-
On this page
Publication date: January 2023
Legislative framework
1.1 Section 36(1) of the Privacy Act provides for an individual (the complainant) to complain to the Commissioner about an interference with their privacy by certain Australian Government agencies or private sector organisations (the respondent).[1]
1.2 A complaint about an act or practice that may be an interference with privacy can be made by an individual on their own behalf, and on behalf of other individuals with their consent.
1.3 The Privacy Act also provides for representative complaints to be made on behalf of a class of people where all the class members are affected by an interference with privacy (s 38(1)).
1.4 Section 13 of the Privacy Act sets out the acts and practices that may be an interference with the privacy of an individual. These include:
- a breach of an Australian Privacy Principle (APP) or a registered APP privacy code[2]
- a breach of rules under s 17 in relation to tax file number information
- a breach of a provision of Part IIIA or the registered CR code,[3] and
- a breach of prescribed NDB scheme requirements.[4]
1.5 Other legislation can also provide that an act or practice is an interference with privacy and therefore can be investigated by the Commissioner:
- s 73 of the My Health Records Act 2012 (Cth)
- s 29 of the Healthcare Identifiers Act 2010 (Cth)
- s 35L of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
- s 135AB of the National Health Act 1953 (Cth)
- s 173 of the Personal Property Securities Act 2009 (Cth), and
- s 22A of the National Cancer Screening Register Act 2016 (Cth).
1.6 Section 56ET(3) of the Competition and Consumer Act extends the Commissioner’s investigative powers under Part V of the Privacy Act to apply to the handling of CDR data for CDR consumers, which includes individuals and small businesses.[5] This means the Commissioner can investigate an act or practice that may be a breach of a Privacy Safeguard and privacy or confidentiality related CDR Rules under the CDR scheme.
1.7 The Commissioner also has power to investigate complaints made under Part VIIC of the Crimes Act 1914 (Cth) concerning the Commonwealth spent convictions scheme and s 13 of the Data-Matching Program (Assistance and Tax) Act 1990, and exercises some of the functions of the ACT Information Privacy Commissioner under the Information Privacy Act 2014 (ACT).
1.8 Further information on the OAIC's role in investigating breaches of privacy provisions contained in other legislation is available at Related legislation.[6]
1.9 Part V of the Privacy Act outlines the processes by which privacy complaints can be handled. This may include one or more of the following steps — conducting preliminary inquiries, opening an investigation, attempting to conciliate a complaint, and making a determination.
1.10 The Commissioner has a wide range of powers relating to the privacy complaint handling process including to:
- assist a person to formulate and make a complaint (s 36(4))
- make preliminary inquiries of any person (s 42)
- transfer matters to an alternative complaint body in certain circumstances (s 50)
- attempt to conciliate the complaint (s 40A)
- conduct an investigation into the complaint (s 40)
- at any stage, not investigate, or cease to investigate or not investigate further, the complaint on various grounds (generally referred to as a ‘decline’) (ss 41, 49, 49A)
- require a person to give information or documents, or to attend a compulsory conference (ss 44, 45, 46, 47)
- enter premises to inspect documents (s 68)
- accept an enforceable undertaking (s 80V)
- make a determination about the complaint (s 52)
- seek to enforce a determination in a court (s 55A).
1.11 Not all of these powers will be used in resolving any particular complaint. These powers are explained further throughout this Chapter or elsewhere in this Guide.
1.12 To facilitate the complaint handling process the Commissioner delegates complaint handling functions to OAIC staff, including the s 52 power to determine a matter.[7] Throughout the rest of this Chapter we have used ‘the OAIC’ unless the power or function can only be performed by the Commissioner.
1.13 The Commissioner also has an agreement with the ACT Government to handle complaints under the Information Privacy Act 2014 (ACT) about breaches of the Territory Privacy Principles by ACT public sector agencies. The powers in relation to handling those complaints are outlined in the ACT legislation and, in some respects differ from the Privacy Act powers. For more information see Privacy in the ACT.
General approach to handling privacy complaints
1.14 The OAIC provides a free, informal and accessible complaint process. Parties do not require legal representation to participate in the complaint handling process or the determination process. [8] Parties generally bear their own costs in the complaint handling process, including any legal expenses.
1.15 Where appropriate, the OAIC endeavours to resolve complaints through conciliation. Generally, where a complaint is not declined for some reason, or it cannot be resolved through conciliation, the complaint may be determined by the Commissioner under s 52.
1.16 The OAIC has an impartial role so does not advocate for any party in handling a privacy complaint.
1.17 In carrying out the OAIC 's functions to investigate and, if appropriate, to attempt to resolve privacy complaints through conciliation, the OAIC will:
- use a process that is accessible, flexible and timely, and done in accordance with the principles of natural justice and procedural fairness
- focus on providing an opportunity for the parties to resolve complaints through conciliation.
How the OAIC handles privacy complaints
1.18 Complaints must be in writing and must identify the person making the complaint, the respondent and the alleged act or practice that is an interference with privacy. The OAIC cannot accept anonymous complaints.
1.19 Complaints are assessed on receipt. If the complaint does not reach the threshold required because it does not identify an interference with privacy the OAIC will contact the complainant and advise them why their matter cannot be dealt with as a complaint. The OAIC may provide appropriate assistance to the complainant to help formulate the complaint. Where appropriate the OAIC may refer the complainant to another agency or organisation that may be able to assist them.[9]
1.20 Where a matter reaches the required threshold to be a complaint under s 36 the OAIC will consider how best to deal with it. The OAIC may, at any stage of the process, attempt to conciliate the complaint or decline to investigate the complaint based on the information available to the OAIC.
1.21 Generally a complainant must have complained to the respondent[10] and given them a chance to respond to the complaint before the OAIC can investigate (s 40(1A)).[11] In limited circumstances the OAIC may decide to investigate the complaint if it is considered that it is not appropriate for the complainant to first complain to the respondent, for example:
- where there is a significant power differential between the complainant and respondent and the complainant may be disadvantaged in a direct approach to the respondent to resolve the issues in the complaint
- where there is a history of similar issues associated with the respondent
- where the complaint identifies a systemic issue.[12]
1.22 Section 40(1B) of the Privacy Act also provides for additional circumstances in which the OAIC can investigate a complaint without requiring a complainant to first complain to the respondent. This relates to complaints about access to and correction of credit reporting information.
1.23 Where a complaint raises an issue that could be an interference with privacy the OAIC may conduct preliminary inquiries to obtain relevant information of any person to assist with the handling of the complaint.[13] These inquiries may be made, for example, to clarify the allegations in the complaint or to confirm that the OAIC has jurisdiction.
1.24 Where the OAIC is unlikely to open an investigation for a reason provided for by s 41 of the Privacy Act[14] the OAIC will contact the complainant and advise them of our view. The OAIC will generally write to the complainant outlining our reasons for that view and ask if they have any further relevant information that they wish to provide. In these cases the OAIC does not generally advise the respondent of the complaint unless a decision to proceed to investigation is made.
1.25 The Privacy Act obliges the OAIC to make a reasonable attempt to conciliate the complaint where the OAIC is of the view it is reasonably possible that a complaint could be successfully conciliated (s 40A). Conciliation can be attempted at any stage of the complaint handling process.
1.26 When the OAIC has opened an investigation into the complaint, under s 40, the OAIC can compel the production of relevant documents and information or require witnesses to attend and answer questions (s 44), if that will assist the investigation. Where a complaint is not declined or finalised on some other basis, and cannot be resolved through conciliation, and an investigation has been opened, the Commissioner may determine the complaint under s 52 of the Privacy Act.
1.27 A complainant can withdraw a complaint at any time without penalty.
Representative complaints
1.28 The Privacy Act allows for representative complaints to be made where an act or practice may be an interference with the privacy of a number of individuals. Particular conditions apply to a representative complaint and these are outlined in ss 38 to 39 of the Act. A representative complaint does not need to identify the class members by name or specify how many class members there are, however, an individual who is part of a class where a representative complaint has been lodged cannot bring an individual complaint unless they withdraw from the representative complaint.
1.29 Conditions for making a representative complaint include:
- that the class members have a complaint against the same respondent
- the complaints all arise out of the same or similar circumstances, and
- the complaints give rise to a substantial common issue of law or fact.
1.30 A representative complaint must address each of these conditions in the complaint and also identify the remedy or relief sought. A representative complaint may be lodged by a complainant who is a class member or a person or organisation who is not a class member.
1.31 The OAIC may not accept or continue with a representative complaint where the OAIC is not satisfied the complainant can adequately represent the interests of the class members.
Confidentiality
1.32 The OAIC is bound by the APPs when handling complaint related personal information, and manages complaints confidentially. As such, the OAIC does not generally disclose the particulars of a complaint during the complaint handling process to persons other than the parties to a complaint or third parties with information relevant to the inquiry that can assist the inquiry. This is to ensure that parties will participate fully and frankly in the complaint process.
1.33 The Privacy Act does not impose an obligation of confidentiality on the parties to a complaint. However, APP obligations do apply to APP entities and information they obtain during the course of a complaint. If the parties have settled the matter with an agreement that includes a confidentiality clause they may be bound by that agreement.
1.34 In addition, conciliation, where that is occurring, works best in an atmosphere where parties can raise issues in a frank way without fear of the information being disseminated further and the OAIC encourages parties not to disseminate information while involved in the conciliation process.
Investigating privacy complaints
1.35 Where possible the OAIC tries to handle privacy complaints informally and flexibly. In some cases, before commencing an investigation under s 40 of the Privacy Act, the OAIC may conduct preliminary inquiries and obtain information that will assist the OAIC to explain an issue to a complainant that may resolve an issue or lead the complainant to withdraw the complaint on the basis they are satisfied with the explanation that has been provided.
1.36 Where the OAIC has established jurisdiction to investigate it will generally notify a respondent of the complaint under the investigation power (s 40). The respondent will be provided with a copy of the complaint, asked to respond to the specific issues in the complaint and to tell the OAIC whether they are willing to try to resolve the complaint through conciliation.
1.37 In many cases a complaint can be quickly resolved prior to a detailed written response being provided. This occurs in circumstances where a respondent is willing to try to resolve the complaint on the terms the complainant has identified, or is willing to negotiate terms of resolution with the complainant.
1.38 For procedural fairness and transparency, generally any substantive information provided by a party to a complaint will be provided to the other party to facilitate the handling of the complaint. This includes the complaint, the respondent’s response, offers of resolution and other relevant information.
1.39 Generally, the OAIC does not accept confidential submissions. If information that is commercially sensitive or is sensitive for some other reason has to be provided to assist the OAIC with its investigation the OAIC will usually ask that the information be provided in a form that can be provided to the other party.[15]
1.40 At each stage of the complaint process the officer handling the matter will assess the available information and keep the parties advised of the OAIC’s views on the matter. Where an investigation has been commenced the OAIC may decline to continue to investigate a matter, or attempt to conciliate a matter, at any stage during the investigation where that appears to be the appropriate course of action.
1.41 Where the OAIC’s investigation indicates that it is likely that an interference with privacy has occurred and conciliation is not considered appropriate or conciliation has been attempted without resolution, then the OAIC may investigate the matter and will consider what enforcement action to take. The OAIC will review the matter against either the Privacy regulatory action policy or the CDR regulatory action policy or the My Health Records Enforcement Guidelines 2016 as applicable to assess the appropriate enforcement response.
1.42 Generally the appropriate enforcement response for a complaint, where an investigation has been opened, conciliation has not resolved the matter and the complaint has not been declined, will be a determination under s 52. However other enforcement action may also be considered appropriate for example seeking a civil penalty for a serious or repeated interference with privacy.
1.43 Where the OAIC considers that there is a likelihood that it will decide to seek a civil penalty for a serious or repeated interference with privacy, the complaint investigation will be conducted with a view to ensuring that sufficient admissible evidence will be available to allow that case to be pursued in court if necessary. For more information see Chapter 7 on civil penalties.
Conciliating a complaint
1.44 Where the OAIC considers it is reasonably possible a complaint may be conciliated successfully there must be a reasonable attempt to conciliate (s 40A(1)).
1.45 The OAIC is not required to attempt to resolve the complaint through conciliation where the OAIC has decided not to investigate, or not to further investigate, a complaint.
1.46 Factors the OAIC may take into account in assessing whether it is possible to successfully conciliate a complaint may include:
- the approach taken by the parties to conciliation i.e. willingness to discuss conciliation, whether resolution proposals are generally appropriate and proportionate to the nature of the complaint and outcomes generally applicable to privacy complaints
- previous resolution attempts and any outcomes achieved or actions taken by either party regarding the complaint
- the responsiveness of the parties to the OAIC’s attempts to assist the parties to resolve a complaint, and
- the length of time the OAIC and the parties have taken to try to resolve a complaint.
1.47 The OAIC will generally ask the complainant to outline what they are seeking to resolve the complaint and ask the respondent to consider that proposal or propose an alternative basis for resolution.
Types of outcomes in conciliated matters
1.48 Outcomes that may be achieved in privacy complaints may include:
- change in practice, procedure or policy
- access to information
- staff training
- review of privacy policies and procedures
- statement of regret or a private or public apology
- financial compensation.
1.49 Parties will be advised of resources and information to help them develop or respond to a proposal for resolution, for example, determinations by the Commissioner, information about conciliated matters the OAIC has published in annual reports or on its website, and complaint outcomes in similar jurisdictions, for example, New Zealand and New South Wales privacy jurisdictions and the Commonwealth discrimination jurisdiction.
How the OAIC tries to conciliate matters
1.50 The OAIC generally tries to resolve privacy complaints through conciliation by:
- phone and email based shuttle negotiations - where the parties are separately communicated with
- teleconferences involving all parties
- face to face meetings with the parties (where practicable and appropriate).
1.51 In each case the officer handling the matter will contact the parties to discuss the issues in the complaint and the outcome being sought. The officer will try to assist the parties to negotiate a satisfactory resolution to the complaint.
1.52 Where a matter is resolved the parties may enter into a conciliation agreement or deed of release prepared by one of the parties to the complaint or the OAIC. In limited situations the Commissioner may accept an enforceable undertaking from the respondent as part of the resolution of a complaint (for more information see Chapter 4 Enforceable undertakings).
1.53 Sometimes a party to a complaint may be legally represented. To ensure fairness in the process the OAIC may recommend to the parties that they get legal or other professional advice if they are entering into a legal deed or agreement.
1.54 Where conciliation is successful the file will be closed on the basis the matter has been adequately dealt with.
1.55 Where a complaint is not able to be resolved through conciliation the matter will generally move to determination under s 52 or be declined under the powers available in s 41. Although the matter could be finalised under s 40A on the basis there is no reasonable likelihood that the matter will be resolved by conciliation, this discretionary power would only be used in limited circumstances.
Compulsory conciliation conference
1.56 The OAIC can require a complainant or respondent or other relevant party to attend a conciliation conference (s 46). A person who has been directed to attend and fails to attend is guilty of an offence.
1.57 Generally, the OAIC relies on voluntary participation in a conciliation process as resolution generally relies on the understanding that parties are participating in good faith to genuinely resolve the matter.
1.58 In some cases where a matter is not able to be resolved through voluntary participation the OAIC may consider compelling a person to attend a conciliation conference where the OAIC is of the view the matter may be able to be resolved if the parties were to deal directly with each other over the complaint. Factors that may contribute to this view are where:
- the proposals for resolution are appropriate to the interference with privacy raised by the complaint
- a party indicates they are willing to resolve a complaint but are unwilling to commit to a resolution process or outcome
- the parties have been involved in extended negotiations and it is likely the matter may resolve if the parties are required to deal with the remaining issues at hand.
1.59 The OAIC may advise the parties of the intention to issue a notice compelling their attendance at a conciliation conference where the matter has been unable to be resolved through usual conciliation processes.
1.60 The OAIC may take into account the parties’ circumstances in issuing a notice to compel attendance at a conciliation conference, for example, whether the parties are legally represented, geographic considerations, and constraints on time to ensure the parties are able to comply with the notice to attend.
Use of conciliation information
1.61 Anything said or done in the course of conciliation cannot be used in any legal proceedings or in any hearing before the Commissioner (including where the Commissioner decides to determine the matter under s 52 of the Privacy Act), except where the parties otherwise consent. Conciliation information may also be used in circumstances where something was said or done to advance the commission of a fraud or an offence, or renders a person liable to a civil penalty.
1.62 Generally, this will mean that the Commissioner will not consider anything said or done in conciliation in any determination hearing or determination decision. If a party seeks a review, by the AAT or Federal Court, of a decision in a determination the Commissioner cannot refer to information about the conciliation process in those proceedings.
Deciding not to investigate a complaint
1.63 The OAIC may at any time during the complaint process exercise the discretion not to investigate a complaint or not to investigate a complaint further for a reason provided for in s 41 of the Act. This is commonly referred to as ‘declining a complaint’.
1.64 The OAIC will consider all the information provided by the parties and any other relevant information in deciding whether to decline to investigate or further investigate a complaint.
1.65 The Commissioner or delegate may decide not to investigate or investigate further for a range of reasons provided for by s 41 which include where he or she is satisfied that:
- the act or practice is not an interference with privacy
- the complaint was made more than 12 months after the complainant became aware of the act or practice
- ·the complaint is frivolous, vexatious, misconceived, lacking in substance or not made in good faith
- a recognised external dispute resolution scheme has dealt with, or would more effectively deal with, the act or practice, for example, the Telecommunications Industry Ombudsman, Financial Ombudsman Service, Credit & Investments Ombudsman or a state or territory-based energy, water or transport related Ombudsman
- the act or practice is subject to an application, or would be more appropriately dealt with, under another Commonwealth, state or territory law, for example, this might include discrimination law or other court proceedings, or
- the respondent has dealt with, or is adequately dealing with the complaint, for example, where a deed of release about the same subject matter has previously been entered into.
1.66 A decision to decline a complaint for one of the reasons in s 41 is a discretion exercised by the Commissioner or the Commissioner’s delegate and consequently subject to review under the Administrative Decisions (Judicial Review) Act 1977 (Cth). Given this, there is a requirement that a decision to decline a complaint is subject to due care and based on information that can withstand rigorous review.
1.67 Where the OAIC is intending to decline a complaint the OAIC will advise the complainant, in writing, of that view and the reasons for it and provide an opportunity for the complainant to provide any further information they think is relevant. The OAIC will consider any additional information before making a final decision on how to proceed with the complaint.
Referral of matters
1.68 Section 50 of the Privacy Act allows the OAIC to not investigate, or not investigate further, a matter and to transfer it to an ‘alternative complaint body’ where the OAIC forms the opinion that:
- a complaint (or application where applicable) relating to that matter has been, or could have been, made by the complainant to the alternative complaint body, and
- the matter could be more conveniently or effectively dealt with by that alternative complaint body.
1.69 The ‘alternative complaint bodies’ to which the OAIC can transfer matters include the Australian Human Rights Commission, the Commonwealth Ombudsman, and an external dispute resolution scheme recognised by the Commissioner under s 35A of the Privacy Act.
Purpose of the OAIC’s complaint referral powers
1.70 Referral of a complaint to an alternative complaint body can arise where the OAIC’s jurisdiction overlaps with that of an alternative complaint body, and the complaint (or application) may be made about the act or practice to either the OAIC or the other body and the referral will ensure that the complaint is dealt with in the most convenient and effective manner.
1.71 The Commissioner must transfer a complaint to an alternative complaint body where:
- they form the opinion that a complaint or application relating to the matter has been, or could have been made, to an alternative complaint body, and
- the complaint or application could be more conveniently or effectively dealt with by the alternative complaint body, and
- the Commissioner decides not to investigate the matter, or not to investigate the matter further, as the case may be.
1.72 Affording an individual the opportunity to first withdraw their complaint and make a complaint or application to the alternative complaint body themselves is intended to allow an individual to, as much as possible, retain responsibility and control over how their matter is dealt with.
1.73 From 1 July 2020, the OAIC may transfer CDR complaints to the ACCC, or to a recognised EDR scheme, if it considers the matter is best dealt with by such entities. The transfer of complaints to the ACCC is permitted by s 29(2)(aa)(iv) of the Australian Information Commissioner Act 2010, and to EDRs under s 50 of the Privacy Act as outlined above. This is also in line with the ‘no wrong door’ policy of the CDR scheme, whereby if the OAIC or ACCC, as co-regulators of the scheme, receive a matter that is best dealt with by the other, or by an EDR scheme, the matter is transferred across to that body.
Footnotes
[1] The Privacy Act also coversthe Norfolk Islandpublic sector. For information aboutwhat agencies and organisations are covered by the Privacy Act see Rights and responsibilities.
[2] For acts that occurred on or after 12 March 2014. For events that occurred prior to 12 March 2014 the relevant principles are, for government agencies, the Information Privacy Principles and, for organisations, the National Privacy Principles.
[3] For acts that occurred on or after 12 March 2014. Forevents that occurred prior to 12 March 2014 thelaw as it was at 11 March 2014 applies.
[4] Contained in s 26WH(2), s 26WK(2), s 26WL(3), and s 26WR(10).
[5] Note that this only appliesin relation to CDR complaints, and that small businesses cannotmake complaints aboutany other act or practice that may be an interference with privacy as defined in s 13 of the Privacy Act, as individuals can under s 36 of the Privacy Act. “Individual” is defined in s 6 of the Privacy Act to mean a naturalperson.
[6] How a complaint is handledunder legislation otherthan the PrivacyAct may vary according to any specifichandling requirements of that legislation.
[7] The Commissioner can only delegate powers under s 52 of the Privacy Act to Senior Executive Service (SES) staff of the OAIC (permanent or acting) (see s 25(2) of the Australian Information Commissioner Act 2010 (Cth)).
[8] For more information about the determination processsee Chapter 5.
[9] See the ‘Referral of matters’ section towards the end of this Chapter.
[10] Organisations and agenciesmay find our resource Handling privacy complaints useful in dealing with privacy complaints.
[11] In addition, complainants are encouraged to use the services of a recognised EDR scheme, of which the respondent is a member, before approaching the OAIC, but this is not mandatory. The Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 stated (on page 4) that (relevant) amendments proposed to the Privacy Act (and now enacted) were intended to recognise and encourage the use of external dispute resolution services.
[12] See definition of systemic privacy issues in the Privacyregulatory action policy (paras 12–13).
[13] Section 42 of the PrivacyAct.
[14]Formore information about the OAIC’spower to decline acomplaintsee ‘Deciding notto investigate acomplaint’later in this Chapter.
[15] See Chapter 5as well in relationto confidential information, in the context of making a determination.