Skip to main content
About the OAIC
  • On this page

Updated:  

Background

EDR schemes

There are currently 10 EDR schemes recognised on the OAIC’s EDR schemes register.

Section 50 referrals to EDR schemes

Section 50 of the Privacy Act 1988 (Cth) (the Privacy Act) provides that the Information Commissioner may transfer a complaint to an alternative complaint body, including recognised EDR schemes.

In addition, under s 56DA of the Competition and Consumer Act 2010, the ACCC may recognise an EDR scheme to handle particular CDR related disputes.

Also, under s 56DA(3) of the Competition and Consumer Act 2010 the Minister must consult with the Information Commissioner before recognising an EDR scheme.

Reporting

EDR scheme privacy reports

In accordance with the Guidelines for Recognising External Dispute Resolution Schemes (the Guidelines), EDR schemes are required to provide reports to the OAIC:

  • Annually; and
  • Quarterly – systemic and serious or repeated privacy issues.

Reports from EDR schemes are to be sent to the EDR schemes mailbox.

Timing

All annual reports from EDR Schemes should be received by 31 July each year.

All quarterly reports should be received within a month after the end of each quarter, as below:

Quarter

Due date

1 – July-September

31 October

2 – October-December

31 January

3 – January-March

30 April

4 – April-June

31 July

All EDR schemes should submit to the OAIC a quarterly report each quarter, even if the report indicates that there were no serious or systemic issues identified in that period, in which case the EDR scheme will submit a ‘nil’ report, as outlined in the schedule above.

Reporting content

The Guidelines provide that reports from EDR schemes should contain the following information:

  • Annual reports
    • the number of privacy-related complaints received in a financial year
    • the average time taken to resolve privacy-related complaints received in a financial year
    • for privacy-related complaints finalised in the financial year, statistical information about:
  • the outcomes (e.g. conciliations, withdrawals)
  • the nature of the remedies agreed through conciliation, or by decision (e.g. compensation, apology, staff training).
    • any systemic privacy-related issues or trends identified in the financial year.

The Guidelines also note that the information included in annual reports should be placed in its appropriate context – for example, by explaining any increase in privacy-related complaints compared to the previous year.

Note: The Guidelines provide an Excel template for annual reports.

  • Quarterly reports
    • the details of the serious or repeated interference with privacy, or systemic privacy issue
    • the identity of the reported EDR member(s)
    • the action taken by the reported EDR member(s), and also by the EDR scheme, in response to the serious or repeated interference with privacy, or systemic issue
    • any resolution or outcome to the serious or repeated interference with privacy, or systemic issue.

The Guidelines also note that EDR schemes may report a serious or repeated interference with privacy or a systemic issue more frequently where they consider that it would be appropriate for it to be brought to the OAIC’s attention sooner.

Note: The Guidelines include a reporting template at Annexure 1.

Annual reports received from EDR schemes

Reoccurring (yearly) Outlook calendar reminders have been set up in the EDR schemes mailbox which will remind the EDR Schemes Coordinator to follow up with the EDR schemes that they have to submit their annual reports.

External engagement

Liaison meetings

Outside of the liaison meetings, EDR schemes are welcome to request for any ad hoc meetings can be arranged as required or needed.

EDR schemes have also been advised that if they require specific guidance or advice on privacy-related matters that they are welcome to submit these requests to the EDR schemes mailbox.

Independent review of EDR schemes

The Information Commissioner will make the recognition of all EDR schemes subject to specified conditions. One of these conditions relate to the conduct of an independent review of the operation of the EDR scheme where the EDR scheme must provide the Commissioner with an independent review of the EDR scheme at least once every five years.

Regular and independent review of an EDR scheme’s performance is a key practice to indicate an EDR scheme’s efficiency.

The Commissioner requires a recognised EDR scheme to commission an independent review of the EDR scheme’s privacy-related complaint-handling, operations and procedures at least once every five years. This review can be conducted as part of a broader independent review of the EDR scheme.

The EDR scheme must consult the Commissioner about the terms of the review before the review commences.

The review should be undertaken in consultation with relevant stakeholders (such as the EDR scheme’s members and relevant consumer groups) and should examine:

  • the EDR scheme’s ongoing ability to satisfy the matters that the Commissioner must take into account when recognising an EDR scheme as outlined in Parts 2 and 3 of the Guidelines
  • the EDR scheme’s ongoing ability to satisfy the conditions of the EDR scheme’s recognition as outlined in Part 4 of the Guidelines
  • how satisfied individuals and EDR scheme members are with the operation of the scheme
  • any other relevant matters, including matters the Commissioner considers relevant following notification by the EDR scheme to the Commissioner of the independent review’s terms of reference.

The EDR scheme should provide relevant parts of the report of the review to the Commissioner.