Publication date: January 2023
5.1 After investigating a complaint under the Privacy Act, the Commissioner may make a determination which dismisses the complaint or finds that the complaint is substantiated (s 52(1)).
5.2 The complaint handling process under the Privacy Act is free and informal. Parties do not require legal representation to participate in the complaint handling process or the determination process. Parties generally bear their own costs in the complaint handling process.
5.3 The Commissioner can also make a determination after conducting an investigation on his or her own initiative (s 52(1A)).
5.4 Furthermore, some determinations may be made under the Crimes Act 1914 (Cth) or through an arrangement with the ACT Government, under the Information Privacy Act 2014 (ACT) (IP Act).
When will a determination be made?
Following an investigation of a complaint
5.5 The Commissioner generally tries to resolve complaints through conciliation as provided for by the Privacy Act (s 40A). Sometimes where a matter cannot be resolved through conciliation, and where the complaint is not able to be finalised on some other basis (for example, because the complaint is declined under s 41(1)), the Commissioner may make a determination under s 52.
5.6 When deciding whether to make a determination in response to a complaint under s 36, the Commissioner will take into account a number of factors. Factors that would weigh in favour of a determination include that:
- it appears there is a prima facie interference with privacy,4 the parties are unable to resolve the matter through conciliation, and the matter cannot otherwise be finalised
- one or both parties has requested that the matter be finalised by way of a determination and the Commissioner considers that making a determination would be the appropriate resolution in the particular circumstances
- the issues raised by the complaint are complex and/or systemic
- the investigation process has not been able to resolve whether an interference with privacy has occurred, and it is likely that the determination process would resolve that question.
5.7 The OAIC will also review the matter against either the Privacy regulatory action policy), the CDR regulatory action policy or the My Health Records Enforcement Guidelines as applicable when considering whether to make a determination.
Following an investigation on the Commissioner’s own initiative
5.8 Following an investigation on the Commissioner’s own initiative, the Commissioner (or approved delegate) may make a determination under s 52(1A).
5.9 A determination is one of several possible outcomes of a Commissioner initiated investigation where a breach appears likely to have occurred. Rather than finalising an investigation by determination, the Commissioner might, for example, accept an enforceable undertaking offered by the respondent. The possible outcomes are discussed in Chapter 2— Commissioner initiated investigations.
5.10 When deciding whether to make a determination, the Commissioner will take into account a number of factors. Factors that would weigh in favour of a determination include that:
- it appears there is a prima facie interference with privacy
- the respondent has not cooperated with the Commissioner’s inquiries or investigation, and the Commissioner believes that it is necessary to make formally binding declarations that the respondent must take certain steps to address the interference with privacy
- there is a disagreement between the Commissioner and the respondent about whether an interference with privacy has occurred, and the determination would allow that question to be resolved, and
- there is a public interest in the Commissioner making a declaration setting out his or her reasons for finding that an interference with privacy has occurred, and the appropriate response by the respondent.
5.11 The OAIC will also review the matter against either the Privacy regulatory action policy, the CDR regulatory action policy or the My Health Records Enforcement Guidelines as applicable when considering whether to make a determination.
Procedural steps in making a determination
5.12 The determination process is administrative, not statutory, and occurs while an investigation is still on foot. In making a determination, the Commissioner (or delegate) may conduct further investigation, and consider additional submissions and information provided by the parties.
5.13 The procedural steps below apply during the determinations process in relation to the investigation of a complaint,, but will also generally apply in the case of a determination following a Commissioner initiated investigation. However, some steps may not be relevant to a Commissioner initiated investigation, given there is no ‘complainant’ or conciliation process.
5.14 Where a matter is to proceed to determination the OAIC will generally take these steps:
- The OAIC will notify the parties in writing about its decision to make a determination and the basis for that decision. The notice will state how to make submissions, if the parties wish to do so, and the timeframe for making any submissions. In limited cases oral submissions may be sought. The Commissioner may also seek specific information about the remedies sought by the complainant.
- The Commissioner cannot consider any action done or information provided during the course of conciliation unless the complainant and respondent both agree (s 40A).
- If the Commissioner requires further information, and it is not voluntarily forthcoming on request, the Commissioner may, under s 44 of the Privacy Act, require the production of that information from the complainant, the respondent or a third party. The Commissioner may also, under s 45, require a witness to attend and answer questions.
- The Commissioner will adhere to the principles of natural justice and procedural fairness in determining a matter. Those principles include the parties having the opportunity to examine and comment on the information the Commissioner relies on in making the determination. On this basis, the OAIC will provide each party with the submissions and information received from the other party.
- Submissions will generally not be accepted on a confidential basis. This is because any determination made by the Commissioner would not be able to explicitly refer to the contents of such a submission and, in addition, a determination based on material in the submission would generally not satisfy the ‘procedural fairness’ principle unless the other party has been given a chance to respond to it.
- In exceptional circumstances where confidential or commercially sensitive information is essential to the determination process, the Commissioner will accept that information on a confidential basis and provide access to a summary of that material to ensure the other party is not disadvantaged.
- Parties may request that the Commissioner hold a hearing before making a determination under s 43A of the Act. However, whether a hearing is held is at the discretion of the Commissioner (s 43A(2)(c)). Where a party has requested a hearing, the Commissioner will give all interested parties a reasonable opportunity to make a submission about the request (s 43A(2)(b)).
- Where the Commissioner has allowed an oral submission to be made or a hearing to be held, both parties will generally be invited to participate. The format of a hearing generally comprises the parties providing their oral submissions and responding to questions that the Commissioner may have. The format will also depend on a range of matters including whether the hearing is held by phone, by video conference or at the OAIC’s, or another, premise.
- The Commissioner may seek external expert opinion, independent of the parties and at no cost to them, where a matter arising from the determination process raises issues that would benefit from specific technical or other expertise. In those cases, the parties will be advised of the name and qualifications of the external expert and their role in the proceedings.
Discretion to make a determination
5.15 Once an investigation is complete, the decision-making power of the Commissioner under s 52(1) or s 52(1A) is enlivened. The discretion pursuant to s 52(1) or s 52(1A) is twofold. First, the Commissioner has discretion as to whether they will make a determination. Second, if the Commissioner decides to make a determination, they then have discretion as to what determination to make.
5.16 In making the determination, the Commissioner will determine whether, on the balance of probabilities, an interference with privacy occurred, having regard to all information available to the Commissioner.
Content of determinations
5.17 A determination will generally contain the following information:
- the relevant parties, including, where relevant, the class members who are to be affected by the determination in relation to a representative complaint (s 53)
- the background to and summary of the complaint or Commissioner initiated investigation, which may include a chronology of events
- the OAIC’s investigation process
- the legislative framework
- a summary of the parties’ submissions
- any findings of fact (s 52(2))
- whether the complaint is substantiated (s 52(1)(b)) or is dismissed (s 52(1)(a)) following an investigation of a complaint
- any relevant declarations or orders which may include:
- a declaration that the respondent has engaged in conduct that interfered with the privacy of an individual and that the respondent should not repeat or continue the conduct (s 52(1)(b)(i); s 52(1A)(a))
- a declaration that respondent must take specified steps within a specified period to ensure that such conduct is not repeated or continued. Such steps may include a requirement for the respondent to engage, in consultation with the Commissioner, a suitably independent and qualified adviser to review the steps taken by the respondent to ensure the conduct referred to in the determination is not repeated or continued and to provide a copy of the review to the Commissioner (s 52(1)(b)(ia); s 52(1A)(b); s 52(1AAA))
- a declaration that the respondent must perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant (s 52(1)(b)(ii)), or with a Commissioner initiated investigation, any loss or damage suffered by one or more individuals whose privacy has been interfered with (s 52(1A)(c))
- a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (s 52(1)(b)(iia); s 52(1A)(ba))
- a declaration that the complainant (or a Commissioner initiated investigation, one or more individuals whose privacy has been interfered with) is entitled to compensation (s 52(1)(b)(iii); s 52(1A)(d))
- a declaration that it would be inappropriate for any further action to be taken in the matter (52(1)(b)(iv); s 52(1A)(e))
- for determination following a complaint, a declaration that the complainant is entitled to a specified amount to reimburse the complainant for expenses reasonably incurred by the complainant in connection with making the complaint and the investigation of the complaint (s 52(3))
- in relation to representative complaints, the Commissioner may specify amounts or a way to work out amounts for payment to the complainants concerned (s 52 (4)) and may make directions in relation to the manner in which a class member is to establish his or her entitlement to the payment of an amount under the determination; and the manner for determining any dispute regarding the entitlement of a class member to the payment (s 52(5))
- the relevant review and enforcement mechanisms (discussed below).
Following an investigation of a complaint
5.18 Where the Commissioner makes a declaration that a complainant is entitled to an amount of compensation, the Commissioner is guided by the following principles on awarding compensation, drawn from a Federal Court decision:
- where a complaint is substantiated and loss or damage is suffered, the legislation contemplates some form of redress in the ordinary course
- awards should be restrained but not minimal
- in measuring compensation the principles of damages applied in tort law will assist, although the ultimate guide is the words of the statute
- in an appropriate case, aggravated damages may be awarded
- compensation should be assessed having regard to the complainant’s reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances.
5.19 In addition, the Commissioner is also guided by the principle that once loss is proved, there would need to be good reason why compensation for that loss should not be awarded.7 Loss or damage in this context can include hurt feelings and/or humiliation suffered by the complainant. The Commissioner may also award an amount to reimburse the complainant for expenses reasonably incurred in connection with the making of the complaint and the investigation of the complaint.
5.20 In deciding whether to award compensation and in assessing the appropriate amount of compensation, the Commissioner will consider the information submitted by the parties and previous privacy determinations.
5.21 The Commissioner can also award aggravated damages as well as general damages where he or she is of the view it is warranted. The principles for awarding aggravated damages, drawn from Federal Court decisions, include:
- aggravated damages may be awarded where the respondent behaved ‘high-handedly, maliciously, insultingly or oppressively in committing the act’ complained about
- the ‘manner in which a defendant conducts his or her case may exacerbate the hurt and injury suffered by the plaintiff so as to warrant the award of additional compensation in the form of aggravated damages’.
Following an investigation on the Commissioner’s own initiative
5.22 The Commissioner also has power to award compensation following a determination made after an investigation conducted on the Commissioner’s own initiative.
5.23 However, a Commissioner initiated investigation is less likely to determine the quantum of loss or damage suffered by individuals affected by an interference with privacy. Rather than awarding compensation by determination, the OAIC would typically inform affected individuals to make a complaint about the act or practice if the individual believes he or she has suffered compensable loss or damage.
Publication of determinations
5.24 Once made, and sent to the parties, determinations will be published on the OAIC’s website and on the AustLII website.
5.25 The Commissioner will generally publish the name of the respondent. However, the Commissioner will generally not publish the names of complainants, respondent individuals or any third party individuals.
5.26 5.26 A party may apply under s 96 of the Privacy Act to have a decision under subsection 52(1) or (1A) to make a determination reviewed by the AAT. The AAT provides independent merits review of administrative decisions and has power to set aside, vary, or affirm a privacy determination. An application to the AAT must be made within 28 days after the day on which the person is given the privacy determination (s 29(2) of the Administrative Appeals Tribunal Act 1975 (Cth)). An application fee may be payable when lodging an application for review to the AAT.
5.27 A party may also apply under s 5 of the Administrative Decisions (Judicial Review) Act 1977 (Cth) to have the determination reviewed by the Federal Circuit Court or the Federal Court of Australia. The Court may refer the matter back to the Commissioner for further consideration if it finds the decision was wrong in law or the Commissioner’s powers were not exercised properly. An application to the Court must be lodged within 28 days of the date of the determination. An application fee may be payable when lodging an application to the Court.
Enforcement of determinations
5.28 Under s 55 of the Privacy Act, where a determination applies to a respondent that is not a government agency, the respondent must comply with any declarations made in the determination within the period specified in the determination.
5.29 Under s 58 of the Privacy Act, where a determination applies to a government agency it must comply with any declarations made by the Commissioner in that determination.
5.30 Either the complainant or Commissioner may commence proceedings in the Federal Court or the Federal Circuit Court for an order to enforce a determination. However different rules apply depending on who the respondent is, for example, if the respondent is not a government agency the Court will re-examine whether there has been an interference with privacy.
 Information about our complaint handlingprocess can be found in Chapter 1
 Where a matter is determined s 52(3) provides for the Commissioner to award an amount to reimburse a complainant for expenses reasonably incurred by the complainant in connection with the makingof the complaint and the investigation of the complaint.
 Information about Commissioner initiated investigations can be found in Chapter 2 .
 As explained in the Introduction, an ‘interference with privacy’ includes contraventions of certain provisions of the My Health Records Act.
 See definition of systemic privacy issues in the Privacy regulatory actionpolicy (paras 12-13).
 Hall v A & A Sheiban Pty Ltd (1989) 20 FCR 217 as referredto in Rummery and Federal PrivacyCommissioner  AATA 1221, -.
 Rummery and FederalPrivacy Commissioner  AATA 1221 .