Handling privacy complaints
This resource will help organisations and agencies covered by the Privacy Act 1988 (Cth) (Privacy Act) address privacy complaints they receive.
Are you covered by the Privacy Act?
Under the Privacy Act, businesses (including non-profit organisations) with an annual turnover of more than $3 million, some small businesses (including all private health service providers) and most Australian Government agencies must comply with the Australian Privacy Principles (APPs).
An alleged breach of the APPs can be investigated by the Australian Information Commissioner (Commissioner).
As well, some other interferences with privacy, for example in relation to the handling of consumer credit reporting information, tax file numbers or spent conviction information, can be investigated by the Commissioner. Some additional organisations (to those covered by the APPs) are subject to these obligations.
More information on whether your organisation or agency is covered by the Privacy Act is available on our Rights and responsibilities webpage.
When is your organisation/agency involved?
The Privacy Act says that an individual who considers that an organisation or agency has interfered with their privacy should make their complaint to that organisation or agency first and allow an adequate opportunity for the complaint to be dealt with by the organisation or agency (generally giving 30 days for a response).
If not satisfied with the response the individual may, if the complaint is about an organisation, take their complaint to a relevant external dispute resolution (EDR) scheme of which the organisation is a member.
The individual may then make their complaint to the Commissioner if an EDR scheme is not an option, if the individual is not satisfied with the outcome of an EDR process, if the individual would prefer to complain directly to the regulator, or if the complaint is about an agency.
How does the OAIC handle privacy complaints?
Where appropriate the Commissioner can make preliminary enquiries into the matter, investigate and/or attempt to resolve the complaint by conciliation.
The Commissioner also has the power to decline to investigate complaints (or not to investigate further) in a number of circumstances, including where:
- it is clear that there has not been an interference with privacy
- the matter has been, or is being, adequately dealt with by the organisation/agency or a recognised EDR scheme, or
- it has been more than 12 months since the complainant became aware of the issue that may be an interference with privacy.
If a complaint is not resolved, or is not finalised on some other basis, the Commissioner may make a determination about whether an interference with privacy has occurred.
For more information, see the OAIC’s Privacy Regulatory Action Policy and the Guide to OAIC Privacy Regulatory Action — Chapter 1: Privacy complaint handling process.
How does your organisation/agency handle privacy complaints?
Consider the following:
- Is it easy to make a privacy complaint to your organisation/agency? For example:
  - Is information about who to contact to make a privacy complaint easy to find?
  - Does your organisation/agency have feedback or complaint forms in print and electronic formats?
  - Are privacy complaints identified and directed to staff with appropriate knowledge of the Privacy Act?
- Consider whether it is possible to resolve a privacy complaint informally by talking to the individual and, if appropriate, providing an explanation and/or apology.
- Are there regular reviews of the issues raised by privacy complaints (including in relation to your complaint handling procedures)?
- Does your organisation/agency have a data breach policy and response plan (one that includes consideration of whether to notify affected individuals and the OAIC of a data breach)? Being prepared to react to data breaches may help mitigate damage to the affected individuals and avoid potential complaints. The OAIC has published a guide to handling personal information security breaches that deals with how to effectively prepare for and respond to data breaches.
Below is a checklist to help your organisation/agency address privacy complaints.
Checklist for addressing privacy complaints
Steps to follow | Completed
1. Is the complaint about the organisation or agency’s handling of an individual’s personal information?
2. Is the personal information involved in the complaint the personal information of the individual making the complaint?
3. Does the complaint involve any of the following?
If the complaint is not one to which the Privacy Act applies or the Commissioner can investigate, consider whether you can deal with the matter under the organisation or agency’s usual complaint handling procedures.
4. Contact the complainant to advise:
Investigating the issues raised
5. Matters to consider:
Communication with the complainant
6. Your response to the complaint
7. Complainant’s reply
If the complainant remains unsatisfied with the outcome, refer the complainant to your EDR scheme (if it deals with privacy issues) or, if you are not a member of an EDR scheme, to the OAIC.
8. Consider any systemic issues raised by the complaint and possible responses, such as:
Make a record of any changes made.
Evaluate the changes within 12 months as well as against any future privacy complaints.
‘Personal information’ is defined as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not’.
If the complaint is from a Member of Parliament on behalf of a constituent or from a lawyer on behalf of a client, it is assumed that the individual has consented for the writer to act on their behalf. In all other circumstances, you should check that the writer has the complainant’s consent to act on their behalf.
‘Sensitive information’ is an important category of personal information. Sensitive information includes information or an opinion about an individual’s health, genetic or biometric information, racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record. The Privacy Act imposes stricter rules about when sensitive information can be collected and how it should be handled. Usually, sensitive information can only be collected with the individual’s consent, and there are tighter restrictions on how this type of information can be used and disclosed.