Obligations of confidence

Common law and equitable duties of confidence

15.125 Legally enforceable obligations to maintain confidence may arise in contract and equity. These obligations are capable of applying to individuals, organisations, agencies and officers of agencies.[148] Relief is available against third party recipients of confidential information, and those who knowingly assist a confidant to breach his or her obligations of confidentiality.[149]

15.126 A contractual obligation of confidence can arise from express terms in a contract, but also by implication.[150] The nature of the obligation will depend on the terms of the contract. Remedies for threatened and actual breach of the contractual obligations to maintain confidence include injunctions and damages.

15.127 An equitable obligation of confidence can arise where the formalities for the formation of a contract are not present.[151] The obligation arises where information with the necessary quality of confidence is imparted in circumstances importing an obligation of confidence.[152] Such circumstances will exist where the information is imparted on the understanding that it is to be treated by the confidant on a limited basis, or where the confidant ought to have realised that in all the circumstances the information was to be treated in such a way.[153] Breach of the obligation occurs where there is an unauthorised use, not only where there is unauthorised disclosure, of the information.

15.128 Unlike the position in contract, where loss is the basis of a claim for damages, the plaintiff in a suit for breach of the equitable obligation does not need to show any damage.[154] Remedies for breach of the equitable obligation include compensation or an account of profits, an injunction and a declaration.

Statutory protection of confidential information

15.129 Legally enforceable obligations of confidence also may arise under statute. The FOI Act, for example, addresses government confidentiality and provides that a document is an exempt document if its disclosure under the FOI Act would found an action, by a person (other than an agency or the Commonwealth), for breach of confidence.[155] Federal, state and territory legislation also include a number of confidentiality provisions.[156]

Part VIII of the Privacy Act

15.130 Part VIII of the Privacy Act applies where an agency or an employee of an agency (a ‘confidant’) is subject to an obligation of confidence to another person (a ‘confider’) in respect of personal information.[157]

15.131 The obligation applies whether or not the information relates to the confider or to a third person.[158] It generally preserves all other laws, principles or rules ‘under or by virtue of which an obligation of confidence exists’, except as expressly qualified, or by necessary implication. It also preserves laws, principles or rules that ‘have the effect of prohibiting, or imposing a liability (including a criminal liability) on a person in respect of, a disclosure or use of information’.[159] Part VIII, therefore, allows for the fact that obligations of confidence may arise in various ways.

15.132 The operative provisions of Part VIII are ss 92 and 93. Section 92 extends the obligation a confidant owes to a confider to a third party who acquires the information knowing, or being in a position where he or she ought reasonably to know, that the person from whom he or she acquired the information was subject to an obligation of confidence. Section 93 concerns relief for breach of the obligation. Without limiting any other right a confider has to relief in respect of a breach,[160] a confider under s 93(1) ‘may recover damages from a confidant in respect of a breach of an obligation of confidence with respect to personal information’.[161]

15.133 Where the information the subject of the confidence is personal information relating to a third person, that person ‘has the same rights against the confidant in respect of a breach or threatened breach of the obligation as the confider has’.[162] This is an important extension of the general law position.

15.134 Courts of the ACT are conferred with jurisdiction regarding matters arising under Part VIII, although this does not deprive ‘a court of a State or of another Territory of any jurisdiction that it has’.[163] There are no known court decisions (reported or unreported) applying the confidentiality provisions.

15.135 In DP 72, the ALRC considered whether the provisions in Part VIII of the Privacy Act are adequate and necessary and, if so, whether the provisions should be contained in the Privacy Act or elsewhere. The ALRC noted that Part VIII represents an extension of the law of confidentiality in that it extends the right to enforce a duty of confidentiality to the person to whom the information relates. The ALRC expressed the view that rather than extending the law of confidentiality, it is more appropriate to enact a statutory cause of action for a serious invasion of privacy.[164] The ALRC proposed therefore that Part VIII of the Privacy Act should be repealed.[165]

15.136 All stakeholders that addressed the issue supported the proposal that Part VIII should be repealed.[166] For example, the OPC submitted that it was persuaded by arguments of the ALRC that the Part is unnecessary, given the proposal of a statutory cause of action for a serious breach of privacy.[167]

15.137 The confidentiality provisions contained in Part VIII of the Privacy Act should be repealed. The ALRC notes that the provisions have never been used. It is hard to imagine when this action would be used in preference to making a complaint to the OPC about a breach of the IPPs (or the model Unified Privacy Principles (UPPs)).

15.138 As noted above, Part VIII represents an extension of the law of confidentiality in that it extends the right to enforce a duty of confidentiality to the subject of the information. This right is not available under Australian common law.[168]

15.139 As discussed in Part K, the United Kingdom (UK) courts have developed the action for breach of confidence so that it now covers the wrongful disclosure of private information.[169] The ALRC agrees with the views expressed by the New South Wales Law Reform Commission (NSWLRC) that the law in Australia relating to breach of confidence should not follow the UK case law. The NSWLRC has listed three reasons why such a change is undesirable:

First, confidentiality and privacy are simply different concepts … While most confidential acts and information could arguably be described as private, not all private activity is necessarily confidential.

Secondly, the doctrine of breach of confidence, developed primarily in the exclusive jurisdiction of equity, seems an unsuitable vehicle for the introduction and development of greater privacy protection … equitable intervention does not fasten on the intrinsic value of the information itself.

Thirdly, although the legal notion of confidence is not necessarily restricted to the disclosure of ‘information’ in any technical sense, it is unclear to what extent breach of confidence would be useful beyond situations involving the unjustified publication of private information.[170]

15.140 Rather than extending the law of confidentiality, it is more appropriate to enact a statutory cause of action for a serious invasion of privacy. The cause of action will apply both to agencies and organisations, unlike Part VIII which only applies to agencies; will provide broader protection of privacy than that offered by Part VIII; and will offer a range of remedies. The ALRC’s recommendation for a statutory cause of action for a serious breach of privacy is outlined in Chapter 74.

Recommendation 15-3 Part VIII of the Privacy Act (Obligations of confidence) should be repealed.

[148] See, eg, Johns v Australian Securities Commission (1993) 178 CLR 408, 459–460; Attorney-General (UK) v Heinemann Publishers Pty Ltd (1987) 10 NSWLR 86, 191 (McHugh JA).

[149]Johns v Australian Securities Commission (1993) 178 CLR 408, 459-460; Breen v Williams (1996) 186 CLR 71, 129; Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, [137].

[150] Parry-Jones v Law Society [1968] 1 All ER 177; R Meagher, J Heydon and M Leaming, Meagher Gummow & Lehane’s Equity: Doctrines & Remedies (4th ed, 2002), [41–015].

[151]Ibid, [41–020].

[152]Corrs Pavey Whiting & Byrne v Collector of Customs (Vic) (1987) 14 FCR 434, 443; Smith Kline & French Laboratories (Aust) Ltd v Secretary, Department of Community Services and Health (1990) 22 FCR 73, 86–87.

[153] Smith Kline & French Laboratories (Aust) Ltd v Secretary, Department of Community Services and Health (1990) 22 FCR 73, 86–87; Coulthard v State of South Australia (1995) 63 SASR 531, 546–547.

[154] National Roads and Motorists’ Association Ltd v Geeson (2001) 40 ACSR 1, [58]; NP Generations Pty Ltd v Feneley (2001) 80 SASR 151, [21].

[155]Freedom of Information Act 1982 (Cth) s 45.

[156] See discussion of Privacy Act 1988 (Cth) pt 8 below and discussion of other confidentiality provisions in Chs 16, 60.

[157] The history of Part VIII of the Privacy Act is outlined in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [12.129]–[12.130].

[158] Privacy Act 1988 (Cth) s 90.

[159] Ibid s 91.

[160] Ibid s 93(2).

[161] Since s 93(1) does not limit or restrict any other right that the confider has in respect of the breach, he or she will continue to have a claim to the remedy of equitable compensation where the obligation arises in the equity jurisdiction rather than, for example, in contract. The assessment of ‘damages’ under s 93(1) will not necessarily use the same criteria of quantum, causation, remoteness etc as those that apply to assessment of equitable compensation, or to assessment of damages in contract or for any other civil wrong.

[162]Privacy Act 1988 (Cth) s 93(3).

[163] Privacy Act 1988 (Cth) s 94.

[164] The ALRC’s recommendations for a statutory cause of action are outlined in Ch 74.

[165]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 12–14.

[166] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Australia Post, Submission PR 445, 10 December 2007.

[167]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[168]Commonwealth v John Fairfax & Sons Ltd (1980) 147 CLR 39, 51.

[169] See OBG Ltd v Allan; Douglas v Hello! Ltd [2007] 2 WLR 920; Ash v McKennitt [2007] 3 WLR 194.

[170]New South Wales Law Reform Commission, Invasion of Privacy, Consultation Paper 1 (2007).