Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Every Australian business relies on information. From pricing models and playbooks to client lists and source code, these assets are often what set you apart. In a world where data moves quickly, protecting that information isn’t just “good governance” - it’s central to your competitive edge and your customers’ trust.
If something slips out, it can feel overwhelming. What actually counts as a breach of confidentiality? Which laws apply in Australia? And most importantly, what practical steps can you take to stop further harm and enforce your rights?
In this guide, we’ll explain what a breach of confidentiality looks like in the workplace, the legal frameworks that apply, the remedies you can seek, and the steps you can take to prevent issues in the first place. You’ll find plain-English explanations and actionable tips you can use today.
What Is A Breach Of Confidentiality?
A breach of confidentiality occurs when someone uses or discloses information that they’re obligated to keep secret, without authority or consent. The information could be commercial (like pricing, supplier terms, product roadmaps or source code), technical (know‑how, processes, designs), or personal (customer records, employee details).
In practice, the obligation to keep information confidential usually comes from one or more sources: a contract (for example, a Non‑Disclosure Agreement or a confidentiality clause in a service or employment contract), equity (the equitable duty of confidence), statute (such as privacy laws), and workplace policies.
When Is Information “Confidential”?
Courts look at whether the information has the “necessary quality of confidence” (it’s not public, and it has value), was communicated in circumstances importing an obligation of confidence, and was used or disclosed without permission and to your detriment. Internal labels like “Confidential” help, but they’re not essential; what matters is substance and context.
Are Privacy And Confidentiality The Same Thing?
Not exactly. Privacy law deals with personal information about individuals, while confidentiality can cover any information a party is obliged to keep secret. They often overlap in business. For a clear comparison, see this guide on the difference between privacy and confidentiality.
Recognised Exceptions
There are limited situations where disclosure is permitted or required, including:
- Disclosure required by law (for example, a court order, warrant or regulatory notice).
- Express consent from the information owner.
- Preventing or reducing a serious threat to life, health or safety.
- Public interest disclosures in narrow, exceptional circumstances.
If you’re unsure whether an exception applies, it’s wise to seek advice before disclosing.
Common Workplace Examples In Australia
Breaches can be accidental or deliberate. Typical scenarios include:
- Forwarding a client list to a personal email account, so that the business no longer controls where that copy goes or who can read it.
- Discussing a confidential product launch with friends, leading to a competitor beating you to market.
- Sharing a prospect database with a third‑party provider without a contract or consent.
- Using specific technical know‑how or trade secrets learned at work (as distinct from the general skill and experience an employee is free to take with them) to set up a competing venture.
- Copying pricing templates, pitch decks or code repositories before resigning.
- Disclosing an employee’s medical information to the wider team without permission.
It’s also important to remember that employers can breach confidentiality too - for example, by mishandling employee or customer data or by accessing staff communications without clear legal authority or policy coverage. If you’re navigating questions about staff inboxes, see this overview of employer access to employee emails.
What Laws Apply To Confidentiality?
Multiple legal frameworks can protect your information and provide avenues for remedies.
1) Contract Law
Confidentiality obligations commonly appear in contracts, such as Employment Contracts, services agreements and standalone NDAs. Contractual remedies can include injunctions (to stop further misuse) and damages (to compensate loss). Clear definitions, permitted purpose/use and return‑or‑destroy obligations make enforcement easier.
2) Equitable Duty Of Confidence
Even without a written contract, Australian courts can impose duties of confidence where information is clearly confidential and shared in circumstances importing confidence (for example, a private meeting to discuss a partnership). Remedies can include injunctions, delivery up, damages, an account of profits, and sometimes declarations.
3) Privacy Law
If the information is “personal information” (about an identifiable individual), the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) may apply. Many businesses must also notify eligible data breaches under the Notifiable Data Breaches scheme. Having a compliant Privacy Policy and a tested Data Breach Response Plan helps you meet these obligations and respond quickly.
4) Workplace And Other Laws
Workplace laws can be engaged when employee information is misused. Depending on the sector, you may also have industry‑specific duties (for example, health, financial services or NDIS rules). A breach in one area often has consequences across several frameworks.
Legal Remedies If A Breach Occurs
Your enforcement options will depend on the facts, the agreements in place, and the type of information involved. Common remedies include:
Injunctions (Urgent Court Orders)
An injunction restrains further use or disclosure of the information. Courts can make interim (urgent) orders to stop the damage while the dispute is resolved. These orders can also require steps like removing content, disabling access or delivering up devices or documents.
Damages
Monetary compensation can be awarded for loss caused by the breach. In contract, this aims to put you in the position you would have been in if the breach hadn’t occurred. In equity, courts may also award damages or equitable compensation for misuse of confidential information.
Account Of Profits
Where the wrongdoer has made money from the misuse (for example, new sales using your client list), a court can order them to hand over those profits. This is an equitable remedy focused on preventing unjust enrichment.
Delivery Up, Destruction And Return
Orders can compel the person to return or destroy confidential materials (including copies, backups and derivatives) and to provide sworn statements confirming compliance.
Declarations And Costs
Courts can declare that a breach occurred and may order the breaching party to pay your legal costs, particularly if you’ve tried to resolve the issue reasonably and quickly.
Regulatory Consequences
If personal information is involved, you may need to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) under privacy law. Some conduct may also be a criminal offence (for example, unauthorised computer access). In those cases, you don’t “pursue charges” yourself - you report the matter to police or the relevant regulator, who decides whether to investigate or prosecute.
Practical Steps To Respond To A Breach
Act quickly, methodically and proportionately. Here’s a sensible order of operations that works for most scenarios.
1) Contain The Issue
- Identify what was disclosed, when, by whom and to whom.
- Secure systems: revoke access and active sessions (including API tokens and any shared credentials the person knew), change passwords, and preserve evidence before you remediate. Export and retain relevant logs and mailbox rules rather than deleting them, and don’t wipe or reissue a device until it has been imaged.
- Request deletion or return from any recipients (and ask for confirmation in writing).
2) Check Your Obligations And Rights
- Review relevant contracts (for example, your NDA or service agreement) and policies to confirm duties, permitted use, return‑or‑destroy clauses and dispute steps.
- Consider whether privacy, employment or sector rules require you to notify anyone.
3) Assess Harm And Risk
- Consider actual and potential impacts on customers, staff, partners and your competitive position.
- Prioritise actions that reduce the biggest risks first.
4) Send A Targeted Demand
- Issue a focused letter that asserts your rights, demands cessation, return or destruction of materials, and seeks undertakings not to use the information. A properly framed cease and desist letter can resolve many matters quickly.
5) Escalate If Needed
- If the risk is ongoing or severe, consider urgent court relief (for example, an interim injunction) and claims for damages or an account of profits.
- Where criminal activity is suspected (such as unauthorised system access or theft), report it to police or the relevant regulator.
6) Notify Under Privacy Law (If Required)
- For eligible data breaches, notify affected individuals and the OAIC. Your Data Breach Response Plan should set out who does what and when.
7) Learn And Improve
- Close gaps through technical controls, updated contracts and targeted training.
- Record incident learnings and refine your playbooks for next time.
Throughout, document your decisions and timelines. This helps with any regulatory engagement and supports cost recovery in litigation.
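The first step of the procedure above, working out what was disclosed, when, by whom and to whom, and preserving the evidence you relied on, is usually done by reading audit logs. The following is an added example (not code from the original article or from Sprintlaw) that triages a small, constructed file-and-mail audit log: it flags forwarding or sharing to personal mailboxes and outside parties, bulk downloads, and access after an employee’s recorded last day, builds the timeline a demand letter or court application needs, and records a SHA-256 hash of the log so it can later be shown to be unaltered. The log format, the domain lists, the `LEAVERS` table and the bulk-transfer threshold are all assumptions for the example; substitute your own platform’s export and HR data.

```python
"""Triage a file/mail audit log after a suspected breach: build the
who/what/when/to-whom timeline, flag exfiltration indicators, and record a
hash of the log as preserved evidence."""
import hashlib
from datetime import date, datetime

# Constructed sample audit log for this example (not real data). Format is an
# assumption: ISO-8601 timestamp, then space-separated key=value tokens.
SAMPLE_LOG = """\
2024-05-02T09:14:07Z user=j.smith@example.com.au action=download object=clients/client_list.xlsx size=2400000
2024-05-02T09:15:30Z user=j.smith@example.com.au action=forward recipient=jsmith.personal@gmail.com object=clients/client_list.xlsx
2024-05-02T09:16:02Z user=j.smith@example.com.au action=share recipient=ann@partner.example object=pitch/deck_v7.pptx
2024-05-02T11:40:55Z user=a.lee@example.com.au action=download object=hr/leave_policy.pdf size=120000
2024-05-03T18:02:11Z user=j.smith@example.com.au action=download object=repo/pricing-engine.zip size=95000000
"""

# Assumed inputs you would supply yourself: your own mail domains, a list of
# personal-mail domains, HR's record of last working days, and a threshold
# above which a single download counts as "bulk".
CORPORATE_DOMAINS = {"example.com.au"}
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
LEAVERS = {"j.smith@example.com.au": date(2024, 5, 2)}
BULK_BYTES = 50 * 1024 * 1024


def parse_event(line):
    """Turn one log line into a dict; 'when' becomes a timezone-aware datetime."""
    stamp, _, rest = line.partition(" ")
    event = {"when": datetime.fromisoformat(stamp.replace("Z", "+00:00"))}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def classify_recipient(address):
    """Internal, personal mailbox, or some other external party."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in CORPORATE_DOMAINS:
        return "internal"
    if domain in PERSONAL_DOMAINS:
        return "personal mailbox"
    return "external party"


def indicators(event, leavers):
    """Exfiltration indicators for one event (empty list means nothing notable)."""
    found = []
    if event["action"] in ("forward", "share"):
        kind = classify_recipient(event["recipient"])
        if kind != "internal":
            found.append(f"{event['action']} to {kind}")
    if event["action"] == "download" and int(event.get("size", 0)) >= BULK_BYTES:
        found.append("bulk download")
    last_day = leavers.get(event["user"])
    if last_day is not None and event["when"].date() > last_day:
        found.append("access after departure date")
    return found


def triage(log_text, leavers=LEAVERS):
    """Timeline of flagged events, oldest first: who, what, when, to whom."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        flags = indicators(event, leavers)
        if flags:
            findings.append({
                "when": event["when"].isoformat(),
                "who": event["user"],
                "what": event.get("object", "-"),
                "to_whom": event.get("recipient", "-"),
                "indicators": flags,
            })
    findings.sort(key=lambda f: f["when"])
    return findings


def evidence_record(log_text):
    """Hash the log exactly as received so it can later be shown to be unaltered."""
    raw = log_text.encode("utf-8")
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "bytes": len(raw),
        "events": sum(1 for l in log_text.splitlines() if l.strip()),
    }


if __name__ == "__main__":
    print("evidence:", evidence_record(SAMPLE_LOG))
    for f in triage(SAMPLE_LOG):
        print(f["when"], f["who"], f["what"], "->", f["to_whom"], "|", ", ".join(f["indicators"]))
```

Run it against the raw export, never against a copy you have already filtered, and store the hash from `evidence_record` alongside your decision log: it is what lets you answer "how do we know the log wasn’t changed after the event?" months later. Domain lists are a heuristic, so treat "external party" as a prompt to check whether a contract or consent covers that recipient, not as proof of a breach.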
How To Prevent Breaches (And The Key Documents To Have)
Prevention saves time, cost and trust. Combine the right paperwork with simple, practical controls.
Build A Culture Of Confidentiality
- Onboard staff with plain-English training about what’s confidential and how to handle it.
- Restrict access on a need‑to‑know basis and keep audit trails.
- Use two‑factor authentication, encryption and secure file‑sharing as standard.
Put Clear Contracts And Policies In Place
Well-drafted contracts and policies make expectations clear and enforcement easier:
- Employment Contract: Sets confidentiality obligations during and after employment, alongside IP ownership, conflict of interest and post‑employment restrictions where appropriate. See Employment Contract.
- Non‑Disclosure Agreement (NDA): Useful before sharing sensitive information with potential partners, suppliers, investors or contractors. A tailored NDA should define “Confidential Information”, permitted purpose, return‑or‑destroy obligations and remedies.
- Staff Handbook & Policies: Set baseline rules for IT security, bring‑your‑own‑device, remote work and reporting incidents. A concise, accessible handbook helps drive compliance - see the Staff Handbook package.
- Privacy Policy: If you collect personal information (most businesses do), a compliant Privacy Policy explains how you handle data and supports APP compliance.
- Data Breach Response Plan: A step‑by‑step guide for assessing, containing and notifying privacy breaches. Having a tested plan reduces confusion and delays when time matters.
Operational Tips That Make A Difference
- Use role‑based permissions and revoke access promptly on role changes or departures.
- Prohibit forwarding to personal email accounts; provide secure, sanctioned alternatives.
- Label confidential documents and include footer reminders about permitted use and return.
- Include return‑or‑destroy obligations on contract termination and verify compliance.
- Schedule refreshers - short, scenario‑based training every six to twelve months works best.
What About Employers’ Own Obligations?
Employers should model best practice. Avoid “informal” disclosures of staff details, implement clear approval processes for sharing information, and make sure your internal access to employee communications is covered by policy and the law. If in doubt, get advice before looking at private communications or sensitive records.
Key Takeaways
- A breach of confidentiality happens when information that should be kept secret is used or disclosed without authority; it can involve commercial, technical or personal information.
- Australian law protects confidential information through contracts, equity and privacy rules, with remedies including injunctions, damages, an account of profits, delivery up and costs.
- Move quickly if a breach occurs: contain the issue, confirm your rights and obligations, send a targeted demand, consider urgent injunctions where needed, and meet any privacy notification duties.
- Prevention starts with the basics - clear contracts, practical policies, need‑to‑know access and regular training - supported by a strong Privacy Policy and a tested Data Breach Response Plan.
- Employers have duties too; mishandling employee or customer information can create legal and trust risks, so lead by example and keep your processes tight.
- The right documents - your Employment Contract, NDA, Staff Handbook, Privacy Policy and response plan - make obligations clear and enforcement faster when it counts.
If you need help responding to a breach or putting strong protections in place, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.