Operational policy for the management of privacy complaints about the OAIC
Audience and location: All staff
Review date: 30 September 2021
|0.1||A. Nowland||Initial draft||June 2020|
|0.2||E. Hampton||Amendment to draft||23 August 2020|
|0.3||AGS||Amendments||24 September 2020|
This operational policy applies to any officer of the Office of the Australian Information Commissioner (OAIC) who receives a complaint from an individual alleging that the OAIC has interfered with their privacy.
References in this policy to provisions are to those contained in the Privacy Act 1988 (Cth) unless otherwise indicated.
This policy outlines:
- the process for handling a first instance complaint about an act or practice on the part of the OAIC that may be an interference with the privacy of an individual
- the role of the OAIC's privacy officers
- the process for managing a complaint made under s 36 about an act or practice of the OAIC
- the legal basis for appointing an external investigator to conduct an investigation under s 40(1) and the role of the external investigator
- the role of Legal Services team and Corporate Services Branch in procuring and appointing the external investigator
- the role of the relevant Assistant Commissioner or Principal Director in progressing the s 36 privacy complaint
- supporting the officer about whom a privacy complaint is made.
This policy does not preclude action being taken under the Breaches of the APS Code of Conduct Procedures (if the complaint relates to a current or former OAIC employee) or under an applicable contract (if the complaint relates to a contractor).
OAIC as an agency and as a regulator
The OAIC acts as the regulator in handling privacy complaints made about other Australian Privacy Principle (APP) entities.
Under s 36 an individual may complain to the Commissioner about an act or practice that may be an interference with their privacy. If such a complaint is made, and the act or practice may be an interference with the privacy of an individual, under s 40 the Commissioner is obliged to investigate the act or practice, subject to exceptions.
The requirement to investigate only applies if the complainant complained to the respondent first or if the Commissioner decides that it was not appropriate for the complainant to first complain to the respondent.
As an APP entity, the OAIC may also receive complaints from individuals who claim that the OAIC has interfered with their privacy. In these instances, the OAIC is the respondent agency.
Where an individual lodges a complaint about the OAIC’s conduct, the OAIC must generally first consider dealing with that complaint in its capacity as a respondent agency, and second, in the event that the complainant continues to press their complaint after an unsuccessful attempt to resolve, in its capacity, as a regulator. There may be instances where it is not appropriate for the complainant to complain in the first instance to the OAIC as an agency, and the Commissioner may, pursuant to s 40(1A), decide to investigate the complaint under s 36.
Where an individual complains to the OAIC under s 36 (in its capacity as a regulator), that the OAIC has interfered with their privacy, there is a risk that the OAIC will be perceived to be biased or may have a conflict of interest in investigating its own actions. That is, a reasonable observer might consider that the OAIC may not bring an impartial mind as the regulator, in regulating its own actions.
In order to mitigate this risk, the OAIC has decided on a process by which it may seek the assistance of an appropriately qualified and experienced external consultant to conduct an independent investigation into the act or practice about which the complainant complains. The decision to engage an external investigator in a s 36 privacy complaint against the OAIC must be made by the Australian Information Commissioner (the Commissioner) or an Executive delegate.
- Privacy regulatory action policy : https://www.oaic.gov.au/about-us/our-regulatory-approach/privacy-regulatory-action-policy/
- Guide to privacy regulatory action
- Privacy Officer Appointment Instrument: https://www.oaic.gov.au/about-us/our-corporate-information/operational-information/privacy-officer-appointment-instrument/
- OAIC Privacy Management Plan: https://www.oaic.gov.au/privacy/guidance-and-advice/interactive-privacy-management-plan-for-agencies/
Role of privacy officers
The Privacy (Australian Government Agencies — Governance) APP Code 2017 (the Code) made under s 26G requires the OAIC to appoint at least one privacy officer who is the primary point of contact for advice on privacy matters in an agency and who handles privacy complaints, among other responsibilities.
Under the existing Instrument of Appointment, the Principal Lawyer is the Chief Privacy Officer (CPO), while Senior Lawyers and Lawyers within the Legal Services team constitute OAIC privacy officers for the purposes of the Code.
In the event that an OAIC officer receives a complaint in writing from an individual, which alleges that the OAIC has interfered with their privacy, the officer should acknowledge the complaint and refer the complaint to the CPO. The CPO will decide whether attempts to resolve the matter should be undertaken as the agency involved, or whether the matter should be considered under s 36. The CPO will consider the complexity of the matter in reaching their decision, with more complex matters more likely to be managed under s 36.
The CPO will liaise with the OAIC Executive about how to approach privacy complaints made against the OAIC. In some instances, as noted above, the Commissioner may consider exercising their discretion to find that it is not appropriate for the complainant to complain to the OAIC and may instead invite the complainant to make, or may decide to treat the first instance complaint as, a complaint under s 36.
The CPO may direct privacy officers within Legal Services Team to investigate a matter.
Officers who are subjects of the complaint
Any officer who is the subject of the complaint will be advised in broad terms of the nature of the complaint and will be directed not to access any of the OAIC’s document management systems (such as Content Manager or Resolve) relating to the complaint.
They will be offered support by their manager, including information about accessing such services as Employee Assistance Program.
Complaints will be handled with an appropriate level of confidentiality. Information about the complaint will be disclosed to relevant staff on a need to know basis, including where it is necessary to give procedural fairness to the officer concerned.
Outcomes of privacy complaints against the OAIC
If a complainant is dissatisfied with the outcome of their privacy complaint at first instance, they are entitled to make the complaint to the OAIC as a regulator under s 36 of the Act.
If the complainant considers that the OAIC’s privacy officer erred in law in their making of a decision about the complaint, it is open to the complainant to seek judicial review of that decision.
Alternatively, if the complainant is dissatisfied with the outcome of the complaint or the way in which the complaint was handled, they may contact the Commonwealth Ombudsman.
OAIC as an agency
The CPO will decide whether the OAIC should attempt to resolve the matter as an agency, ahead of moving to s 36 processes. Relatively straightforward matters, where the officer who is the subject of the complaint agrees with the facts and circumstances put forward by the complainant, may be able to resolved less formally.
In those circumstances, the resolution of the matter will be attempted by the Lawyer assigned to the matter by the CPO. This may involve:
- obtaining a statement of facts from the officer involved
- reaching a decision regarding whether those facts amount to an interference with the privacy of the complainant
- attempting to resolve the matter with the complainant.
Where the matter is more complex, or attempts to resolve the matter informally are unsuccessful and the complainant wishes to pursue the matter, the CPO may decide to investigate the complaint under s 36.
Section 36 complaint
Role of case manager
In-house management of s 36 complaint
On receipt of the complaint made under s 36 about the OAIC, the matter will be allocated to a Lawyer within Legal Services team (the case manager). The case manager will be responsible for both the management of the s 36 complaint and, where required, the procurement of an external investigator. Section 36 complaints against the OAIC will be expedited.
Management of s 36 complaint by an external investigator
Before an investigator is engaged, the OAIC must advise the complainant that the OAIC will engage the third-party investigator (the investigator) to investigate the complaint.
The case manager will write to the complainant explaining the decision to seek the assistance of the investigator and advising that information about the complaint, including the original complaint to the OAIC and the complainant’s submissions, will be sent to the investigator, who will contact them.
The case manager will undertake a procurement process to engage an external investigator in accordance with the OAIC’s usual legal procurement process. Final approval of the external investigator will be given by the Deputy Commissioner.
The case manager will also ensure that the investigator is appointed to the role under the relevant instrument of appointment. Legal Services and Corporate Services will be responsible for processing the invoices provided by the investigator.
The external investigator will treat the complaint under s 36 in the same way that the OAIC would treat any other complaint about an APP entity, including by following the relevant parts of the guidance contained in Case Management Overview. However the case manager and the external investigator will not be the decision-maker. The decision-maker will be a member of the Executive, usually the Assistant Commissioner or the Deputy Commissioner.
The case manager will liaise with the investigator. The case manager should contact the investigator and will be point of contact for the management of the investigation. The case manager will provide the investigator with the documents relevant to the complaint.
Apart from engaging an investigator, the case manager will treat the complaint under s 36 in the same way that it would treat any other complaint about an APP entity. This means that the case manager will communicate with the complainant, providing them with updates on the progress of the case.
On receipt of the draft investigation report from the investigator, the case manager will review the findings, reasons and recommendations for the following:
- understanding of all the complainant's claims
- factual findings based on evidence
- logical reasoning
- correct application of the law and policy
- consistency with other cases
- any other matters the case manager considers relevant.
It is open to the case manager to go back to the investigator seeking clarification on any aspect contained in the report. The case manager will not be the decision-maker and should liaise with the decision-maker on these inquiries.
Once the case manager and the decision-maker are satisfied that they agree with the investigator's report, they should provide procedural fairness to the complainant by providing the report and inviting comment, ensuring that enough information is provided to the complainant to enable them to understand why the information is relevant to their complaint.
Depending on the comments made by the complainant in response, the case manager, on consultation with the decision-maker, may need to confer further with the investigator.
Role of external investigator
Under s 24 of the Australian Information Commissioner Act (AIC Act), the Commissioner may engage consultants to assist in the performance of their functions and exercise of their powers, including privacy functions, where the relevant function or power can be delegated to a member of staff of the OAIC under s 25 of the AIC Act.
While it is not open to delegate a power to make a determination about a complaint under s 52, an external consultant is able to make a recommendation arising out of their investigation.
An investigator may find that there has been no interference with privacy and may recommend in their report that the complaint be finalised under one or more of the grounds in s 41, with the effect that the investigation is terminated.
Alternatively, the investigator may find that there has been an interference with privacy on the part of the OAIC, in which case, if this finding is accepted by the decision-maker, conciliation should be considered (see below).
The decision-maker will not be bound by any findings or recommendations made by the investigator. The investigator’s report will amount to relevant information to which the decision-maker is to have regard.
For s 36 privacy complaints about the OAIC, the decision-maker will be a member of the Executive, usually the Assistant Commissioner or the Deputy Commissioner. It is for the decision-maker in the OAIC to make the decision on a complaint.
Where the investigation of the complaint is outsourced to an investigator, the investigator’s report will likely comprise the relevant information upon which the decision-maker makes the final decision but will not be definitive. The decision-maker should set out in a decision record their consideration of the investigator’s report.
Before making a decision to accept the findings and recommendations of the case manager and/or investigator the decision-maker will need to be satisfied of the matters outlined above.
Where an external investigator has assisted with the complaint investigation
An investigator may recommend that there has been no interference with privacy and may that the complaint be finalised under one or more of the grounds in s 41, with the effect that the investigation is terminated. Provided that the decision-maker is satisfied with the investigator’s report, including they are satisfied with the matters outlined above, it is open to the decision-maker to finalise the matter by adopting the findings and recommendations of the investigator.
In the event that the investigator recommends that there has been an interference with privacy on the part of the OAIC, conciliation should be considered. If conciliation is unsuccessful, the decision-maker will need to carefully consider next steps and may wish to seek legal advice.
Depending on the circumstances of the case, it may be that the investigator is asked to provide recommendations to remedy the conduct. If those recommendations are agreed, it may be that the decision-maker considers it appropriate to finalise the matter under s 41(1)(da) on the basis that further investigation is not warranted having regard to all the circumstances.
However, whether to decline to investigate further, and if so on what ground, is a matter that will need to be considered on a case-by-case basis.
Conduct of an OAIC employee
An interference of an individual’s privacy is taken to be an act of the OAIC. However, the Code of Conduct requires all APS employees to act with care and diligence and to comply with Australian laws in connection with their employment. Consideration may be given to any conduct by an employee resulting in any interference of an individual’s privacy and whether the employee’s conduct ought to be referred for consideration under the Breaches of the APS Code of Conduct Procedures policy.
Privacy officers will be responsible for registering the matter on Content Manager, liaising with the complainant, dealing with the complaint at first instance and advising the complainant of the outcome. A Resolve LEG case file will also be opened, but will act as a duplicate folder, with all documents to be placed on both the Content Manager and Resolve files.
Access to the Content Manager and Resolve files concerning privacy complaints against the OAIC, for both complaints made to the OAIC as an agency and subsequent s 36 complaints, should only be available to officers within the Legal Services team and Executive.