason. Where your software allows it, enable audit logging so you can see who accessed what and when. If you discover access that had no clinical justification, you need a process to respond to it.
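The audit review described above (and the detection gap noted earlier under staff access without a clinical reason) can be run as a routine check rather than waiting for a complaint. The script below is an added example, not ClinicComply's code or any particular clinical system's export format: it assumes a CSV audit log with the columns shown, a staff roster, a per-patient care-team list and a per-role list of permitted record types, all of which are constructed sample data here. It flags three things: accounts that are not on the roster, roles opening record types they should never see (front desk opening clinical notes), and off-care-team access with no reason recorded.

```python
"""Flag clinical-system audit-log entries that lack a documented clinical reason.

Added example, not code from ClinicComply or any clinical software vendor.
Assumes the practice can export an access audit log as CSV with the columns
timestamp,user,patient_id,record_type,reason_code. All data below is constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: staff on each patient's care team (patient_id -> users).
CARE_TEAM = {
    "P1001": {"dr.lee", "nurse.ahmed"},
    "P1002": {"dr.patel"},
}

# Constructed sample staff roster: user -> role.
ROSTER = {
    "dr.lee": "practitioner",
    "dr.patel": "practitioner",
    "nurse.ahmed": "nurse",
    "reception.kim": "front_desk",
}

# Record types each role may open at all. Front desk handles bookings and
# demographics; it never has a reason to open clinical notes or results.
ROLE_ALLOWED = {
    "practitioner": {"demographics", "clinical_note", "results"},
    "nurse": {"demographics", "clinical_note", "results"},
    "front_desk": {"demographics"},
}

# Constructed sample audit log export.
AUDIT_LOG = """\
timestamp,user,patient_id,record_type,reason_code
2025-07-01T09:02:11,dr.lee,P1001,clinical_note,consult
2025-07-01T09:15:40,reception.kim,P1001,demographics,booking
2025-07-01T12:47:03,reception.kim,P1002,clinical_note,
2025-07-01T13:05:22,dr.patel,P1001,clinical_note,
2025-07-01T13:30:00,dr.patel,P1001,clinical_note,referral
2025-07-01T17:55:09,unknown.user,P1002,results,
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    patient_id: str
    record_type: str
    issue: str


def review_access(log_text, roster=ROSTER, care_team=CARE_TEAM,
                  role_allowed=ROLE_ALLOWED):
    """Return one Finding per audit entry that needs a human to follow up."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient, rtype = row["user"], row["patient_id"], row["record_type"]
        role = roster.get(user)
        if role is None:
            # An account the practice does not recognise is the first thing to chase.
            findings.append(Finding(row["timestamp"], user, patient, rtype,
                                    "user not on staff roster"))
            continue
        if rtype not in role_allowed.get(role, set()):
            # Role should never open this record type, whatever the reason field says.
            findings.append(Finding(row["timestamp"], user, patient, rtype,
                                    f"role '{role}' not permitted to open {rtype}"))
            continue
        on_team = user in care_team.get(patient, set())
        if not on_team and not row["reason_code"].strip():
            # Off-team access is legitimate only with a recorded clinical reason.
            findings.append(Finding(row["timestamp"], user, patient, rtype,
                                    "not on care team and no clinical reason recorded"))
    return findings


def summarise_by_user(findings):
    """Count findings per user so repeat behaviour stands out in the report."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(AUDIT_LOG):
        print(f"{f.timestamp} {f.user:<14} {f.patient_id} {f.record_type:<14} {f.issue}")
    print(summarise_by_user(review_access(AUDIT_LOG)))
```

Off-team access that does carry a reason code (the referral line in the sample) is deliberately not flagged, so the report stays short enough to be read every week; sampling those entries periodically is still worthwhile. Each finding is something to raise with the staff member and record the outcome of, which is the documented response process the paragraph above calls for.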

Make Staff Training a Documentation Event

Your team needs to understand that accessing a patient record without a legitimate clinical reason is now a potential legal liability for the practice, not just an internal HR matter. Run a training session on this. Document who attended and when. Create a written policy that sets out what constitutes appropriate access and what the consequences of inappropriate access are. The combination of a written policy and documented training matters, because it demonstrates that your practice took reasonable steps to prevent harm.

Update Your Privacy Policy and Incident Response Plan

Your privacy policy needs to reflect the current legal landscape, including the existence of the new tort and what your practice does when a privacy incident occurs. Your incident response plan should have a clear path from detection to assessment to notification. If you do not have a written incident response plan, that is the highest-priority item on this list.

The Two-Track Risk Landscape

It is worth being clear that the statutory tort sits alongside, not instead of, the existing regulatory framework. The OAIC can still investigate complaints, issue determinations and impose civil penalties under the Privacy Act. In October 2025, the OAIC issued the first-ever civil penalty under the Privacy Act, a $5.8 million fine. Tranche 2 of the privacy reforms, covering automated decision-making and other obligations, is expected to commence in December 2026.

Your practice now faces two overlapping exposure pathways. Regulatory action from the OAIC is one. Direct litigation from individual patients is the other. The same underlying events, a staff member accessing records inappropriately, a data breach, a careless disclosure, can trigger both at the same time. Getting your privacy practices right is no longer just about avoiding a regulator's attention. It is about protecting your practice from claims that can be brought directly and independently by the people sitting in your waiting room.

How ClinicComply Helps

ClinicComply tracks your compliance against the Privacy Act 1988 Australian Privacy Principles framework and the Notifiable Data Breaches scheme in one place. You can assign privacy-related checklist items to your team, store your privacy policy and incident response documentation as evidence, and set reminders for regular reviews so your compliance does not drift between accreditation cycles.

If your practice is not currently tracking its privacy obligations in a structured way, now is the right time to start. Start your free 30-day trial at cliniccomply.com.au.


Frequently Asked Questions

What is Australia's new statutory tort of privacy?

The statutory tort of privacy is a new legal cause of action that commenced on 10 June 2025 under the Privacy and Other Legislation Amendment Act 2024. It allows individuals to sue in court for a serious invasion of their privacy without needing to go through the OAIC first. To succeed, a plaintiff must show they had a reasonable expectation of privacy, the invasion was serious, and the conduct was intentional or reckless.

Can a patient sue my practice directly for a privacy breach?

Yes, from 10 June 2025 any individual who has suffered a serious invasion of their privacy can bring a private lawsuit in an Australian court. Patients do not need to file a complaint with the OAIC first. Health records are considered among the most sensitive categories of personal information under Australian law, so healthcare practices face a higher inherent risk than most other sectors.

How is the new privacy tort different from an OAIC complaint?

An OAIC complaint is a regulatory process. The OAIC investigates, can make determinations, and in serious cases can seek civil penalties from the Federal Court. The new tort is a private right of action: the patient is the one bringing the claim, they choose when and where to sue, and they receive any damages awarded. Both pathways can be used in response to the same incident.

What damages can patients claim under the privacy tort?

Courts can award both economic damages (such as loss of earnings or out-of-pocket costs caused by the privacy breach) and non-economic damages for harm including emotional distress, humiliation, and anxiety. The cap on non-economic damages is currently $478,550. Courts can also award injunctions to prevent ongoing or future breaches.

Does the privacy tort apply to small practices and sole traders?

Yes. The Privacy Act 1988 applies to all healthcare providers regardless of size, including sole trader GPs, physiotherapists, dentists, psychologists, and allied health practitioners. Healthcare is explicitly carved out of the small business exemption that applies to other sectors. If you handle patient health records, the new tort applies to your practice.

What is the seriousness threshold for the privacy tort?

The tort requires that the invasion of privacy was serious rather than merely technical or trivial. Courts will assess the sensitivity of the information involved, the nature of the conduct, whether there was actual or likely harm, and any relevant public interest considerations. Unauthorised access to health records, disclosure of a diagnosis to a third party without consent, and patient data exposed in a ransomware attack are all likely to meet the seriousness threshold.
