There are a number of stages in the complaint handling process. See our Complaint Chart below for an overview of the process.
We will deal with your complaint as quickly as possible, and keep you informed of its progress. Some complaints are resolved within weeks, but more complex complaints may take longer. If you are unsure about whether the Office of the Australian Information Commissioner (OAIC) can investigate your complaint, please refer to our privacy complaint checker for guidance.
Will we investigate your complaint?
We cannot investigate all complaints about your privacy. We cannot investigate anonymous complaints.
When your complaint is received we will assess it to make sure that you have complained about an issue that is covered by the Privacy Act 1988 (Privacy Act) and is about an agency or organisation covered by the Privacy Act.
Your complaint needs to involve your ‘personal information'. 'Personal information' is any information that is about an individual and can reasonably identify that individual. If you have complained about something that the Privacy Act does not cover, we will contact you to explain why we cannot assist you.
If you have complained about something that the Privacy Act covers, we will then check to see whether the agency or organisation you have complained about has had an opportunity to address your complaint directly, and if not, whether it would be appropriate for them to do so. We may decide not to investigate a complaint if you have not first complained to the agency or organisation directly, or if you have not given them a reasonable amount of time to address your complaint.
We may also decide not to handle your complaint if:
- you are complaining about something that you found out about more than 12 months ago
- the matter is better dealt with under another law or by another body
- it is about an organisation not covered by the Privacy Act, such as a state government agency or a business with a turnover of less than $3 million a year.
Sometimes we need more information before we can decide whether we can investigate your complaint. If this is the case, we may contact you, the respondent you are complaining about, or a third party to gather more information about your privacy complaint. If we think we can resolve your complaint during this stage, we will attempt to do this.
Investigating and Resolving your complaint
If the OAIC decides to investigate your complaint, we will provide the respondent with a copy of your complaint.
Any other information or documents that you provide us may also be given to the respondent or anyone else who can assist us in dealing with your complaint. If you do not wish for your information to be passed on, you will need to tell us as this may affect how we handle your complaint.
The OAIC investigates complaints by contacting the respondent, usually in writing, to tell them about your complaint and asking for their side of the story. We will usually try to resolve your complaint through facilitating conciliation, if this is appropriate. The aim of conciliation is to resolve the issues through discussion and negotiation, allowing parties to reach their own agreement on the outcome, rather than the OAIC deciding what should happen. It is important to tell the OAIC what you are seeking from the respondent to resolve your complaint.
It is important to note that the role of the OAIC is to act as an impartial third party throughout this process. We do not act as an advocate for either party.
If you and the respondent can agree on an outcome to resolve your complaint, we will close your complaint on the basis that it has been adequately dealt with.
If you and the respondent cannot reach an agreement, we will make a decision on what should happen.
If we think the respondent has proposed a reasonable outcome, but you have not accepted it, we may finalise your complaint on the grounds that the respondent has adequately dealt with the matter, even if you do not agree.
If we do not think that the matter has been resolved or has been adequately dealt with by the respondent, the Australian Information Commissioner or the Privacy Commissioner can make a formal decision about what the respondent needs to do. This is called a determination.
You can choose to withdraw your complaint at any time without any penalty.
The OAIC is able to resolve the majority of complaints by conciliating an outcome between the parties. Depending on the particular complaint, some possible resolutions could include:
- taking steps to address the matter, for example providing access to personal information, or amending records
- an apology
- a change to the respondent's practices or procedures
- staff training
- compensation for financial or non-financial loss
- other non-financial options, for example a complimentary subscription to a service.
In some circumstances the Commissioner may also accept an undertaking from the respondent to do, or stop doing, a specific thing so that they do not breach the Privacy Act. If the respondent fails to meet the undertaking, the Commissioner can ask for it to be enforced by a court.
Where a breach of privacy is very serious, the Commissioner may seek a civil penalty. A civil penalty is like a fine, and is not paid to you as compensation.
The following complaint chart gives a general overview of our complaints process:
For further information, please see:
- Privacy fact sheet 9: Guide to internal investigations
- Privacy fact sheet 10: What will happen to my complaint
- Privacy fact sheet 11: How will the OAIC handle a privacy complaint against my organisation?
- Privacy fact sheet 12: Conciliation of privacy complaints
- Information Sheet 13: The Federal Privacy Commissioner’s Approach to Promoting Compliance with the Privacy Act
- Privacy Complaints Practice and Procedure Manual
- Privacy complaint checker