1. Background

The OAIC operates the EDR schemes mailbox to receive reports and enquiries from EDR schemes and to send communications to the EDR schemes.

The EDR Schemes Coordinator monitors the EDR schemes inbox and should follow the procedures set out below under Section 2. Internal process and reporting.

EDR schemes

There are currently 10 EDR schemes recognised on the OAIC’s EDR schemes register.

Section 50 referrals to EDR schemes

Section 50 of the Privacy Act 1988 (Cth) (the Privacy Act) provides that the Information Commissioner may transfer a complaint to an alternative complaint body, including recognised EDR schemes.

In addition, under s 56DA of the Competition and Consumer Act 2010, the ACCC may recognise an EDR scheme to handle particular CDR related disputes.

Also, under s 56DA(3) of the Competition and Consumer Act 2010 the Minister must consult with the Information Commissioner before recognising an EDR scheme.

Privacy complaints

Where the OAIC receives a privacy complaint that is more appropriately dealt with by an EDR body, the matter will be transferred directly to the recognised EDR scheme pursuant to s 50 of the Privacy Act.

Matters transferred to EDR schemes will be sent from the early.resolution@oaic.gov.au mailbox which is monitored by the OAIC’s Dispute Resolution Branch.

CDR complaints

Where the OAIC receives a CDR complaint that is more appropriately dealt with by an EDR body, the matter will be transferred directly to the recognised EDR scheme pursuant to s 50 of the Privacy Act.

Matters transferred to EDR schemes will be sent from the CDR@oaic.gov.au mailbox which is monitored by the OAIC’s Regulation & Strategy Branch.

Reporting

EDR scheme privacy reports

In accordance with the Guidelines for Recognising External Dispute Resolution Schemes (the Guidelines), EDR schemes are required to provide reports to the OAIC:

  • Annually; and
  • Quarterly – systemic and serious or repeated privacy issues.

Reports from EDR schemes are to be sent to the EDR schemes mailbox.

Timing

All annual reports from EDR Schemes should be received by 31 July each year.[1]

All quarterly reports should be received within a month after the end of each quarter, as below:

| Quarter | Due date |
| --- | --- |
| 1 – July-September | 31 October |
| 2 – October-December | 31 January |
| 3 – January-March | 30 April |
| 4 – April-June | 31 July |

All EDR schemes should submit to the OAIC a quarterly report each quarter, even if the report indicates that there were no serious or systemic issues identified in that period, in which case the EDR scheme will submit a ‘nil’ report, as outlined in the schedule above.

Reporting content

The Guidelines provide that reports from EDR schemes should contain the following information:

  • Annual reports
    • the number of privacy-related complaints received in a financial year
    • the average time taken to resolve privacy-related complaints received in a financial year
    • for privacy-related complaints finalised in the financial year, statistical information about:
      • the outcomes (e.g. conciliations, withdrawals)
      • the nature of the remedies agreed through conciliation, or by decision (e.g. compensation, apology, staff training).
    • any systemic privacy-related issues or trends identified in the financial year.

The Guidelines also note that the information included in annual reports should be placed in its appropriate context – for example, by explaining any increase in privacy-related complaints compared to the previous year.

Note: The Guidelines provide an Excel template for annual reports.

  • Quarterly reports[2]
    • the details of the serious or repeated interference with privacy, or systemic privacy issue
    • the identity of the reported EDR member(s)
    • the action taken by the reported EDR member(s), and also by the EDR scheme, in response to the serious or repeated interference with privacy, or systemic issue
    • any resolution or outcome to the serious or repeated interference with privacy, or systemic issue.

The Guidelines also note that EDR schemes may report a serious or repeated interference with privacy or a systemic issue more frequently where they consider that it would be appropriate for it to be brought to the OAIC’s attention sooner.

Note: The Guidelines include a reporting template at Annexure 1.

Consumer Data Right (CDR) reporting

Currently only CDR participants are required to provide quarterly reporting as outlined under Rule 9.4 of the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) (CDR Rules).

Currently there are no mandated reporting requirements under the CDR for EDR schemes. However the CDR Regulatory Action Policy sets out that EDR schemes are to provide reporting information to the ACCC and the OAIC (currently every 6 months) outlining the number of CDR complaints received and the types of issues raised. This information may be used to identify and address sector specific risks or to assist the Minister in the event an independent review of the scheme may be required (refer to s 56DA of the Competition and Consumer Act 2010).

2. Internal process and reporting

Once the case management system functionality for the EDR schemes has been built and implemented, the internal processes outlined in this section ‘2. Internal process and reporting’ will no longer be required.

In addition, the EDR schemes mailbox will primarily be used to organise meetings and training sessions with the EDR schemes as well as to send communications such as news or announcements to the EDR schemes.

Current internal processes for reports

While the case management system project is underway, the following process should be followed when the EDR schemes submit their reports to the EDR schemes mailbox.

Quarterly or ad hoc reports received from EDR schemes

  1. Acknowledge receipt.
  2. File the email containing the report into the ‘Recognised EDR schemes’ Content Manager folder for that current financial year[3] (for that EDR scheme).
  3. Summarise the report and provide this and the report to the relevant Directors and/or Assistant Commissioners in Dispute Resolution, Regulation & Strategy, Corporate Branches or the legal team, and also provide the internal checklist for Directors.
  4. Input the statistics provided in the report into the EDR schemes reporting statistics spreadsheet.
  5. File the email/s in the relevant subfolder for that quarter in the EDR schemes mailbox.
  6. Acknowledge receipt.
  7. File the email containing the report into the ‘Recognised EDR schemes’ Content Manager folder for that current financial year (for that EDR scheme).
  8. Input the statistics provided in the report into the EDR schemes reporting statistics spreadsheet.
  9. File the email/s in the relevant subfolder for that financial year in the EDR schemes mailbox.

Annual reports received from EDR schemes

Recurring (yearly) Outlook calendar reminders have been set up in the EDR schemes mailbox to remind the EDR Schemes Coordinator to follow up with the EDR schemes about submitting their annual reports.

Advice

Requests for advice

At times, EDR schemes may seek advice from the OAIC, for example requests for policy advice, by submitting enquiries directly to the EDR schemes inbox or through the Enquiries Line. While the case management system project is underway, the following process should be followed:

  1. Register a new ‘New General Enquiry’ in the case management system and fill out the relevant required case fields on the ‘Main’ tab of the case and then save the case. This will register and generate an enquiry case number.
  2. Acknowledge receipt of the enquiry and place a copy of the enquiry and receipt of enquiry into the ‘Documents’ tab of the enquiry case.
  3. Assign the enquiry case to the relevant OAIC officer, such as in Regulation & Strategy (R&S), Dispute Resolution (DR), NDB, CII, Legal or Strategic Communications/Corporate, for action, or the case may be assigned to the EDR Schemes Coordinator. A file note/s can also be assigned to other OAIC officers across different branches if required.

The officer that has the enquiry assigned to them must document the progress of the matter in the case management system up to and including closing the enquiry.[4]

  4. File the email/s in the relevant subfolder ‘General enquiries and advice’ in the EDR schemes mailbox.

3. Internal engagement

Quarterly Directors meetings

R&S, DR and Corporate will meet each quarter to consider matters that EDR schemes have reported. The meetings are timed to be held after the end of each quarter to allow the EDR schemes the opportunity to provide the quarterly and/or ad hoc reports. Recurring (quarterly) Outlook calendar meeting invites have been set up in the EDR schemes mailbox and have been sent to the following Directors.

Prior to each meeting, Directors will review the relevant quarterly and ad hoc reports which are available and summarised in Content Manager according to the relevant month of meeting.

At these meetings, the Directors are encouraged to consider and discuss the reports as a group and then discuss any recommendations that they may have, which may include noting the contents, referring a report within their branch, or referring to the Regulatory Action Committee (RAC). Where a report contains information about a particularly serious issue, Directors should escalate appropriately, which may include to their Principal Director, Assistant Commissioner or the Deputy Commissioner.

Meeting notes will be kept for this meeting. The minutes of the quarterly directors meetings are saved in Content Manager for the current financial year. The minutes record any discussion and actions and are then provided to the directors and Deputy Commissioner for their information following the meeting. The Deputy Commissioner may then consider whether these matters should be put before the Commissioner for their consideration.

The meeting is attended by the following staff members who hold the following roles:

  • R&S Director responsible for EDR schemes
  • CDR Director, R&S/DR
  • R&S Director responsible for credit reporting
  • R&S Director responsible for Assessments
  • DR Branch Principal Director
  • Early Resolution Director, DR
  • Notifiable Data Breach (NDB) Director, DR
  • CII Director, DR
  • Strategic Communications/Corporate Director, Corporate
  • Other relevant staff members such as from the Legal team.

In addition to routine reports, on an ad hoc basis EDR schemes will email reports of serious or repeated interferences with privacy or systemic issues to the EDR schemes mailbox, and the Adviser, EDR Schemes Coordinator will follow the process set out above under ‘Quarterly or ad hoc reports received from EDR schemes’, including sending the checklist for Directors to assist directors in assessing these ad hoc reports.

4. External engagement

Liaison meetings

The Information Sharing Arrangement (the Arrangement) between the OAIC and the EDR schemes contemplates that the parties to the Arrangement will hold regular liaison meetings.

The current schedule for the liaison meetings is available in Content Manager.

Ahead of each liaison meeting, the Assistant Director of the Early Resolution team in the Dispute Resolution Branch provides the EDR Schemes Coordinator with statistical information regarding complaints lodged about members of the EDR scheme and these are shared with the relevant EDR scheme along with the meeting agenda.

Before each liaison meeting, the EDR Schemes Coordinator sends an email to the EDR schemes requesting any agenda items and asking the schemes to provide the names and job titles of their attendees. This information is included in the meeting agenda and circulated to all attendees prior to the liaison meeting.

The EDR Schemes Coordinator also drafts speaking notes for the liaison meeting and ensures that the relevant subject matter experts attend the meeting. Once the speaking notes have been drafted, the EDR Schemes Coordinator emails these notes to the relevant internal OAIC speakers seeking feedback and approval and also organises an internal meeting with the speakers to confirm the speaking notes.

The EDR Schemes Coordinator also takes the minutes and any action items of the meeting, circulates these internally to the OAIC attendees and ensures that the action items are completed.

All relevant correspondence and work (for 2022-2023) in relation to the liaison meetings are saved in Content Manager.

From 2023, given the number of EDR schemes recognised on the OAIC’s EDR schemes register will continue to grow, we have consolidated our liaison meetings with all EDR schemes by holding an annual liaison meeting with all EDR schemes.

This annual meeting is strategic-focused to allow Executive-level staff from all of the EDR schemes, such as the Ombudsmen of the schemes, to have a collective and high-level discussion about privacy and/or consumer data right (CDR). The minutes of these meetings are also provided to the EDR schemes.

Additionally, there are six-monthly liaison meetings in March and September for Senior officer-level staff across all EDR schemes to discuss any matters relating to privacy and CDR.

Outside of the liaison meetings, EDR schemes are welcome to request any privacy training they require, and further training and/or ad hoc meetings can be arranged as required.

EDR schemes have also been advised that if they require specific guidance or advice on privacy-related matters, they are welcome to submit these requests to the EDR schemes mailbox, and these may be referred internally to the appropriate team to review and consider. Please follow the process set out above under 2. Internal process and reporting/Advice/Requests for advice.

CDR and privacy training

The OAIC is open to providing training to the EDR schemes on a regular basis as the regulator of the Privacy Act and CDR data.

The EDR Schemes Coordinator will organise regular and/or ad hoc OAIC training (in the Privacy Act and CDR) for the EDR schemes. The current 2023 training schedule is available in Content Manager. Prior to each training, the EDR Schemes Coordinator will set up a meeting with the trainers and give details about the training, including providing any training feedback received from the EDR schemes and giving Content Manager links to the summary of the EDR schemes reports. The EDR Schemes Coordinator also sends a Microsoft Teams calendar invite to all the EDR schemes giving details about the training session such as the training topic and time/date of the training. To obtain training volunteers to give training to the EDR schemes, in December, the EDR Schemes Coordinator sends an email to all DR and R&S Directors asking if their team members would be interested in delivering training to the EDR schemes for the following year.

If an EDR scheme wishes to upskill in any areas of the Privacy Act, including in CDR, they can contact the EDR Schemes Coordinator about any training requests by emailing the EDR schemes mailbox.

Independent review of EDR schemes

The Information Commissioner will make the recognition of all EDR schemes subject to specified conditions. One of these conditions relates to the conduct of an independent review of the operation of the EDR scheme: the EDR scheme must provide the Commissioner with an independent review of the EDR scheme at least once every five years.

Regular and independent review of an EDR scheme’s performance is a key practice to indicate an EDR scheme’s efficiency.

The Commissioner requires a recognised EDR scheme to commission an independent review of the EDR scheme’s privacy-related complaint-handling, operations and procedures at least once every five years. This review can be conducted as part of a broader independent review of the EDR scheme.

The EDR scheme must consult the Commissioner about the terms of the review before the review commences.

The review should be undertaken in consultation with relevant stakeholders (such as the EDR scheme’s members and relevant consumer groups) and should examine:

  • the EDR scheme’s ongoing ability to satisfy the matters that the Commissioner must take into account when recognising an EDR scheme as outlined in Parts 2 and 3 of the Guidelines
  • the EDR scheme’s ongoing ability to satisfy the conditions of the EDR scheme’s recognition as outlined in Part 4 of the Guidelines
  • how satisfied individuals and EDR scheme members are with the operation of the scheme
  • any other relevant matters, including matters the Commissioner considers relevant following notification by the EDR scheme to the Commissioner of the independent review’s terms of reference.

The EDR scheme should provide relevant parts of the report of the review to the Commissioner.

Internal process for independent review of EDR schemes

The letter template asking the EDR schemes to conduct an independent review is available in Content Manager. These letters are sent to the EDR schemes 12 months before their scheme’s review report is due. This would give the EDR scheme one year’s notice to conduct their review and provide their review report before or by the due date. The letter also requests that the EDR scheme consults with the OAIC regarding the terms of reference before the review commences.

The review spreadsheet in Content Manager is used to help record and track when the EDR schemes have completed their reviews and when they are due. The spreadsheet also includes links to the dates and notices of their ongoing recognition as a recognised EDR scheme.

Recurring (5 yearly) Outlook calendar reminders have been set up in the EDR schemes mailbox to remind the EDR Schemes Coordinator when to send out the letters to the EDR schemes requesting that they complete their independent review.

The next independent review due date will be based on the last date of the review report that the scheme provides us and will be every 5 years from that point rather than based on the date the scheme was recognised as an EDR scheme.

Assessment of independent reviews of EDR schemes

Upon receipt of an EDR scheme’s review report, the report needs to be acknowledged and saved in the relevant Content Manager folder for that scheme. The ‘Register for 5 year Independent Reviews of EDR schemes’ needs to be updated where required.

The review report will need to be assessed and reviewed (by an OAIC assessor) to consider whether the EDR scheme has met the relevant criteria set out in the Guidelines. The OAIC assessor will need to follow the process document available in Content Manager and complete an evaluation and brief report. The evaluation form template and the brief report template are available in Content Manager.

The completed evaluation form and brief report should be emailed to the EDR schemes mailbox. These are then saved in the relevant EDR schemes Content Manager folder for that EDR scheme. If there is more than one review report that needs to be assessed, an overarching brief needs to be completed. An example is available in Content Manager. The final/overarching brief and relevant attachments should be emailed to the Assistant Commissioner, R&S for approval and, once approved, emailed to the Deputy Commissioner for clearance. A draft letter template giving the EDR schemes feedback on their independent reviews is available in Content Manager.

Footnotes

[1] The Guidelines state that EDR schemes should provide privacy-related complaint information to the OAIC on an annual basis for inclusion in the OAIC’s Annual Report. In order to meet the OAIC’s annual report publication deadline, EDR schemes will be requested to provide this information by 31 July for the preceding 12-month period ending on 30 June.

[2] The guidelines also state that an EDR scheme should continue to report quarterly on a serious or repeated interference with privacy, or systemic privacy issue, while the EDR scheme is still engaging with the EDR scheme member(s) in relation to the issue.

[3] For example the current Content Manager folder for External dispute resolution (EDR) schemes 2022-23.

[4] The current KPI for closing written enquiries in the case management system is 2 weeks. If the advice is not ready by 2 weeks, the case officer may update the ‘Summary’ case field to advise that the enquiry has been referred to, for example, ‘R&S Branch’ and they may then close off the enquiry.