Privacy Fact Sheet 9
Guide to internal investigations
This fact sheet was created by the Office of the Australian Information Commissioner (OAIC) to assist organisations covered by the National Privacy Principles (NPPs) in the Privacy Act 1988 (Cth) (Privacy Act) to address a privacy complaint made by an individual.
Are you covered by the Privacy Act?
Under the Privacy Act, businesses (including non-profit organisations) with an annual turnover of more than $3 million, all private health service providers and some small businesses must comply with the NPPs.
What is an interference with privacy?
Acts or practices of organisations that are not consistent with the NPPs may be an interference with an individual's privacy.
When is your organisation involved?
The Privacy Act says that an individual who considers that an organisation has interfered with their privacy (a complainant) should generally take their complaint to the organisation before making a complaint to the Australian Information Commissioner (the Commissioner).
If the individual is not satisfied with the response from the organisation to their complaint, they may complain to the Commissioner if they consider that their privacy has been interfered with.
How does the OAIC handle complaints?
If the individual considers the matter has not been resolved by the organisation, they can make a complaint to the Commissioner. Where appropriate, the Commissioner can make preliminary enquiries into the matter, investigate it and attempt to resolve it by conciliation.
The Commissioner also has the power to decline to investigate complaints (or not to investigate further) in a number of circumstances, including where:
- it is clear that there has not been an interference with privacy, or
- the matter has been ‘adequately dealt with’ by the organisation.
The Commissioner may make a determination if the matter is not resolved between the parties.
How does your organisation handle privacy complaints?
Check the following list:
- Are individuals able to make a complaint to your organisation?
- Does your organisation have an enquiries line or provide feedback or complaint forms in both printed and electronic formats? Complaint forms should be easily accessible and available in a number of languages and accessible formats.
- Are privacy complaints identified and directed to staff with appropriate knowledge of the Privacy Act?
- If an individual complains, are they being heard? It might be possible to resolve a complaint and avoid the Commissioner becoming involved, especially where individuals just want to be heard or receive an apology.
- Are there regular reviews of complaint handling processes and procedures?
- Does your organisation have a data breach policy and response plan (that includes consideration of whether to notify affected individuals and the OAIC of a data breach)? Being prepared to react to data breaches may help to mitigate damage to the affected individuals and avoid potential complaints. The OAIC has published a guide to data breach notification that deals with how to effectively prepare for and respond to data breaches.
Below is a checklist to help your organisation address privacy complaints.
Steps to follow
1. Is the correspondence about a person's personal information?
☐ Yes. Treat the correspondence as a privacy complaint, and go to Question 2.
☐ No. Follow the organisation's usual complaint handling procedures.
2. Is the information about the person who wrote the correspondence?
☐ Yes. Go to Question 3.
☐ No. Do you know if the writer represents the person the correspondence is about?
3. Does the complaint involve any of the following?
☐ Collection of the complainant's personal information (NPP 1).
☐ Security or storage of the complainant's personal information (NPP 4).
☐ Refusal to give the complainant access to, or to let them find out about, their personal information (NPP 6).
☐ Refusal to change or delete the complainant's personal information (NPP 6).
☐ Accuracy of the complainant's personal information (NPP 3).
☐ Use and/or disclosure of the complainant's personal information (NPP 2).
☐ Other/unsure - if this is the case, go back to the complainant and seek further information.
If the complaint is not one to which the NPPs apply, consider whether you can deal with the matter under the organisation's usual complaint handling procedures.
4. Appoint an investigating officer
This should not be someone who was involved in the conduct complained about.
☐ Put the investigating officer's name here:
5. Contact the complainant, either by telephone or in writing, stating:
☐ Your understanding of the conduct complained about.
☐ Your understanding of the NPPs at issue (if appropriate).
☐ That the organisation is conducting an investigation (if appropriate).
☐ The name, title, and contact details of the investigating officer.
☐ How the investigating officer is independent of the person/s responsible for the alleged conduct.
☐ The estimated completion date for the investigation process.
☐ A request that the complainant outline what they expect as an outcome.
Now you can start the investigation
6. Issues for consideration:
☐ Does it appear that the alleged conduct occurred?
☐ Was the information collected by the organisation for inclusion in a record or a generally available publication?
☐ Was or is the information held by the organisation in a record?
7. Preliminary findings about the facts and the application of the law to the facts:
☐ Is there sufficient evidence to establish that the matters complained about actually occurred?
Example: This may include the disclosure of information to a third party, use of personal information for a secondary purpose or failure to secure personal information.
☐ Which of the NPPs may be relevant and why?
☐ Does it appear that the conduct, decision or omission complied with the NPPs?
Examples: An apology, a change in procedures, improvement of security safeguards, or payment of compensation for loss or damage suffered.
Communication with the complainant
8. Write to and, if possible, call the complainant providing:
☐ Your decision.
Include as much detail about the investigation as possible.
☐ An invitation for the complainant to respond to your decision and if appropriate, the offer of a meeting.
☐ An apology if you did not comply with the relevant NPPs and consider whether any further remedy is appropriate.
Consider whether a meeting to discuss the possible outcomes would help, or whether the matter might be resolved by mediation.
9. Complainant's response
☐ Assess any response from the complainant.
☐ If the complainant remains unsatisfied with the outcome, refer the complainant to the OAIC.
10. Consider any systemic issues raised, such as:
☐ Privacy training
☐ Amendment of forms and/or collection notices
☐ Improvement of security and storage measures
☐ Steps to improve data accuracy.
Make a record of any changes made.
Evaluate the changes by reviewing against any future privacy complaints.
☐ When finalised, the record of the complaint and the investigation should be stored securely (NPP 4) and in accordance with record keeping requirements.
When responding to requests for information from the OAIC, you may wish to use the investigation report and related documents as appropriate.
- Privacy Act 1988
- National Privacy Principles
- Private Sector information
- Private Sector Information Sheet 12
- Guidelines to the NPPs
- Case Notes
- Complaint Checker
‘Personal information’ is defined as ‘information or an opinion (including or forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion’.
If the complaint is from a Member of Parliament on behalf of a constituent or from a lawyer on behalf of a client, it is assumed that the individual has consented for the writer to act on their behalf. In all other circumstances, you should check that the writer has the complainant's consent to act on their behalf.
‘Sensitive information’ is an important category of personal information. Sensitive information includes health and genetic information as well as personal information about an individual's religious beliefs and affiliations, race, ethnicity, political opinions, membership of a political association, sexual preferences or practices, philosophical beliefs, membership of a professional or trade association, membership of a trade union, or criminal record. The Privacy Act imposes stricter rules about when sensitive information can be collected and how it should be handled. Usually, sensitive information can only be collected with the individual's consent, and there are tighter restrictions on how this type of information can be used and disclosed.
In the case of a small organisation, or where there are allegations of bias, consider engaging an external investigator.