Privacy determination – Sensitive Information stored in garden shed

Reviewed by Malcolm Burrows

The Privacy Commissioner, Timothy Pilgrim, has found that a Melbourne medical centre breached the Privacy Act 1988 (Cth) (Privacy Act) by failing to provide adequate security for the Sensitive Information contained in its medical records. The breach occurred before the Australian Privacy Principles (APPs) took effect, and the medical centre was therefore found to have breached the National Privacy Principles (NPPs).

The medical centre stored the files of around 960 patients in a locked garden shed. The security of the files was compromised when the shed was broken into. The files contained detailed personal information, including individuals’ full names, addresses, dates of birth, Medicare numbers and treatment details, as well as patients’ discharge summaries.

Under section 6(1)(b) of the Privacy Act, Sensitive Information includes Health Information, which under section 6(1)(a) includes, but is not limited to, information or an opinion about: the health or a disability (at any time) of an individual that is also personal information; or other personal information collected to provide, or in providing, a health service.

The Privacy Commissioner highlighted the insecure, temporary nature of a garden shed and its inadequacy to protect Sensitive Information from unauthorised access and misuse. Many of the files related to patients seen before 2004. In these circumstances many of the patient files should have been destroyed or de-identified, as they were no longer necessary for the purpose for which they were collected. The files could have been shredded or disposed of using another secure method. By failing to take these steps, the medical centre exposed its patients to the risk of identity fraud.

The Commissioner advised the medical centre to undertake a privacy risk assessment, train its staff and develop a privacy breach response plan.

The amendments

The Privacy Act now contains thirteen (13) new Australian Privacy Principles aimed at protecting Personal Information. The APPs apply to businesses with an annual turnover of more than $3 million, as well as some small businesses, including Health Service providers. Under the current regime, the medical centre's conduct would breach APP 11, which requires businesses to take reasonable steps to secure Personal Information. The finding suggests that keeping Sensitive Information in a locked garden shed does not constitute “reasonable steps”.

Civil Penalty Provisions

Recent amendments to the Privacy Act have given the Privacy Commissioner new powers. The Commissioner may apply to the Federal Court for civil penalty orders. The civil penalty provisions currently allow for penalties of up to:

  • $A340,000 for an individual; and
  • $A1.7 million for a company.

While the substance of the principles under the Privacy Act has not changed, the penalties and prescriptive requirements have become more onerous. Health Service providers and other small businesses should consider this finding when assessing the adequacy of their current security procedures.

Links and further references

Legislation

Privacy Act 1988 (Cth)

Privacy Amendment (Enhancing Privacy Protection) Act 2012

Other references

Office of the Australian Information Commissioner, APP Guidelines

Office of the Australian Information Commissioner, Australian Privacy Principles

