Information Sharing Arrangement for the referral of privacy complaints under section 50 of the Privacy Act 1988 (Cth) between The Office of the Australian Information Commissioner and External Dispute Resolution Schemes

(as named in the Schedule)

1Background

1.1 Under s 50 of the Privacy Act 1988 (Cth) (the Privacy Act), the Commissioner may decide not to investigate or further investigate a privacy complaint, and transfer it to an alternative complaint body, if the Commissioner forms the opinion that a complaint could have been made to one of those bodies and that the matter could be more conveniently or effectively dealt with by that body.

1.2 The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Privacy Amendment Bill) sought to improve the Commissioner’s ability to recognise and encourage the use of external dispute resolution services.

1.3 The Privacy Amendment Bill added recognised external dispute resolution schemes (EDR schemes) to the list of alternative complaint bodies to which the Commissioner could refer complaints under s 50. [1]   This amendment complemented the implementation of the Government’s response to Recommendation 49-2 of the Australian Law Reform Commission’s report number 108, ‘For Your Information: Australian Privacy Law and Practice’, which gave the Commissioner the power to decline to investigate a complaint where the Commissioner considers it would be better dealt with by an EDR scheme.

1.4 The Office of the Australian Information Commissioner’s (OAIC) Guidelines for recognising external dispute resolution schemes (EDR Guidelines) include:

  1. matters that the Commissioner must take into account in considering whether to recognise an EDR scheme
  2. the steps an EDR scheme should take to apply for recognition
  3. the general conditions for ongoing recognition

1.5 The EDR Guidelines provide that one of the general conditions for ongoing recognition of the EDR scheme is for that EDR scheme to accept relevant privacy-related complaints referred to the EDR scheme by the Commissioner, provided that the complaint falls within the EDR scheme’s scope or terms of reference. [2]  

1.6 Under the OAIC’s Privacy regulatory action policy (the Policy), EDR schemes constitute the second tier of a three-tiered complaints process:   [3]

  1. an individual should first make a complaint to a respondent entity and allow the entity a reasonable time to respond
  2. an individual who is not satisfied with the response or outcome may complain to a recognised EDR scheme of which the entity is a member (if any)   [4]
  3. an individual who is not satisfied with the outcome of the external dispute resolution process may complain to the OAIC. The OAIC will consider whether to accept the complaint or decline to investigate under s 41 of the Privacy Act.

1.7 The Policy also stipulates that a complainant who has not first complained to a recognised EDR scheme of which the respondent entity is a member, will generally be advised to do so, before the OAIC will accept the complaint.   [5]

1.8 EDR schemes play an important role in dealing with complaints which relate to credit reporting. Before a credit provider can disclose credit information to a credit reporting body, the credit provider must be a member of an EDR scheme. [6]   Credit Reporting Bodies are also required to be a member of an EDR scheme.   [7]

1.9 The Explanatory Memorandum to the Privacy Amendment Bill (EM) stated that in most cases it is expected that the individual will make complaints about credit reporting to a credit reporting body or credit provider then to an EDR scheme, then to the Commissioner.   [8]

1.10 The Information Sharing Arrangement for the referral of privacy complaints under s 50 (the Arrangement):

a. reflects the expectation that the Commissioner may receive privacy complaints about entities that are members of an EDR scheme, and that EDR schemes constitute the second tier of a three-tiered complaints process

b. recognises that the EDR scheme may be best placed to investigate the acts or practices of the entities complained about at first instance.

2 Objectives of the Arrangement

2.1 The objective of the Arrangement is to assist the process of complaint referral and information sharing from the OAIC to EDR schemes as permitted under s 50.

2.2 Nothing in the Arrangement is intended to:

  1. create binding obligations, or affect existing obligations under Commonwealth, state or territory law; or
  2. create obligations or expectations of cooperation that would exceed an EDR scheme’s scope of authority and/or jurisdiction.

3 Effect

3.1 The Arrangement will come into effect between the OAIC and the EDR scheme on the date on which the EDR scheme provides its written notice to the OAIC of its agreement to be a party to the Arrangement.

3.2 The Arrangement may be modified by the OAIC to include other entities that the Commissioner subsequently recognises as EDR schemes under s 35A of the Privacy Act.

4 Definitions

In the Arrangement, the following definitions apply:

Arrangement means this document, ‘the Information Sharing Arrangement for the referral of privacy complaints under s 50 of the Privacy Act 1988 (Cth)’.

Commissioner means the Australian Information Commissioner within the meaning of the Australian Information Commissioner Act 2010.

complaint means a complaint that meets the requirements of s 36 of the Privacy Act.

EDR scheme is an external dispute resolution scheme recognised under s 35A of the Privacy Act.

OAIC means the Office of the Australian Information Commissioner.

Privacy Act means the Privacy Act 1988 (Cth).

5 The Office of the Australian Information Commissioner

5.1 The OAIC is the independent regulator responsible for administering the Privacy Act.

5.2 The Privacy Act provides for an individual (the complainant) to complain to the Commissioner about an interference with their privacy by certain Australian government agencies or private sector organisations.   [9]

6 EDR schemes

6.1 An EDR scheme is eligible to be a party to the Arrangement if it is a recognised EDR scheme under s 35A of the Privacy Act.   [10]

6.2 An EDR scheme will become a party to the Arrangement by providing written notice advising the OAIC of their intention to do so. Parties to the Arrangement will be named in the Schedule.

7 Complaint referral

7.1 Where the OAIC receives a complaint under s 36 of the Privacy Act about an act or practice that may involve an interference with the privacy of an individual, the Commissioner may decide not to investigate, or further investigate the complaint, if the Commissioner forms the opinion that:

a. the complainant has made, or could have made, a complaint relating to that matter to a EDR scheme; and

b. the matter could be more conveniently or effectively dealt with by the EDR scheme.

7.2 If the Commissioner decides not to investigate such a matter, the Commissioner will:

  1. transfer the complaint to that EDR scheme; and
  2. give notice in writing to the complainant stating that the complaint has been transferred; and
  3. give to the EDR scheme any information or documents that relate to the complaint.

7.3 To properly inform the Commissioner, the OAIC may consult with the relevant EDR scheme to determine whether the conditions outlined in paragraph 7.1 exist.

7.4 A complaint transferred under s 50 will be taken, for the purposes of the Privacy Act, to have been made to the EDR scheme.   [11]

7.5 Where the EDR scheme determines that a complaint that the OAIC transfers is outside its terms of reference or jurisdiction, it may refer the matter back to the OAIC. If it does so:

  1. it will give prior notice in writing to the complainant that the matter will be transferred back to the OAIC and the reasons why this will occur; and
  2. give the OAIC written reasons for the re-transfer.

8  Information Sharing

8.1 The OAIC may share information or documents with an EDR scheme for the following purposes:

  1. where the discretion not to investigate or further investigate a complaint under s 50 has been exercised, and
  2. for the purpose of deciding if the discretion not to investigate or further investigate a complaint under s 50 ought be exercised.

8.2 In agreeing to be a party to the Arrangement, the parties confirm that they have satisfactory arrangements in place for protecting information or documents shared by the Commissioner under the Arrangement from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

8.3 In signing this protocol, the parties agree to store the relevant information securely, and that access to the information or documents will be restricted to individuals on a need to know basis.

9 Transfer of information or documents

9.1 The OAIC shall adopt appropriate security measures, in accordance with the requirements under the Protective Security Policy Framework, to protect the transfer of information or documents.

9.2 Parties shall have regard to the sensitivity of the information or documents and any classification that is applied by the sender.

10 Liaison meetings

10.1 Parties will hold regular liaison meetings and establish direct lines of communication for the purpose of the Arrangement.

10.2 Parties shall nominate a designated contact officer.

10.3 Parties may change their designated contact officer at any time by providing written notice to the OAIC.

10.4 The OAIC will provide relevant policy guidance to the parties to the Arrangement as it considers appropriate, to inform the EDR schemes’ handling of complaints that the OAIC has transferred under the Arrangement.

10.5 The OAIC will periodically provide information to the parties to the Arrangement as it considers appropriate about the number and types of complaints that it has transferred under the Arrangement.

11 Amendment and period of Arrangement

11.1 The Arrangement will continue until the repeal of s 50 of the Privacy Act.

11.2 The Parties may review the operation of the Arrangement on a periodic basis and will consult with each other with a view to improving its operation where necessary.

11.3 The Arrangement may be amended at any time by agreement of the parties.

11.4 Parties may withdraw from the Arrangement at any time by providing written notice to the OAIC.

12 Schedule

The following EDR schemes are parties to the Arrangement:

EDR schemeDate of effect

Australian Financial Complaints Authority (AFCA)

11/8/21

Telecommunications Industry Ombudsman (TIO)

10/8/21

Energy and Water Ombudsman NSW (EWON)

6/8/21

Energy and Water Ombudsman VIC (EWOV)

28/7/21

Energy and Water Ombudsman SA (EWOSA)

6/8/21

Energy and Water Ombudsman QLD (EWOQ)

4/8/21

Energy and Water Ombudsman WA (EWOWA)

5/8/21

Public Transport Ombudsman, VIC (PTO)

6/8/21

ACT Civil and Administrative Tribunal (ACAT)23/6/22

Footnotes

[1] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, page 243.

[2] EDR Guidelines, paragraph 4.20.

[3] The Policy, paragraph 42.

[4] The complainant must also have given the entity an adequate opportunity to respond (s 41(2)(b)), which the OAIC interprets to be generally 30 days from the date on which the complainant has complained to the respondent entity.

[5] The Policy, paragraph 43.

[6] Section 21D of the Privacy Act.

[7] Section 21.2 of the Privacy (Credit Reporting) Code 2014.

[8] EM, page 188.

[9] Privacy Act, s 36.

[10]For a list of recognised EDR schemes, please visit the OAIC’s website “Recognised external dispute resolution (EDR) schemes register https://www.oaic.gov.au/privacy/privacy-registers/recognised-edr-schemes-register.

[11]FPrivacy Act, s 50(3).