I have no idea of the merits of the matter, but take these recent NSW Supreme Court proceedings involving a case against TAFE employees ( Sellwood and Calvert) by a student (Chan) claiming, among other alleged wrongs, a breach of privacy. Part of the statement of claim in one case read:
 By 28 November 2005, the Defendant had begun a collection of/recording of personal information about the Plaintiff prohibited by the NSW (PPIP Act). In the alternative, the Defendant had acted without due authorisation in such collection/recording of personal information.Justice Davies dismissed this part of the proceedings: As a result of the fact in the above paragraph, the Plaintiff suffered injury.
One, the employee, the defendant in the case was not an "agency" for the purposes of the NSW Privacy and Personal Information Protection Act [34-35]. Comment: Yes, but no mention of the fact the emloyer, TAFE, is an agency and as such is responsible for compliance by employees with the Information Privacy Principles.
Two, Section 69 states that nothing in the Act gives rise to or can be taken into account in, any civil cause of action. Comment: Yes, but no mention of the fact that the Act establishes a scheme for complaint about breach by an agency of privacy principles, with eventual recourse to the Privacy Commissioner or the Administrative Decisions Tribunal.
Three, while the law in Australia is, as Justice Davies put it, "a little unclear" about whether there is a tort of breach of privacy, the plaintiff did "not purport to sue based on such a tort. His cause of action is based on specific breaches of the Act." Section 69 ruled this out. Comment: Yes, but no mention of the fact that the Act (Section 55) creates a statutory right to damages against an agency by conferring power on the ADT to award up to $40000 for loss or damage as a result of a breach of a privacy principle.
Mr Chan not only lost on this one- he was ordered to pay 90% of the costs of the defendant in the proceedings.
It may have been different if he had followed the Privacy and Personal Information Protection Act procedures seeking internal review of conduct, and if still aggrieved, taken a complaint to the ADT. But he would be none the wiser about the alternative course (now probably closed through the lapse of time) from reading the judgment.