Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Chapter 1: Privacy complaint handling process

pdfPrintable version207.11 KB

Legislative framework

1.1 Section 36(1) of the Privacy Act provides for an individual (the complainant) to complain to the Commissioner about an interference with their privacy by certain Australian Government agencies or private sector organisations (the respondent).[1]

1.2 A complaint about an act or practice that may be an interference with privacy can be made by an individual on their own behalf, and on behalf of other individuals with their consent.

1.3 The Privacy Act also provides for representative complaints to be made on behalf of a class of people where all the class members are affected by an interference with privacy (s 38(1)).

1.4 Section 13 of the Privacy Act sets out the acts and practices that may be an interference with the privacy of an individual. These include:

  • a breach of an Australian Privacy Principle (APP) or a registered APP privacy code[2]
  • a breach of rules under s 17 in relation to tax file number information, and
  • a breach of a provision of Part IIIA or the registered CR code.[3]

1.5 Other legislation can also provide that an act or practice is an interference with privacy and therefore can be investigated by the Commissioner:

  • s 73 of the Personally Controlled Electronic Health Records Act 2010 (Cth) (PCEHR Act)
  • s 29 of the Healthcare Identifiers Act 2010 (Cth)
  • s 35L of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
  • s 135AB of the National Health Act 1953 (Cth), and
  • s 173 of the Personal Property Securities Act 2009 (Cth).

1.6 The Commissioner also has power to investigate complaints made under Part VIIC of the Crimes Act 1914 (Cth) concerning the Commonwealth spent convictions scheme and s 13 of the Data-Matching Program (Assistance and Tax) Act 1990, and exercises some of the functions of the ACT Information Privacy Commissioner under the Information Privacy Act 2014 (ACT).

1.7 Further information on the OAIC's role in investigating breaches of privacy provisions contained in other legislation is available at Other legislation <www.oaic.gov.au/privacy/privacy-act/other-legislation>.[4]

1.8 Part V of the Privacy Act outlines the processes by which privacy complaints can be handled. This may include one or more of the following steps - conducting preliminary inquiries, opening an investigation, attempting to conciliate a complaint, and making a determination.[5]

1.9 The Commissioner has a wide range of powers relating to the privacy complaint handling process including to:

  • assist a person to formulate and make a complaint (s 36(4))
  • make preliminary inquiries of any person (s 42)
  • transfer matters to an alternative complaint body in certain circumstances (s 50)
  • attempt to conciliate the complaint (s 40A)
  • conduct an investigation into the complaint (s 40)
  • at any stage, not investigate, or cease to investigate or not investigate further, the complaint on various grounds (generally referred to as a ‘decline’) (ss 41, 49, 49A)
  • require a person to give information or documents, or to attend a compulsory conference (ss 44, 45, 46, 47)
  • enter premises to inspect documents (s 68)
  • accept an enforceable undertaking (s 33E)
  • make a determination about the complaint (s 52)
  • seek to enforce a determination in a court (s 55A).

1.10 Not all of these powers will be used in resolving any particular complaint. These powers are explained further throughout this Chapter or elsewhere in this Guide.

1.11 To facilitate the complaint handling process the Commissioner delegates complaint handling functions to Office of the Australian Information Commissioner (OAIC) staff, other than the s 52 power to determine a matter. Throughout the rest of this Chapter we have used ‘the OAIC’ unless the power or function can only be performed by the Commissioner.

1.12 The Commissioner also has an agreement with the ACT Government to handle complaints under the Information Privacy Act 2014 (ACT) about breaches of the Territory Privacy Principles by ACT public sector agencies. The powers in relation to handling those complaints are outlined in the ACT legislation and, in some respects differ from the Privacy Act powers. For more information see our ACT privacy webpage.

Back to Contents

General approach to handling privacy complaints

1.13 The OAIC provides a free, informal and accessible complaint process. Parties do not require legal representation to participate in the complaint handling process or the determination process. Parties generally bear their own costs in the complaint handling process, including any legal expenses.[6]

1.14 Where appropriate, the OAIC endeavours to resolve complaints through conciliation. Generally where a complaint is not declined for some reason, or it cannot be resolved through conciliation, the complaint may be determined by the Commissioner under s 52.

1.15 The OAIC has an impartial role so does not advocate for any party in handling a privacy complaint.

1.16 In carrying out the OAIC 's functions to investigate and, if appropriate, to attempt to resolve privacy complaints through conciliation, the OAIC will:

  • use a process that is accessible, flexible and timely, and done in accordance with the principles of natural justice and procedural fairness
  • focus on providing an opportunity for the parties to resolve complaints through conciliation.

Back to Contents

How the OAIC handles privacy complaints

1.17 Complaints must be in writing and must identify the person making the complaint, the respondent and the alleged act or practice that is an interference with privacy. The OAIC cannot accept anonymous complaints.

1.18 Complaints are assessed on receipt. If the complaint does not reach the threshold required because it does not identify an interference with privacy the OAIC will contact the complainant and advise them why their matter cannot be dealt with as a complaint. The OAIC may provide appropriate assistance to the complainant to help formulate the complaint. Where appropriate the OAIC may refer the complainant to another agency or organisation that may be able to assist them.[7]

1.19 Where a matter reaches the required threshold to be a complaint under s 36 the OAIC will consider how best to deal with it. The OAIC can, at any stage of the process, attempt to conciliate the complaint or decline to investigate the complaint based on the information available to the OAIC.

1.20 Generally a complainant must have complained to the respondent[8] and given them a chance to respond to the complaint before the OAIC can investigate (s 40(1A)).[9] In limited circumstances the OAIC may decide to investigate the complaint if it is considered that it is not appropriate for the complainant to first complain to the respondent, for example:

  • where there is a significant power differential between the complainant and respondent and the complainant may be disadvantaged in a direct approach to the respondent to resolve the issues in the complaint
  • where there is a history of similar issues associated with the respondent
  • where the complaint identifies a systemic issue.[10]

1.21 Section 40(1B) of the Privacy Act also provides for additional circumstances in which the OAIC can investigate a complaint without requiring a complainant to first complain to the respondent. This relates to complaints about access to and correction of credit reporting information.

1.22 Where a complaint raises an issue that could be an interference with privacy the OAIC may conduct preliminary inquiries to obtain relevant information of any person to assist with the handling of the complaint.[11] These inquiries may be made, for example, to clarify the allegations in the complaint or to confirm that the OAIC has jurisdiction.

1.23 Where the OAIC is unlikely to open an investigation for a reason provided for by s 41 of the Privacy Act[12] the OAIC will contact the complainant and advise them of our view. The OAIC will generally write to the complainant outlining our reasons for that view and ask if they have any further relevant information that they wish to provide. In these cases the OAIC does not generally advise the respondent of the complaint unless a decision to proceed to investigation is made.

1.24 The Privacy Act obliges the OAIC to make a reasonable attempt to conciliate the complaint where the OAIC is of the view it is reasonably possible that a complaint could be successfully conciliated (s 40A). Conciliation can be attempted at any stage of the complaint handling process.

1.25 When the OAIC has opened an investigation into the complaint, under s 40, the OAIC can compel the production of relevant documents and information or require witnesses to attend and answer questions (s 44), if that will assist the investigation. Where a complaint is not declined or finalised on some other basis, and cannot be resolved through conciliation, and an investigation has been opened, the Commissioner may determine the complaint under s 52 of the Privacy Act.

1.26 A complainant can withdraw a complaint at any time without penalty.

Representative complaints

1.27 The Privacy Act allows for representative or class complaints to be made where an interference with privacy affects a large group of people. Particular conditions apply to a class complaint and these are outlined in ss 38 to 39 of the Act. A representative complaint does not need to identify the class members by name or how many class members there are, however, a person who is part of a class where a representative complaint has been lodged cannot bring an individual complaint unless they withdraw from the representative complaint.

1.28 Conditions for making a representative complaint include:

  • that the class members have a complaint against the same respondent
  • the complaints all arise out of the same or similar circumstances, and
  • the complaints give rise to a substantial common issue of law or fact.

1.29 A representative complaint must address each of these conditions in the complaint and also identify the remedy or relief sought. A representative complaint may be lodged by a complainant who is a class member or a person or organisation who is not a class member.

1.30 The OAIC may not accept or continue with a representative complaint where the OAIC is not satisfied the complainant can adequately represent the interests of the class members.

Confidentiality

1.31 The OAIC is bound by confidentiality in handling complaints, and by the APPs when handling complaint related personal information. As such, the OAIC does not disclose the particulars of a complaint during the complaint handling process to persons other than the parties to a complaint or third parties with information relevant to the inquiry that can assist the inquiry. This is to ensure that parties will participate fully and frankly in the complaint process.

1.32 The parties to a complaint, however, are not bound by any form of confidentiality during the complaint process as the Privacy Act does not impose an obligation of confidentiality on the parties to a complaint. However, APP obligations do apply to APP entities and information they obtain during the course of a complaint. If the parties have settled the matter with an agreement that includes a confidentiality clause they may be bound by that agreement.

1.33 In addition, conciliation, where that is occurring, works best in an atmosphere where parties can raise issues in a frank way without fear of the information being disseminated further and the OAIC encourages parties not to disseminate information while involved in the conciliation process.

Back to Contents

Investigating privacy complaints

1.34 Where possible the OAIC tries to handle privacy complaints informally and flexibly. In some cases, before commencing an investigation under s 40 of the Privacy Act, the OAIC may conduct preliminary inquiries and obtain information that will assist the OAIC to explain an issue to a complainant that may resolve an issue or lead the complainant to withdraw the complaint on the basis they are satisfied with the explanation that has been provided.

1.35 Where the OAIC has established jurisdiction to investigate it will generally notify a respondent of the complaint under the investigation power (s 40). The respondent will be provided with a copy of the complaint, asked to respond to the specific issues in the complaint and to tell the OAIC whether they are willing to try to resolve the complaint through conciliation.

1.36 In many cases a complaint can be quickly resolved prior to a detailed written response being provided. This occurs in circumstances where a respondent is willing to try to resolve the complaint on the terms the complainant has identified, or is willing to negotiate terms of resolution with the complainant.

1.37 For procedural fairness and transparency, generally any substantive information provided by a party to a complaint will be provided to the other party to facilitate the handling of the complaint. This includes the complaint, the respondent’s response, offers of resolution and other relevant information.

1.38 Generally the OAIC does not accept confidential submissions. If information that is commercially sensitive or is sensitive for some other reason has to be provided to assist the OAIC with its investigation the OAIC will usually ask that the information be provided in a form that can be provided to the other party.[13]

1.39 At each stage of the complaint process the officer handling the matter will assess the available information and keep the parties advised of the OAIC’s views on the matter. Where an investigation has been commenced the OAIC may decline to continue to investigate a matter, or attempt to conciliate a matter, at any stage during the investigation where that appears to be the appropriate course of action.

1.40 Where the OAIC’s investigation indicates that it is likely that an interference with privacy has occurred and conciliation is not considered appropriate or conciliation has been attempted without resolution, then the OAIC will consider whether to take enforcement action and, if so, what enforcement action to take. The OAIC will review the matter against either the Privacy regulatory action policy (including the factors set out in paragraph 38) or the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 as applicable to assess the appropriate enforcement response.

1.41 Generally the appropriate enforcement response for a complaint, where an investigation has been opened, conciliation has not resolved the matter and the complaint has not been declined, will be a determination under s 52. However other enforcement action may also be considered appropriate, in addition to a determination, for example seeking a civil penalty for a serious or repeated interference with privacy.

1.42 Where the OAIC considers that there is a likelihood that it will decide to seek a civil penalty for a serious or repeated interference with privacy, the complaint investigation will be conducted with a view to ensuring that sufficient admissible evidence will be available to allow that case to be pursued in court if necessary. For more information see Chapter 6 on civil penalties.

Back to Contents

Conciliating a complaint

1.43 Where the OAIC considers it is reasonably possible a complaint may be conciliated successfully there must be a reasonable attempt to conciliate (s 40A(1)).

1.44 The OAIC is not required to attempt to resolve the complaint through conciliation where the OAIC has decided not to investigate, or not to further investigate, a complaint.

1.45 Factors the OAIC may take into account in assessing whether it is possible to successfully conciliate a complaint may include:

  • the approach taken by the parties to conciliation i.e. willingness to discuss conciliation, whether resolution proposals are generally appropriate and proportionate to the nature of the complaint and outcomes generally applicable to privacy complaints
  • previous resolution attempts and any outcomes achieved or actions taken by either party regarding the complaint
  • the responsiveness of the parties to the OAIC’s attempts to assist the parties to resolve a complaint, and
  • the length of time the OAIC and the parties have taken to try to resolve a complaint.

1.46 The OAIC will generally ask the complainant to outline what they are seeking to resolve the complaint and ask the respondent to consider that proposal or propose an alternative basis for resolution.

Types of outcomes in conciliated matters

1.47 Outcomes that may be achieved in privacy complaints may include:

  • change in practice, procedure or policy
  • access to information
  • staff training
  • review of privacy policies and procedures
  • statement of regret or a private or public apology
  • financial compensation.

1.48 Parties will be advised of resources and information to help them develop or respond to a proposal for resolution, for example, determinations by the Commissioner, information about conciliated matters the OAIC has published in annual reports or on its website, similar jurisdictions, for example, New Zealand and New South Wales privacy jurisdictions and the Commonwealth discrimination jurisdiction.

How the OAIC tries to conciliate matters

1.49 The OAIC generally tries to resolve complaints through conciliation by:

  • phone and email based shuttle negotiations - where the parties are separately communicated with
  • teleconferences involving all parties
  • face to face meetings with the parties (where practicable and appropriate).

1.50 In each case the officer handling the matter will contact the parties to discuss the issues in the complaint and the outcome being sought. The officer will try to assist the parties to negotiate a satisfactory resolution to the complaint.

1.51 Where a matter is resolved the parties may enter into a conciliation agreement or deed of release prepared by one of the parties to the complaint or the OAIC. In limited situations the Commissioner may accept an enforceable undertaking from the respondent as part of the resolution of a complaint (for more information see Chapter 3 Enforceable undertakings).

1.52 Sometimes a party to a complaint may be legally represented. To ensure fairness in the process the OAIC will generally recommend to the parties that they get legal or other professional advice if they are entering into a legal deed or agreement.

1.53 Where conciliation is successful the file will be closed on the basis the matter has been adequately dealt with.

1.54 Where a complaint is not able to be resolved through conciliation the matter will generally move to determination under s 52 or be declined under the powers available in s 41. Although the matter could be finalised under s 40A on the basis there is no reasonable likelihood that the matter will be resolved by conciliation, this discretionary power would only be used in limited circumstances.

Compulsory conciliation conference

1.55 The OAIC can require a complainant or respondent or other relevant party to attend a conciliation conference (s 46). A person who has been directed to attend and fails to attend is guilty of an offence.

1.56 Generally, the OAIC relies on voluntary participation in a conciliation process as resolution generally relies on the understanding that parties are participating in good faith to genuinely resolve the matter.

1.57 In some cases where a matter is not able to be resolved through voluntary participation the OAIC may consider compelling a person to attend a conciliation conference where the OAIC is of the view the matter may be able to be resolved if the parties were to deal directly with each other over the complaint. Factors that may contribute to this view are where:

  • the proposals for resolution are appropriate to the interference with privacy raised by the complaint
  • a party indicates they are willing to resolve a complaint but are unwilling to commit to a resolution process or outcome
  • the parties have been involved in extended negotiations and it is likely the matter may resolve if the parties are required to deal with the remaining issues at hand.

1.58 The OAIC may advise the parties of the intention to issue a notice compelling their attendance at a conciliation conference where the matter has been unable to be resolved through usual conciliation processes.

1.59 The OAIC may take into account the parties’ circumstances in issuing a notice to compel attendance at a conciliation conference, for example, whether the parties are legally represented, geographic considerations, and constraints on time to ensure the parties are able to comply with the notice to attend.

Use of conciliation information

1.60 Where a complaint cannot be resolved through conciliation and the Commissioner decides to determine the matter under s 52 of the Privacy Act the Commissioner cannot consider any information provided in the course of conciliation in hearings or legal proceedings related to the complaint, unless all the parties consent.

1.61 Generally this will mean that the Commissioner will not consider anything said or done in conciliation in any determination hearing or determination decision. If a party seeks a review, by the AAT or Federal Court, of a decision in a determination the Commissioner cannot refer to information about the conciliation process in those proceedings.

Back to Contents

Deciding not to investigate a complaint

1.62 The OAIC may at any time during the complaint process exercise the discretion not to investigate a complaint or not to investigate a complaint further for a reason provided for in s 41 of the Act. This is commonly referred to as ‘declining a complaint’.

1.63 The OAIC will consider all the information provided by the parties and any other relevant information in deciding whether to decline to investigate or further investigate a complaint.

1.64 The Commissioner or delegate may decide not to investigate or investigate further for a range of reasons provided for by s 41 which include where he or she is satisfied that:

  • the act or practice is not an interference with privacy
  • the complaint was made more than 12 months after the complainant became aware of the act or practice
  • the complaint is frivolous, vexatious, misconceived, lacking in substance or not made in good faith
  • a recognised external dispute resolution scheme has dealt with, or would more effectively deal with, the act or practice , for example, the Telecommunications Industry Ombudsman, Financial Ombudsman Service, Credit & Investments Ombudsman or a state or territory based energy, water or transport related Ombudsman
  • the act or practice is subject to an application, or would be more appropriately dealt with, under another Commonwealth, state or territory law, for example, this might include discrimination law or other court proceedings, or
  • the respondent has dealt with, or is adequately dealing with the complaint, for example, where a deed of release about the same subject matter has previously been entered into.

1.65 A decision to decline a complaint for one of the reasons in s 41 is a discretion exercised by the Commissioner or his delegate and consequently subject to review under the Administrative Decisions (Judicial Review) Act 1977 (Cth). Given this, there is a requirement that a decision to decline a complaint is subject to due care and based on information that can be subject to rigorous review. As such, there are circumstances where the OAIC seeks information from a respondent to assist in that decision making process.

1.66 Where the OAIC is intending to decline a complaint the OAIC will advise the complainant, in writing, of that view and the reasons for it and provide an opportunity for the complainant to provide any further information they think is relevant. The OAIC will consider any additional information before making a final decision on how to proceed with the complaint.

Back to Contents

Referral of matters

1.67 Section 50 of the Privacy Act allows the OAIC to not investigate, or not investigate further, a matter and to transfer it to an ‘alternative complaint body’ where the OAIC forms the opinion that:

  • a complaint (or application where applicable) relating to that matter has been, or could have been, made by the complainant to the alternative complaint body, and
  • the matter could be more conveniently or effectively dealt with by that alternative complaint body.

1.68 The ‘alternative complaint bodies’ to which the OAIC can transfer matters include the Australian Human Rights Commission, the Commonwealth Ombudsman, and an external dispute resolution scheme recognised by the Commissioner under s 35A of the Privacy Act.

Purpose of the OAIC’s complaint referral powers

1.69 Referral of a complaint to an alternative complaint body is likely to arise in very limited cases where the OAIC’s jurisdiction overlaps with that of an alternative complaint body, and the complaint (or application) may be made about the act or practice to either the OAIC or the other body and the referral will ensure that the complaint is dealt with in the most convenient and effective manner.

1.70 The OAIC will generally only use the referral power where:

  • it considers that a complaint or application relating to the matter has been, or could have been made, to an alternative complaint body which provides a better or more effective remedy for the subject matter of the complaint
  • there is no relevant ground on which the OAIC should decline to investigate the complaint, and
  • the complainant does not accept the OAIC’s advice to withdraw their complaint and make a complaint or application to the alternative complaint body.

1.71 Affording an individual the opportunity to first withdraw their complaint and make a complaint or application to the alternative complaint body themselves is intended to allow an individual to, as much as possible, retain responsibility and control over how their matter is dealt with.

Back to Contents

Footnotes

[1] The Privacy Act also covers the Norfolk Island public sector. For information about what agencies and organisations are covered by the Privacy Act see the OAIC’s ‘Who is covered by privacy’ webpage.

[2] For acts that occurred on or after 12 March 2014. For events that occurred prior to 12 March 2014 the relevant principles are, for government agencies, the Information Privacy Principles and, for organisations, the National Privacy Principles.

[3] For acts that occurred on or after 12 March 2014. For events that occurred prior to 12 March 2014 the law as it was at 11 March 2014 applies.

[4] How a complaint is handling under legislation other than the Privacy Act may vary according to any specific handling requirements of that legislation.

[5] A flow chart is available at What happens to your privacy complaint <www.oaic.gov.au/privacy/what-happens-to-your-privacy-complaint>.

[6] For more information about the determination process see Chapter 4.

[7] See the ‘Referral of matters’ section towards the end of this Chapter.

[8] Organisations and agencies may find our resource on ‘Handling privacy complaints’ useful in dealing with privacy complaints.

[9] In addition, complainants are encouraged to use the services of a recognised EDR scheme, of which the respondent is a member, before approaching the OAIC, but this is not mandatory. The Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 stated (on page 4) that (relevant) amendments proposed to the Privacy Act (and now enacted) were intended to recognise and encourage the use of external dispute resolution services.

[10] See definition of systemic privacy issues in the Privacy regulatory action policy (paras 12-13).

[11] Section 42 of the Privacy Act.

[12] For more information about the OAIC’s power to decline a complaint see ‘Declining a complaint’ later in this Chapter.

[13] See Chapter 4 as well in relation to confidential information, in the context of making a determination.

Back to Contents