Ensuring that organisations comply with their obligations under the Privacy Act is one of the Office's most important functions. Good advice and good rules only make a real difference if they are put into practice.
This information sheet sets out the approach the Office intends to take to promoting compliance with the requirements of the Privacy Act and the mechanisms the Act provides to accomplish this objective.
Our Strategic Plan, launched in March 2000, explicitly states that the primary value we seek to deliver to our stakeholders stems from developing privacy solutions that build confidence throughout the Australian community. In implementing the new provisions in the Privacy Act, the Office will be seeking to find privacy solutions that deliver good privacy protection for individual Australians while imposing no undue burdens on the organisations involved.
Advice and assistance in preference to punishment
The Office takes the approach that compliance will be achieved most often by helping organisations to comply rather than seeking out and punishing the few organisations that do not. The large majority of Australian organisations in the private sector wish to comply with their legal obligations. The Office's emphasis will be on providing advice, assistance and information. This is our first and preferred approach at all times. Our experience indicates that such an approach will be all that is necessary to resolve the large majority of matters that come to our attention.
Nevertheless, when breaches of the Act are identified they will be actively pursued. The Office will take care to ensure that breaches of the Act are remedied and complainants' concerns addressed, including through compensation where that is warranted.
Investigating and resolving complaints
In line with this focus, the Office's approach to handling complaints is one which aims at achieving fair and workable outcomes for the parties involved. In summary, our process is based on taking the following steps:
- When we receive a complaint, we first check if the parties have attempted to resolve their differences directly and, if not, whether it would be appropriate for them to try. For private sector organisations covered by the National Privacy Principles or an approved code under Part IIIAA of the Act, this is mandated by section 40(1A) of the Act. In other words, we encourage internal complaints handling at the organisational level as a first step.
- If this fails, we enter a stage of conciliation based on accepted principles of alternative dispute resolution. In most cases, we rely on phone calls and letters to the parties. In a small proportion of more intractable matters, we may meet with the parties face to face.
- This process has been very successful in the established areas of the Commissioner's jurisdiction, which cover Commonwealth government agencies, tax file numbers, spent convictions and the consumer credit reporting industry. Most complaints are closed under section 41(2)(a) on the grounds that the respondent has adequately dealt with the matter rather than by the Commissioner issuing a formal determination.
- In the large majority of complaints over the last five years, resolution has involved measures other than monetary compensation. Only around six per cent of complaints have involved financial compensation. In all but a few serious matters, the amounts have been between $500 and $3,000.
- The Commissioner has the power to make a formal determination in relation to complaints (s.52). A determination may prohibit the respondent organisation from continuing or repeating conduct that has breached the Act. It may direct the organisation to perform any reasonable course of conduct to redress loss or damage suffered by the complainant. It may direct the organisation to pay a specified amount to the complainant by way of compensation. However, in the last 12 years, successive Commissioners have found it necessary to use the formal determination making power under s.52 in only two cases.
- If the parties do not comply with the terms of a determination, s.55A of the Act allows us to approach the Federal Court or the Federal Magistrates Court to seek enforcement via a new (de novo) hearing. So far, the Office has never needed to take this step.
The Office will take the same approach in relation to investigations that the Commissioner conducts on his or her own initiative.
The Privacy Act (s.40(2)) gives the Commissioner the power to carry out an investigation without having received a complaint. This power is available if there may have been an interference with privacy and the Commissioner thinks it is desirable that the matter be investigated. This power may be used where there appears to be a serious breach of privacy that has strong public interest implications. Whether the Office has received complaints about the organisation in the past is also a factor.
The first approach in these cases is to write to the organisation asking for further information. If there then appears to have been a breach of the Act, the action the Office takes will depend upon the respondent's acknowledgment of the breach and its preparedness to take appropriate remedial action.
The Commissioner has powers under s.98 of the Act to seek an injunction from the Federal Court to ensure compliance with the Act. An injunction may prohibit an organisation from engaging in conduct that would breach the Act or require it to take steps to bring itself into compliance with the Act. An injunction may be sought in relation to a complaint investigation or an own initiative investigation. Again, successive Commissioners have not sought any injunctions so far and this step would be taken only when other more informal means have failed to yield a satisfactory outcome.
Reporting to the public
The Office includes in its annual report some case studies on complaints it has handled and investigations it has carried out. These are reported in summary form and do not generally identify the complainant or respondent.
With the new private sector provisions, the Office plans to add to this approach by publishing more frequent, de-identified case notes on complaints it has handled. The aim of these will be to help organisations and the community understand the way the Office applies the provisions of the Act and, where relevant, the provisions of approved codes.
On occasion there may be some merit in making public the circumstances of a particular complaint or investigation. This may be, for example, where there is already publicity around a particular matter before it reaches the Office or where, despite all the other approaches the Office has taken, an organisation continues to engage in behaviour that constitutes an interference with privacy. This would clearly be a serious step which could have commercial consequences for the organisation concerned. It would only be appropriate in rare circumstances. In the ordinary course of events, the Commissioner would not consider such a step unless:
- an organisation either repeatedly or very seriously breaches the Privacy Act;
- the organisation demonstrates by its actions that it does not intend to comply with its legal obligations; and
- all other measures have failed to change the organisation's behaviour.
We will signal our intentions
The Office will not take action in relation to an organisation without first giving it fair warning of our intentions. Our objective is to assist organisations to comply with their obligations under the Act. Openness and predictability are important means of accomplishing this objective.
We will take measures proportional to the seriousness of the issues
The strength of the measures the Office takes in relation to a particular matter will be proportional to its seriousness. The Office will not be taking strong measures in relation to minor breaches of the law. However, in the most serious matters, the Office will be prepared to use any mechanism available under the Act to achieve an acceptable privacy outcome.
In assessing the seriousness of any particular matter the Office will consider:
- the number of individuals involved;
- what disadvantage they have suffered;
- whether the matter raises ongoing systemic issues, or is a one-off incident; and
- the willingness of the organisation to take action to resolve the matter and to prevent recurrence - in assessing this, the organisation's track record in privacy matters will be taken into account.
About Information Sheets
Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)
Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.
Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.
Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of The Privacy Commissioner ISBN 1-877079-39-1 Privacy Hotline 1300 363 992 (local call charge)