Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Question 8

Is your complaint about:

  • a business or not-for-profit organisation with an annual turnover of more than $3 million; or
  • a private sector health service provider; or
  • a business that deals in personal information for profit; or
  • a credit provider or credit reporting body?

It is likely that the Commissioner is able to investigate your complaint.

If you would like to make a complaint please go to our Making a privacy complaint page.

More information

The types of private sector organisations that are covered by the Privacy Act include:

  • all businesses and not-for-profit organisations with an annual turnover more than $3 million
  • all private sector health service providers. Organisations providing a health service include:
    • traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professional
    • complementary therapists, such as naturopaths and chiropractor
    • gyms and weight loss clinic
    • child care centres, private schools and private tertiary educational institutions.
  • participants in the credit reporting system (such as, credit providers (which includes banks, energy and water utilities and telecommunication providers), credit reporting bodies and certain other third parties)
  • contracted service providers for a Commonwealth contract
  • small business operators that sell or purchase personal information
  • small business operators that have opted-in to the Privacy Act 
  • small business operators that are related to a business covered by the Privacy Act
  • small business operators are an association of employees registered or recognised under the Fair Work (Registered Organisations) Act 2009
  • organisations listed in the Privacy Regulations 2013.

The Commissioner is able to investigate most complaints about these types of organisations.

Particularly acts and practices of some small business operators are also covered by the Privacy Act including:

The Commissioner is able to investigate complaints about these activities.

For more information see Rights and responsibilities.

If your complaint is about credit reporting, please note that the credit reporting provisions in Part IIIA of the Privacy Act only apply to consumer (personal) credit. If you have a complaint about commercial credit, we will look at whether the respondent has met its obligations under the Australian Privacy Principles.

If your complaint is about:

  • your past or current employer and their handling of your employment record; or
  • how a politician or a political party has handled your information; or
  • the journalistic practices of a media organisation

the Commissioner will not be able to investigate. You can find out more information about these exemptions to the Privacy Act at Question 7.

Have you complained to the respondent?

Usually, the Commissioner will not investigate your complaint unless you have already complained to the agency your complaint is about (the respondent). In limited circumstances, the Commissioner may investigate even though you have not complained to the respondent, for example where:

  • you have been unable to contact the respondent after repeated attempts; or
  • the person who would investigate your complaint is the same person you are complaining about.

You should allow the respondent a reasonable time in which to respond to your complaint. The Commissioner usually considers 30 days to be a reasonable time. If you receive no reply and have been unable to chase up a response, you can complain to the Commissioner. If you are not satisfied with the response to your complaint, you can complain to the Commissioner, even if 30 days has not passed. (Section of the Privacy Act to read: 40(1A))

The OAIC may not investigate your complaint if it is reasonable for the respondent to continue trying to resolve your complaint, even after 30 days has passed.

Exceptions

  • The handling of personal information in employee records is not covered by the Privacy Act.
  • Politicians and political parties are not covered by the Privacy Act.
  • Acts of journalism by media organisations are not covered by the Privacy Act.
  • The credit provisions in Part IIIA of the Privacy Act only apply to consumer (personal) credit, not commercial credit.
  • The Privacy Act does not apply to letters or other articles in the course of transmission by post.

Key points

  • Before making a complaint to the Commissioner you should complaint to the respondent.
  • You should allow the respondent a reasonable time (30 days) to respond to your complaint.
  • If you receive no response from the respondent or it has not resolved your privacy complaint you can complain to the Commissioner.

The end

This the end of the Complaint Checker. If you are still unsure about whether or not the Commissioner can investigate your complaint, please contact our Enquiries Line for assistance.

Sorry, it is unlikely that the Commissioner can investigate your complaint, though there are some exceptions (see further information).

If you are unsure of your answer, for example you do not know whether the annual turnover of the respondent organisation is greater than $3 million, please contact our Enquiries Line.

More information

Not all organisations are covered by the Privacy Act.

Generally small business do not have responsibilities under the Privacy Act. However, there are some exceptions. See further information for details.

The end

This the end of the Complaint Checker. If you are still unsure about whether or not the Commissioner can investigate your complaint, please contact our Enquiries Line for assistance.

Further information

The types of private sector organisations that are covered by the Privacy Act include:

  • all businesses and not-for-profit organisations with an annual turnover more than $3 million
  • all private sector health service providers. Organisations providing a health service include:
    • traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professional
    • complementary therapists, such as naturopaths and chiropractor
    • gyms and weight loss clinics
    • child care centres, private schools and private tertiary educational institutions.
  • participants in the credit reporting system such as, credit providers (for example banks, energy and water utilities and telecommunication providers), credit reporting bodies and certain other third parties
  • contracted service providers for a Commonwealth contract (see below)
  • small business operators that sell or purchase personal information (see below)
  • small business operators that have opted-in to the Privacy Act (see below)
  • small business operators that are related to a business that is covered by the Privacy Act (see below)
  • small business operators that are an association of employees registered or recognised under the Fair Work (Registered Organisations) Act 2009
  • organisations that are listed in the Privacy Regulation 2013.

The Commissioner is able to investigate most complaints about these types of organisations.

As well particularly acts and practices of some small business operators are also covered by the Privacy Act including:

The Commissioner is able to investigate complaints about these activities.

For more information see Rights and responsibilities.

If your complaint is about credit reporting, please note that the credit reporting provisions in Part IIIA of the Privacy Act only apply to consumer (personal) credit. If you have a complaint about commercial credit, we will look at whether the respondent has met its obligations under the Australian Privacy Principles.

Businesses that trade in personal information

The Commissioner may be able to investigate your complaint if the respondent trades in personal information even if they are a small business.

Trading in personal information happens when businesses collect or disclose your personal information for a benefit, service or advantage. For example, they buy or sell a list of personal information for income, concessions or some other return. However, the Privacy Act does not apply where the trading happens with your consent or is authorised or required by law (Sections of the Privacy Act to read: 6D(4)(c) & (d) and 6D (7) & (8)).

Contracted service providers or subcontractors to Australian Government contracts

At times Australian Government agencies contract out (outsource) a function that requires a small business contractor to collect and handle personal information on behalf of the agency. However, in these circumstances, only the acts and practices of the business relating to the contract with the government agency are regulated by the Privacy Act (Section of the Privacy Act to read: 6D (4)(e)).

Related organisations

If a smaller business is related to an organisation that carries on a business that is covered by the Privacy Act, the smaller business is required to abide by the Privacy Act due to its relationship with the organisation.

A smaller business is related to an organisation if it is the holding company, subsidiary or subsidiary of a holding company of that organisation.

Please note that in some circumstances businesses appear to be large organisations, but are in fact numerous small businesses that are part of a franchise. In this case, the businesses are not usually related to each other (Section of the Privacy Act to read: 6D (9)).

Businesses that have opted into the Privacy Act

The Privacy Act allows businesses that would not otherwise be regulated by the Privacy Act to choose to be bound by it to show their commitment to privacy. More information about how small businesses can opt to be bound by the Privacy Act and a register of those businesses can be found on our Opt-in-register page (Section of the Privacy Act to read: 6EA).

If your complaint is about:

  • the handling of your employment record by your past or current employer; or
  • how a politician or a political party has handled your information; or
  • the journalistic practices of a media organisation

the Commissioner will not be able to investigate. You can find out more information about these exemptions to the Privacy Act at Question 7.

More information: Rights and responsibilities.

Disclaimer