Introduction
1.1 Chapter 1 of the Guide to Regulatory Action sets out general principles and procedures for privacy complaints as set out in Part V of the Privacy Act 1988. Chapter 1 also provides guidance to parties with respect to steps in the complaint process and relevant review rights.
1.2 The OAIC takes a harm-focussed approach to the privacy complaint handling process, which is informed by the Office of the Australian Information Commissioner’s (OAIC) regulatory priorities. [1] We have used ‘the OAIC’ unless the power or function can only be performed by the Commissioner.
What complaints can be made to the Information Commissioner?
1.3 Section 36(1) of the Privacy Act allows an individual (the complainant) to complain to the Commissioner about an act or practice of certain Australian Government agencies or private sector organisations (the respondent) that may be an interference with their privacy. [2]
1.4 An individual can make a complaint or nominate or authorise a representative to make a complaint on their behalf. The Commissioner may require information about the complainant’s identity and/or written authority that the representative will be acting for the complainant for the purpose of the complaint.
1.5 The Privacy Act also allows representative complaints to be made on behalf of a class of people where all the class members are affected by an alleged privacy interference (s 38(1)).
1.6 Section 13 of the Privacy Act sets out the acts and practices that may be an interference with the privacy of an individual. These include:
- a breach of an Australian Privacy Principle (APP) or a registered APP privacy code[3]
- a breach of the rules made under s 17 in relation to tax file number information
- a breach of a provision of Part IIIA or the registered CR code, [4] and
- a breach of prescribed NDB scheme requirements.[5]
1.7 Other legislation can also provide that an act or practice is an interference with privacy and therefore can be investigated by the Commissioner:
- s 73 of the My Health Records Act 2012 (Cth)
- s 29 of the Healthcare Identifiers Act 2010 (Cth)
- s 35L of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
- s 135AB of the National Health Act 1953 (Cth)
- s 38 of the Digital ID Act 2024 (Cth)
- s 173 of the Personal Property Securities Act 2009 (Cth), and
- s 22A of the National Cancer Screening Register Act 2016 (Cth).
1.8 In addition, the Commissioner is empowered to:
- investigate an act or practice that may be a breach of a Privacy Safeguard or a privacy or confidentiality related Consumer Data Right (CDR) Rule under the CDR scheme (s 56ET(3) of the Competition and Consumer Act 2010 (Cth))
- investigate complaints about the Commonwealth spent conviction scheme under Part VIIC of the Crimes Act 1914 (Cth) and s 13 of the Data-Matching Program (Assistance and Tax) Act 1990.
1.9 Further information is available on the OAIC website about the OAIC's role in investigating breaches of privacy provisions contained in other legislation. [6]
1.10 The OAIC will consider the relevant legislation together with the OAIC’s regulatory priorities when deciding how a complaint will be addressed. This might involve seeking to resolve the complaint between the parties (including by conciliation), making preliminary inquiries, or conducting an investigation. The OAIC may decide not to investigate or further investigate a complaint at any stage of the complaint process.
1.11 The OAIC will communicate with the parties to a complaint about the applicable processes and decisions.
Representative complaints
1.12 The Privacy Act allows for representative complaints to be made where an act or practice may be an interference with the privacy of a number of individuals. Particular conditions apply to a representative complaint, which are outlined in ss 38 and 39 of the Privacy Act. A representative complaint does not need to identify the class members by name or specify the number of class members. However, an individual who is part of a class where a representative complaint has been made cannot bring an individual complaint unless they withdraw from the representative complaint.
1.13 Conditions for making a representative complaint include:
- that the class members have a complaint against the same respondent
- the complaints all arise out of the same or similar circumstances, and
- the complaints give rise to a substantial common issue of law or fact.
1.14 A representative complaint must address each of these conditions in the complaint and also identify the remedy or relief sought. A representative complaint may be lodged by a complainant who is a class member or a person or organisation who is not a class member.
1.15 The OAIC may not accept or continue with a representative complaint where the OAIC is not satisfied the complainant can adequately represent the interests of the class members.
The OAIC’s complaint-handling powers
1.16 To facilitate the complaint handling process, the Commissioner delegates complaint powers and functions to OAIC staff, including the power to make a determination following an investigation. [7]
1.17 The OAIC has a wide range of powers relating to the privacy complaint handling process. Those powers are largely contained in Part V of the Privacy Act and include:
- assisting a person to formulate and make a complaint (s 36(4))
- making preliminary inquiries of any person (s 42)
- transferring matters to an alternative complaint body in certain circumstances (s 50)
- attempting to conciliate the complaint (s 40A)
- investigating the complaint (s 40)
- deciding not to investigate, or not to investigate further, the complaint on various grounds (ss 41, 49, 49A)
- requiring a person to give information or documents, or to attend a compulsory conference (ss 44, 45, 46, 47)
- entering premises to inspect documents (s 68)
- accepting an enforceable undertaking (s 80V)
- making a determination about the complaint (s 52)
- seeking to enforce a determination in a court (s 55A).
1.18 Not all of these powers will be used to resolve any particular complaint. These powers are explained further throughout this Chapter or elsewhere in this Guide.
General approach to handling privacy complaints
1.19 The OAIC provides an informal complaint process. Parties do not require legal representation to participate in the process.[8] Parties generally bear their own costs in the complaint handling process, including any legal expenses. Generally parties may not seek to recover these costs, either from the OAIC or the other party.
1.20 Where possible and appropriate, the OAIC seeks to assist the parties to resolve the complaint through early resolution or conciliation. Where a complaint appears to raise a genuine privacy issue and cannot be resolved, the complaint may be investigated. An investigation may lead to the Commissioner or their delegate making a determination. The OAIC may close a complaint at any stage.
1.21 The OAIC has an impartial role in the complaint process and does not advocate for any party.
1.22 In carrying out its complaint handling functions the OAIC will:
- seek to be accessible, flexible and timely
- comply with the principles of procedural fairness.
How the OAIC handles privacy complaints
1.23 Complaints must be made in writing. The complaint must identify the person making the complaint, the respondent and the act or practice that is an alleged interference with privacy. The OAIC cannot accept anonymous complaints. Usually, the OAIC requires a complainant to have complained to the respondent in the first instance.
1.24 Complaints are assessed on receipt. If a matter is not within the OAIC’s jurisdiction or does not meet the requirements of s 36 of the Privacy Act, the OAIC will contact the complainant and advise them why their matter cannot be dealt with as a complaint. The OAIC may provide appropriate assistance to the complainant to help them formulate the complaint. Where appropriate the OAIC may refer the complainant to another agency or organisation that may be able to assist them. [9]
1.25 The OAIC may, at any stage of the process, decide not to investigate or investigate further the complaint based on the information available to the OAIC.
1.26 Generally, a complainant must have complained to the respondent[10] and given them a chance to address the complaint before the OAIC can consider whether or not to investigate the complaint (s 40(1A)). [11] The complainant should do so in accordance with the complaint process detailed in the respondent’s privacy policy. In limited circumstances the OAIC may decide to investigate the complaint if the delegate considers that it is not appropriate for the complainant to first complain to the respondent. This may occur where:
- there is a significant power imbalance between the complainant and respondent and the complainant may be disadvantaged in a direct approach to the respondent to resolve the issues in the complaint
- there is a history of similar issues associated with the respondent
- the complaint raises a systemic issue.[12]
1.27 Section 40(1B) of the Privacy Act also outlines additional circumstances in which the OAIC can open a complaint without requiring a complainant to first complain to the respondent. This relates to complaints about access to and correction of credit reporting information.
1.28 Where a complaint raises an issue that could be an interference with the complainant’s privacy, the OAIC may make preliminary inquiries of any person to obtain relevant information to assist with the handling of the complaint. [13] These inquiries may be made, for example, to clarify the allegations raised by the complainant or to confirm that the OAIC has jurisdiction to handle the complaint.
1.29 Where the OAIC intends to exercise the Commissioner’s discretion under s 41 of the Privacy Act and close a complaint without an investigation or further investigation, [14] the OAIC will generally contact the complainant to advise them of that intention and provide them with the opportunity to respond. The OAIC will carefully consider any response, including any additional information, before making a decision.
1.30 When the OAIC has opened an investigation into the complaint, the OAIC can compel the production of relevant documents and information or require witnesses to attend and answer questions (s 44). Following an investigation, the Commissioner may make a determination under s 52 of the Privacy Act.
1.31 A complainant can withdraw their complaint at any time.
Confidentiality
1.32 The OAIC is bound by the APPs when handling personal information. As such, the OAIC does not generally disclose the particulars of a complaint during the complaint handling process to persons other than the parties to a complaint or third parties with information relevant to the inquiry that can assist the inquiry. This is to ensure that parties participate fully and frankly in the complaint process.
1.33 The Privacy Act does not impose an obligation of confidentiality on the parties to a complaint. However, APP obligations do apply to APP entities and information they obtain during the course of a complaint. If the parties have settled the matter with an agreement that includes a confidentiality clause they may be bound by that agreement.
1.34 In addition, conciliations are conducted on the basis that they will be confidential to the extent that the law allows.
Deciding not to investigate a complaint
1.35 The OAIC may, at any time during the complaint handling process, exercise the discretion to decide not to investigate a complaint, or not to investigate a complaint further, for a reason provided for in s 41 of the Act.
1.36 The OAIC will consider all the information provided by the parties and any other relevant information in deciding whether to exercise the discretion not to investigate or further investigate a complaint.
1.37 The OAIC may decide not to investigate or further investigate for a range of reasons outlined in s 41, which include circumstances where:
- the act or practice is not an interference with privacy[15]
- investigation, or further investigation, is not warranted having regard to all of the circumstances including[16]:
  - the nature of the alleged privacy breach
  - the strength of the available evidence
  - whether any harm or loss was suffered by the complainant as a result of the alleged privacy breach
  - the steps taken by the respondent to remedy the alleged breach
  - the practicality and utility of conducting an investigation, and
  - whether an investigation would be an efficient use of the OAIC’s powers and resources
- the complaint was made more than 12 months after the complainant became aware of the act or practice
- the complaint is frivolous, vexatious, misconceived, lacking in substance or not made in good faith
- a recognised external dispute resolution scheme has dealt with, or would more effectively deal with, the act or practice, for example, the Telecommunications Industry Ombudsman, Financial Ombudsman Service, Credit and Investments Ombudsman or a state or territory-based energy, water or transport related Ombudsman
- the act or practice is subject to an application, or would be more appropriately dealt with, under another Commonwealth, state or territory law, for example, this might include discrimination law or other court proceedings, or
- the respondent has dealt with, or is adequately dealing with the complaint, for example, where a deed of release about the same subject matter has previously been entered into.
1.38 Where the OAIC is intending to exercise the discretion to decide not to investigate or further investigate a complaint, the OAIC may advise the complainant of that view and the reasons for it and provide an opportunity for the complainant to submit any further information they think is relevant. The OAIC will consider any additional information before making a decision.
1.39 A decision not to investigate or further investigate a complaint for one of the reasons in s 41 may be subject to review under the Administrative Decisions (Judicial Review) Act 1977 (Cth).
Referral of complaints
1.40 Section 50 of the Privacy Act allows the OAIC to decide not to investigate, or investigate further, a matter and to transfer it to an ‘alternative complaint body’ where the OAIC forms the opinion that:
- a complaint (or application where applicable) relating to that matter has been, or could have been, made by the complainant to the alternative complaint body, and
- the matter could be more conveniently or effectively dealt with by that alternative complaint body.
1.41 The ‘alternative complaint bodies’ to which the OAIC may transfer matters include the Australian Human Rights Commission, the Commonwealth Ombudsman, and an external dispute resolution (EDR) scheme recognised by the Commissioner under s 35A of the Privacy Act. Alternatively, the OAIC may decline a complaint and recommend the complainant go directly to an alternative complaint body.
The OAIC’s complaint referral powers
1.42 Under s 35A of the Privacy Act, the Commissioner may recognise an EDR scheme to handle particular privacy related complaints. EDR schemes constitute the second tier of a three-tiered complaint process:
- an individual should first make a complaint to a respondent entity (using the complaints process that the respondent has outlined in its privacy policy) and allow the entity a reasonable time to respond
- an individual who is not satisfied with the response or outcome may complain to a recognised EDR scheme of which the entity is a member (if any)
- an individual who is not satisfied with the outcome of the EDR process may complain to the OAIC. The OAIC will consider whether to accept the complaint or to decline to investigate under s 41 of the Privacy Act.
1.43 A complainant who has not first complained to a recognised EDR scheme of which the respondent entity is a member may be advised to do so before the OAIC will accept the complaint. The OAIC will generally decide not to investigate complaints that are being dealt with by a recognised EDR scheme (s 41(1)(dd)). [17]
1.44 The OAIC may also transfer CDR complaints to the ACCC, or to a recognised EDR scheme, if it considers the matter is best dealt with by such entities (Australian Information Commissioner Act s 29(2)(aa)(iv); Privacy Act s 50). This is in line with the CDR scheme’s ‘no wrong door’ policy, whereby if the OAIC or ACCC, as co-regulators of the scheme, receive a matter that is best dealt with by the other, or by an EDR scheme, the matter is transferred across to that body.
1.45 Otherwise, referral of a complaint to an alternative complaint body can arise where the OAIC’s jurisdiction overlaps with that of an alternative complaint body, and the complaint (or application) may be made about the act or practice to either the OAIC or the other body and the referral will ensure that the complaint is dealt with in the most convenient and effective manner.
1.46 In those circumstances, the Commissioner may transfer a complaint to an alternative complaint body where:
- they form the opinion that a complaint or application relating to the matter has been, or could have been made, to an alternative complaint body, and
- the complaint or application could be more conveniently or effectively dealt with by the alternative complaint body, and
- the Commissioner decides not to investigate the matter, or not to investigate the matter further, as the case may be.
1.47 The OAIC can require a complainant or respondent or other relevant party to attend a conference to provide information relevant to a matter (s 46). A person who has been directed to attend and fails to attend is guilty of an offence.
Early resolution and conciliation
1.48 The OAIC will seek to resolve complaints at the earliest opportunity via early resolution.
1.49 If a complaint cannot be resolved through early resolution, the OAIC may offer a confidential conciliation process. However, the OAIC is not required to attempt to resolve the complaint through conciliation where the OAIC has decided not to investigate or further investigate a complaint.
1.50 Factors the OAIC may take into account in assessing whether it is possible to successfully conciliate a complaint may include:
- the approach taken by the parties to conciliation i.e. willingness to discuss conciliation, whether resolution proposals are generally appropriate and proportionate to the nature of the complaint and outcomes generally applicable to privacy complaints
- previous resolution attempts and any outcomes achieved or actions taken by either party regarding the complaint
- the responsiveness of the parties to the OAIC’s attempts to assist the parties to resolve a complaint, and
- the length of time the OAIC and the parties have taken to try to resolve a complaint.
1.51 Conciliations are generally conducted via a teleconference with all the parties.
1.52 Where a conciliation is offered and the matter is resolved, the parties may enter into a conciliation agreement or deed of release prepared by one of the parties to the complaint or the OAIC. This is usually on the basis that the conciliation is confidential and terms are not to be disclosed. Outcomes from a conciliation may include process changes, apologies or the sharing of information.
1.53 Sometimes a party to a complaint may be legally represented. To ensure fairness in the process the OAIC may recommend to the parties that they seek legal or other professional advice if they are entering into a legal deed or agreement.
Use of conciliation information
1.54 Materials exchanged prior to or after a conciliation form part of the Commonwealth record and are subject to FOI legislation.
1.55 Conciliations are confidential and are not transcribed or recorded.
1.56 Anything said or done in the course of conciliation cannot be used in any legal proceedings or in any hearing before the Commissioner (including where the Commissioner decides to determine the matter under s 52 of the Privacy Act), except where the parties otherwise consent. Conciliation information may also be used in circumstances where something was said or done to advance the commission of a fraud or an offence, or renders a person liable to a civil penalty.
1.57 Generally, this will mean that the Commissioner will not consider anything said or done in conciliation in any determination hearing or determination decision. If a party seeks a review, by the Administrative Review Tribunal (ART) or Federal Court, of a decision in a determination the Commissioner cannot refer to information about the conciliation process in those proceedings.
Investigating privacy complaints
1.58 In many cases a complaint can be quickly resolved early in the investigation. This occurs in circumstances where a respondent is willing to try to resolve the complaint with the complainant.
1.59 Generally, before commencing an investigation under s 40 of the Privacy Act, the OAIC conducts preliminary inquiries. In many cases, those inquiries result in information or an explanation that resolves the issue the subject of the complaint. This may lead the complainant to withdraw the complaint because they are satisfied with the information or explanation that has been provided. The OAIC may also decide not to investigate a complaint.
1.60 Where the OAIC investigates a complaint it will generally notify a respondent of the complaint under the investigation power (s 40). The respondent will be provided with a copy of the complaint, asked to respond to the specific issues in the complaint and to tell the OAIC whether they are willing to try to resolve the complaint.
1.61 The OAIC may issue a notice under s 44 of the Privacy Act requiring a person to provide information or produce documents, or to give evidence to the Commissioner in person.
1.62 Where the respondent is an agency, or a contracted service provider for an agency, and s 44 is proposed to be used, the Minister for the agency will need to be notified of the investigation under s 43(7), if they have not already been notified.
1.63 In the interests of fairness and transparency, any substantive information provided by a party to a complaint will generally be provided to the other party where it is appropriate to do so. This may include a copy of the complaint, the respondent’s response to the complaint, any offers of resolution and other relevant information.
1.64 Generally, the OAIC does not accept confidential submissions and any submissions will form part of the Commonwealth record and are subject to the Freedom of Information Act 1982 (Cth). If information that is commercially sensitive or is sensitive for some other reason is to be provided to assist the OAIC with its investigation, the OAIC will ask that the information be provided in a form that can be provided to the other party. If a party wishes to make confidential submissions, it is often good practice to make this clear prior to providing the information to the OAIC.[18]
1.65 At each stage of the complaint process the officer handling the matter will assess the available information and keep the parties informed of the progress of the complaint.
1.66 Where the OAIC’s investigation obtains evidence which indicates that an interference with privacy has occurred, then the OAIC will consider what enforcement action to take. The OAIC will review the matter against either the Privacy regulatory action policy or the CDR regulatory action policy or the My Health Records Enforcement Guidelines 2016 as applicable to assess the appropriate enforcement response.
Determination
1.67 The OAIC may consider that the appropriate enforcement response is for the Commissioner or her delegate to make a determination. Where a complaint is substantiated, the Commissioner can make one or more declarations. For example, the Commissioner may declare that the respondent has interfered with the complainant’s privacy and must take specified steps to ensure that the conduct is not repeated or continued. In some cases, the Commissioner may declare that a complainant is entitled to compensation. This will only occur if a complainant has provided sufficient evidence of loss or damage as a direct result of the privacy breach and will seek to restore the complainant to the position that they would have been in had the privacy breach not occurred. Further information about the determination process is outlined at Chapter 5.
Civil Penalty Proceedings
1.68 In some cases, other enforcement action may also be considered, such as seeking a civil penalty for a serious or repeated interference with privacy. Where the OAIC considers there is a likelihood it will decide to seek a civil penalty for a serious or repeated interference with privacy, the investigation will be conducted with a view to ensuring that sufficient admissible evidence will be available to allow that case to be pursued in court if necessary. For more information see Chapter 7 on civil penalties.
[1] See OAIC regulatory priorities at www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/oaic-regulatory-priorities.
[2] The Privacy Act also covers the Norfolk Island public sector. For information about what agencies and organisations are covered by the Privacy Act see Rights and responsibilities.
[3] For acts that occurred on or after 12 March 2014. For events that occurred prior to 12 March 2014 the relevant principles are, for government agencies, the Information Privacy Principles and, for organisations, the National Privacy Principles.
[4] For acts that occurred on or after 12 March 2014. For events that occurred prior to 12 March 2014 the law as it was at 11 March 2014 applies.
[5] Contained in s 26WH(2), s 26WK(2), s 26WL(3), and s 26WR(10).
[6] See related legislation at https://www.oaic.gov.au/privacy/privacy-legislation/related-legislation.
[7] The Commissioner can only delegate powers under s 52 of the Privacy Act to Senior Executive Service (SES) staff of the OAIC (permanent or acting) (see s 25(2) of the Australian Information Commissioner Act 2010 (Cth)): see Delegation of privacy powers and functions at www.oaic.gov.au/about-the-OAIC/our-corporate-information/operational-information/delegation-of-privacy-powers-and-functions.
[8] For more information about the determination process see Chapter 5.
[9] See the ‘Referral of matters’ section towards the end of this Chapter.
[10] Organisations and agencies may find our resource Handling privacy complaints useful in dealing with privacy complaints.
[11] In addition, complainants are encouraged to use the services of a recognised EDR scheme, of which the respondent is a member, before approaching the OAIC, but this is not mandatory. The Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 stated (on page 4) that (relevant) amendments proposed to the Privacy Act (and now enacted) were intended to recognise and encourage the use of external dispute resolution services.
[12] See definition of systemic privacy issues in the Privacy regulatory action policy (paras 12–13).
[13] Section 42 of the Privacy Act.
[14] For more information about the OAIC’s power to decline a complaint see ‘Deciding not to investigate a complaint’ later in this Chapter.
[15] Liu v Australian Information Commissioner [2024] FCA 1287 (8 November 2024).
[16] Rana v Australian Information Commissioner [2022] FCA 817 (15 July 2022) at [95]; Madzikanda v Australian Information Commissioner [2023] FCA 1445 (24 November 2023) at [58]; Papoutsakis v Australian Information Commissioner [2024] FCA 75 at [40]; Singh v Australian Information Commissioner [2024] FCA 1380 at 53.
[17] Factors the OAIC may consider when deciding whether to exercise its discretion under ss 41(1)(dd) and 50 are detailed at paragraph 45 of the OAIC’s Privacy Regulatory Action Policy.
[18] See Chapter 5 in relation to confidential information in the context of making a determination.