Published 09 September 2024
Key Messages
The Privacy Act 1988 (Privacy Act) gives the Information Commissioner[1] the discretion to recognise external dispute resolution (EDR) schemes to handle privacy-related complaints. These guidelines outline the conditions that must be met by EDR schemes to be recognised, and to maintain recognition, under the Privacy Act.
Under Part IIIA of the Privacy Act, a credit provider must be a member of or subject to an EDR scheme recognised under the Privacy Act to be able to participate in the credit reporting system.[2]
In relation to designated sectors within the Consumer Data Right (CDR), there may be existing EDR schemes that manage consumer complaints. Where appropriate, these schemes will be recognised by the Minister under s 56DA of the Competition and Consumer Act 2010 (CCA) to handle CDR-related disputes.
In developing these guidelines, the Information Commissioner acknowledges the expertise and experience of existing industry EDR schemes, and the important role these schemes play alongside the Office of the Australian Information Commissioner (OAIC) in handling privacy and CDR complaints.
The Information Commissioner acknowledges that there are existing recognition mechanisms for those schemes. Particularly, the Information Commissioner acknowledges the importance of not unduly burdening schemes if their existing recognition is based on the same requirements for recognition required under the Privacy Act.
Under s 35A of the Privacy Act, the Information Commissioner may recognise an EDR scheme. To be recognised, EDR schemes must demonstrate to the Information Commissioner:
- accessibility,
- independence,
- fairness,
- accountability,
- efficiency and
- effectiveness.
These recognition requirements are based on the Benchmarks for Industry Based Customer Dispute Resolution Schemes.[3] Most existing EDR schemes design their operations in accordance with these benchmarks. However, to be recognised under the Privacy Act, EDR schemes should also meet additional requirements that are specifically related to privacy complaints.
Where existing schemes must meet similar requirements under a separate recognition mechanism, they can use compliance with these to demonstrate their ability to meet the requirements under these guidelines and the Privacy Act.
Part 1: Purpose and objectives of the guidelines
The purpose of these guidelines
1.1 The OAIC developed these guidelines to assist EDR schemes to understand:
- the Information Commissioner’s process for recognising EDR schemes
- how the Information Commissioner assesses matters considered when recognising an EDR scheme
- the conditions that the Information Commissioner may place on a recognised EDR scheme
- requirements for ongoing recognition such as annual reporting, and 5 yearly independent reviews
- how the Information Commissioner may vary or revoke an EDR scheme’s recognition
- the recognition of EDR schemes under the CDR legal framework, and the OAIC's role in this process.
The legislation
1.2 The Privacy Act gives the Information Commissioner the discretion to recognise EDR schemes to handle privacy-related complaints (s 35A of the Privacy Act).[4]
1.3 The Privacy Act also gives the Information Commissioner the discretion to decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made, if the Information Commissioner is satisfied that the act or practice:
- is being dealt with by a recognised EDR scheme (s 41(1)(dc) of the Privacy Act)
- would be more effectively or appropriately dealt with by a recognised EDR scheme (s 41(1)(dd) of the Privacy Act)
- would be more conveniently or effectively dealt with by an EDR scheme (s 50 of the Privacy Act). In these cases, the OAIC will transfer the complaint directly to the appropriate EDR scheme.
1.4 Under s 56DA of the CCA, the Minister designates the responsible EDR scheme for each CDR sector. CDR participants must be a recognised member of the relevant EDR scheme. In the energy sector, energy retailers in jurisdictions without an energy and water ombudsman must take the necessary steps to participate in the dispute resolution process provided by the jurisdiction that is appropriate for CDR consumer complaints.[5]
1.5 The OAIC supports the use of EDR schemes by individuals seeking to have a privacy, credit or CDR-related complaint resolved. Information about how and when the Information Commissioner will decide not to investigate a complaint or otherwise transfer the complaint to a recognised EDR scheme is set out in the OAIC’s Guide to privacy regulatory action.[6] Information is available on the OAIC website about how and when the Information Commissioner will decide not to investigate a CDR complaint.[7]
Complaint-handling for entities under the Privacy Act
Complaint-handling by Australian Privacy Principles entities
1.6 An entity bound by the Australian Privacy Principles[8] (an APP entity) must implement practices, procedures and systems to deal with privacy-related enquiries or complaints from individuals (APP 1.2).
1.7 An individual’s complaint will generally follow a three-stage process:
- the individual first makes a complaint to an APP entity[9]
- if the individual is not satisfied with the outcome offered by the APP entity, the individual may make a complaint to a recognised EDR scheme of which that APP entity is a member
- if an APP entity is not a member of a recognised EDR scheme, or the individual is not satisfied with the outcome of the EDR process, the individual may make a complaint to the Information Commissioner under s 36 of the Privacy Act.
Complaint-handling by credit reporting bodies and credit providers
1.8 The Privacy Act contains more prescriptive requirements for the complaint handling processes of credit reporting bodies and credit providers.
1.9 Like APP entities, credit reporting bodies and credit providers must implement practices, procedures and systems to deal with privacy-related enquiries or complaints from individuals (ss 20B(2) and 21B(2) of the Privacy Act). In addition, Division 5 of Part IIIA of the Privacy Act sets out how credit reporting bodies and credit providers must deal with complaints about credit-related information, including timeframes and notice requirements.
1.10 A credit provider must be a member of, or subject to, a recognised EDR scheme to be able to disclose information to credit reporting bodies.[10]
1.11 For some credit-related complaints, the general complaint-handling process is modified. If an individual requests access to, or correction of, their credit-related information and the request is refused, the individual may make a complaint directly to a recognised EDR scheme of which the credit reporting body or credit provider is a member, or to the Information Commissioner (s 40(1B) of the Privacy Act). The complainant does not need to make a complaint to the credit reporting body or credit provider in the first instance.
Complaint-handling by CDR participants
1.12 CDR participants and CDR representatives must implement internal dispute resolution processes that align with the CDR Rules in line with their sector.
1.13 CDR participants must include information about their internal dispute resolution processes, including opportunities for external review, in their CDR policies.[11]
1.14 The CDR Rules require CDR participants to be members of relevant EDR schemes or otherwise take the necessary steps to participate in the dispute resolution process provided by the jurisdiction in which they operate.[12]
The Privacy Act process for EDR scheme recognition
1.15 The process by which the Information Commissioner exercises their discretion to recognise an EDR scheme is outlined in s 35A of the Privacy Act as follows:
- The Information Commissioner may, by written notice, recognise an EDR scheme for an entity or a class of entities, or for a specified purpose.
- In considering whether to recognise an EDR scheme, the Information Commissioner must take the following matters into account:
  - the accessibility of the EDR scheme
  - the independence of the EDR scheme
  - the fairness of the EDR scheme
  - the accountability of the EDR scheme
  - the efficiency of the EDR scheme
  - the effectiveness of the EDR scheme
  - any other matter the Commissioner considers relevant.
- The Information Commissioner may:
  - specify a period for which the recognition of an EDR scheme is in force
  - make the recognition of an EDR scheme subject to specified conditions, including conditions relating to the conduct of an independent review of the operation of the EDR scheme; and
  - vary or revoke:
    - the recognition of an EDR scheme
    - the period for which the recognition is in force
    - a condition which the recognition is subject to.
1.16 In general, the Information Commissioner will recognise an EDR scheme ‘for a specified purpose’. That is, an EDR scheme will be recognised to deal with a particular type or range of complaints, such as ‘complaints relating to an act or practice that is an interference with the privacy of an individual under ss 13-13F of the Privacy Act’.
1.17 A recognised EDR scheme is not expected to handle complaints outside its scope, or terms of reference (where applicable). The Information Commissioner will consult with an EDR scheme prior to setting the specified purpose for which the scheme is recognised.
1.18 A notice of recognition of the EDR scheme will be recorded on a register of recognised EDR schemes maintained by the OAIC on its website.[13] This notice will include the ‘specified purpose’ for the EDR scheme’s recognition.
The Information Commissioner’s objectives in recognising EDR schemes
1.19 In exercising the discretion to recognise an EDR scheme, the Information Commissioner’s aims are to:
- simplify the resolution of privacy-related complaints for individuals
- ensure credit providers can become members of schemes (a prerequisite for credit providers to disclose credit information to a credit reporting body)
- implement Parliament’s decision to formally create a tiered complaint process for privacy complaints
- increase consistency and best practice in privacy-related complaint-handling across industries
- maximise the use of specialist industry knowledge
- avoid fragmenting an individual’s complaint, which may include privacy and service-delivery aspects, across multiple dispute resolution bodies
- align the requirements for recognition with relevant existing regulatory schemes for EDR recognition as much as possible.[14]
1.20 Recognising EDR schemes under the Privacy Act will benefit:
- Individuals by:
  - providing a free, quick and informal alternative dispute resolution process to resolve their privacy-related complaint
  - simplifying the complaints process where it involves multiple issues, such as complaints about both service-delivery and privacy.
- EDR schemes by:
  - empowering EDR schemes with the ability to offer their members and individuals a dispute resolution process for complaints which include a privacy aspect that is recognised by the Privacy Act
  - developing industry specific privacy compliance knowledge and enhancing privacy practices in the industry.
- APP entities by:
  - facilitating the development of industry standards for complaint handling
  - allowing them to demonstrate their commitment to privacy. APP entities offer customers an additional avenue for privacy-related concerns through EDR schemes, and EDR schemes offer member APP entities support and expertise in privacy-related complaint handling.
1.21 The performance of the Information Commissioner’s functions under the Privacy Act will be enhanced by the recognition of EDR schemes by:
- formally acknowledging and supporting the role that EDR schemes play in resolving privacy complaints
- facilitating consistency in how privacy-related complaints are dealt with across different industries
- decreasing the fragmentation of complaints across multiple dispute resolution bodies when the complaint arises from a single set of facts
- utilising existing specialist knowledge and practices in particular industry sectors to resolve complex, multifaceted disputes.
Consumer Data Right
1.22 The Minister may recognise an EDR scheme or relevant jurisdiction to handle particular CDR related disputes under s 56DA of the CCA.
1.23 The Minister may specify a period for which the recognition of the EDR scheme is in force, and make the recognition of the EDR scheme subject to specified conditions. Before recognising an EDR scheme, the Minister must consider any matters they consider relevant, including the scheme’s:
- accessibility
- independence
- fairness
- accountability
- efficiency
- effectiveness.
1.24 Before recognising an EDR scheme, the Minister must arrange for the Information Commissioner to be consulted.
Part 2: The external dispute resolution scheme benchmarks
2.1 Under s 35A(2)(a) to (g) of the Privacy Act, when considering whether to recognise an EDR scheme, the Information Commissioner must consider the accessibility, independence, fairness, accountability, efficiency and effectiveness of the EDR scheme, and any other matter the Commissioner considers relevant (for the latter see Part 3 of these guidelines).
2.2 The matters that the Information Commissioner must take into account are based on the Benchmarks for Industry based Customer Dispute Resolution (Benchmarks), which set out the underlying principle for each benchmark. The purpose of each benchmark and the key practices that could be used to assess whether an EDR scheme meets the benchmarks are also available in the Key Practices for Industry-based Customer Dispute Resolution.
2.3 Outlined below is some detail about the benchmarks and key practices. Most existing schemes will already be able to demonstrate that they meet these criteria by providing information about their existing recognition process (or their statutory basis where relevant). More information about how existing schemes can practically demonstrate they meet these criteria is outlined in Part 5 of these guidelines.
Accessibility
2.4 An EDR scheme can demonstrate accessibility through, for example:
- actively promoting its services to individuals
- ensuring access to and ease of use of its services
- generally providing its services to individuals free of charge
- training its staff to handle complaints and to explain the functions and powers of the EDR scheme in simple and clear terms
- encouraging informal and alternative methods of dispute resolution
- encouraging parties to only involve legal representatives if special circumstances require this expertise.
Independence
2.5 An EDR scheme must be able to undertake its dispute resolution work independent of those sectors of industry that fall within its jurisdiction and provide it funding. Approaches demonstrating an EDR scheme’s independence from its members may include, for example:
- establishing a governance body to oversee the EDR scheme’s operation
- having a principal decision-maker responsible for deciding complaints and appropriate delegations in place
- ensuring the principal decision-maker and staff of the EDR scheme are not able to be inappropriately influenced by EDR scheme members in relation to the EDR scheme’s decisions or operation
- being resourced appropriately to carry out the EDR scheme’s functions
- consulting widely with relevant stakeholders in developing or changing the EDR scheme’s scope.
Fairness
2.6 An EDR scheme’s procedures should accord procedural fairness and should be transparent to all parties to a complaint. An EDR scheme can achieve fairness through, for example:
- basing decisions on what is fair and reasonable in all the circumstances
- affording procedural fairness to all parties using the EDR scheme
- requiring EDR scheme members to provide all information that they hold, relevant to a complaint, to the EDR scheme
- ensuring the EDR scheme appropriately respects the confidentiality of information provided to it for the purposes of resolving complaints.
Accountability
2.7 Accountability ensures continuing public confidence in the EDR scheme. It also assists EDR scheme members to assess and improve their personal information handling practices. An EDR scheme can publicly account for its operations by, for example, publishing:
- notable decisions
- the EDR scheme’s rules
- an annual report.
2.8 This information should be published in an accessible format.
Efficiency
2.9 An EDR scheme operates efficiently when it, for example:
- deals only with complaints within its scope
- does not handle complaints that have been dealt with, or are being dealt with, by another appropriate dispute resolution forum
- keeps track of complaints
- regularly reviews its performance.
Effectiveness
2.10 An EDR scheme can demonstrate its effectiveness by, for example:
- ensuring the scope of the EDR scheme is clear and sufficient to deal with privacy-related complaints
- ensuring systems are in place to refer complaints about the EDR scheme to an overseeing entity (where applicable)
- having mechanisms in place to bind EDR scheme members to the rules and decisions of the EDR scheme
- having periodic independent reviews of its performance.
Part 3: Privacy and other considerations
3.1 Under s 35A(2)(g) of the Privacy Act, the Information Commissioner must take into account any other matter they consider relevant when deciding whether to recognise an EDR scheme.
3.2 Matters considered relevant for this purpose are related to an EDR scheme’s ability to handle privacy-related complaints and the benefits of recognising EDR schemes that operate under existing regulatory regimes. These include:
- the remedies the EDR scheme can provide for privacy-related complaints
- the EDR scheme’s commitment to privacy
- the impact on credit providers of not recognising a particular EDR scheme.
Remedies
3.3 The Information Commissioner will consider whether the EDR scheme has appropriate powers to provide individuals with sufficient remedies for their privacy-related complaints. The Information Commissioner will consider the extent to which those remedies are consistent with remedies that may be:
- available to the individual if the individual complained to the Information Commissioner rather than the EDR scheme
- awarded if the individual complained to the Information Commissioner rather than the EDR scheme.
3.4 An EDR scheme should be able to provide information to the parties on appropriate remedies to assist them in their attempt to settle their dispute. The EDR scheme should be open and transparent about the types of remedies it can order when deciding how to resolve a complaint.
Remedies in the course of settling a dispute
3.5 The aim of an alternative dispute resolution process, such as conciliation, negotiation or mediation, is to reach a settlement that will resolve the complaint of the individual. In general, a resolution that the parties reach together, rather than having imposed upon them, leads to a greater commitment to the outcome and to a greater likelihood of compliance.
3.6 In resolving the complaint, the parties can reach an arrangement that includes any remedy that is lawful. The facilitator overseeing the alternative dispute resolution process should consider and provide information to parties on the range of remedies that could be pursued.
3.7 Remedies for privacy-related complaints may include one or more of the following:[15]
- an apology to the individual
- being provided with access to information or reducing charges for access
- compensation
- correction or amendment of a record
- extra services or services at reduced costs
- the respondent improving systems or procedures, including security arrangements for personal information
- privacy notices being changed or updated
- staff training for the respondent.
Remedies in the course of making a decision
3.8 An EDR scheme’s decision-maker should have the power to make binding decisions on the respondents. Those powers should include the ability to provide remedies that are generally consistent with the declarations available to the Information Commissioner when they make a determination under s 52 of the Privacy Act.
Review of dispute resolution process
3.9 An EDR scheme may conduct an internal review of the outcome if an individual is not satisfied with the EDR scheme’s alternative dispute resolution process or decision. EDR schemes should conduct internal reviews in line with the EDR scheme’s policies and procedures.
3.10 If an individual is not satisfied with the outcome, including any internal review, an EDR scheme should provide the individual with information about how to make a complaint to the Information Commissioner.
Commitment to privacy
3.11 Some EDR schemes may not be APP entities and so will not be subject to the APPs in the Privacy Act (although state or territory laws for handling personal information may apply). Where an EDR scheme is not bound by the APPs the Information Commissioner will, before recognising the EDR scheme, require them to have a privacy policy explaining:
- how the scheme manages the personal information it collects
- the information flows associated with that information.
3.12 Without limiting the contents of the privacy policy, the policy should include information similar to that required by APP 1.4.[16]
3.13 If there are significant differences between the way the EDR scheme handles personal information and the requirements of the Privacy Act, the EDR scheme should draw this to the Commissioner’s attention and outline those differences.
3.14 An EDR scheme must take such steps as are reasonable in the circumstances to make its privacy policy available free of charge, in an appropriate and readily accessible form.
Impact on credit providers
3.15 A credit provider must be a member of, or subject to, a recognised EDR scheme to be able to disclose credit information to a credit reporting body (s 21D(2)(a)(i) of the Privacy Act). Therefore, the Information Commissioner will consider the impact on credit providers of not recognising a particular EDR scheme. For the credit reporting system to function as intended, at least one EDR scheme that credit providers can join must be recognised.
Avoiding the need for credit providers to join an additional EDR scheme
3.16 Credit providers, as defined in s 6G of the Privacy Act, include entities from a range of industries including banks, utility providers and telecommunication service providers. Many credit providers are already members of EDR schemes. In some instances, other regulatory regimes require credit providers to be a member of an EDR scheme.[17]
3.17 The Information Commissioner is mindful of the burden that would be imposed on credit providers if they were required to join an additional EDR scheme for the purposes of participating in the credit reporting system. The Information Commissioner is also mindful that privacy-related complaints are often part of a wider complaint about the provision of goods or services. If a credit provider was required to join an EDR scheme in relation to privacy-related complaints but was a member of a different EDR scheme in relation to other complaints, there would be the risk of fragmenting the individual’s complaints between two or more EDR schemes. This may make resolving disputes more difficult, impose extra costs on industry, and lead to confusion for individuals making privacy-related complaints. This outcome will be avoided where possible.
Ensuring that all credit providers are eligible to join a recognised EDR scheme
3.18 EDR schemes may limit their membership to certain entities for legitimate reasons. However, if a credit provider is not eligible to join any recognised EDR scheme, or otherwise be subject to a recognised EDR scheme, the credit provider will be unable to participate in the credit reporting system.
3.19 While it is not the responsibility of the Information Commissioner to ensure that a recognised EDR scheme exists for each credit provider to join, the Information Commissioner will take this into account. The Information Commissioner may, for example, conditionally recognise an EDR scheme as outlined in Part 4 of these guidelines.
Part 4: The conditions for continuing recognition
4.1 Under s 35A(3) of the Privacy Act, the Information Commissioner may:
- specify a period for which the recognition of an EDR scheme is in force
- make the recognition of an EDR scheme subject to specified conditions, including requiring an independent review of the operation of the EDR scheme.
4.2 The Information Commissioner will generally recognise EDR schemes on an on-going basis. However, the recognition will be subject to specified conditions with which the EDR scheme must continue to comply for the recognition to remain in force.
Specified period of recognition
4.3 In some circumstances, the Information Commissioner may recognise an EDR scheme for a specified period, and review the EDR scheme’s recognition at the end of that period. These circumstances include when:
- the EDR scheme’s role in the regulatory framework for the industry is changing
- the EDR scheme is at risk of having its recognition revoked under another regulatory regime
- the EDR scheme will cease operating, or cease to handle the types of complaints that the EDR scheme is recognised for.
4.4 The Information Commissioner may also recognise an EDR scheme for a specified period, or subject to additional conditions where the EDR scheme substantially meets the Commissioner’s requirements for recognition, but requires more time to fully implement the necessary changes to meet those requirements. In such circumstances, the Information Commissioner may recognise the EDR scheme in a limited capacity, to minimise the risk of fragmenting the handling of complaints related to the same goods and services that involve both privacy and service delivery related aspects.
Specified conditions of recognition
4.5 The Information Commissioner will make the recognition of all EDR schemes subject to the following specified conditions. The EDR scheme must:
- provide the Information Commissioner with an independent review of the EDR scheme at least once every five years
- report serious or repeated interferences with privacy and systemic issues and data on privacy-related complaints
- comply with other general conditions appropriate for handling privacy-related complaints.
Independent review
4.6 Regular and independent review of an EDR scheme’s performance is a key practice to indicate an EDR scheme’s efficiency and effectiveness, in line with the Benchmarks. The Information Commissioner may make the recognition of an external dispute resolution scheme subject to specified conditions, including the conduct of an independent review of the operation of the EDR scheme (s 35A(3)(b) of the Privacy Act).
4.7 The Information Commissioner requires a recognised EDR scheme to commission an independent review of the EDR scheme’s privacy-related complaint-handling, operations and procedures at least once every five years. This review can be conducted as part of a broader independent review of the EDR scheme.
4.8 The EDR scheme must consult the Information Commissioner about the terms of the review before the review commences.
4.9 The review should be undertaken in consultation with relevant stakeholders (such as the EDR scheme’s members and relevant consumer groups) and should examine:
- the EDR scheme’s ongoing ability to satisfy the matters the Information Commissioner must take into account when recognising an EDR scheme as outlined in Parts 2 and 3 of these guidelines
- the EDR scheme’s ongoing ability to satisfy the conditions of the EDR scheme’s recognition as outlined in Part 4 of these guidelines
- how satisfied individuals and EDR scheme members are with the operation of the scheme
- any other relevant matters, including matters the Commissioner considers relevant following notification by the EDR scheme to the Commissioner of the independent review’s terms of reference.
The EDR scheme should provide the report of the review to the Information Commissioner. The Information Commissioner may publish relevant parts of the report on its website after consultation with the EDR scheme.
Reporting data on privacy-related complaints
4.10 The Information Commissioner considers that systematic monitoring and regular reporting of privacy-related complaints by EDR schemes will improve industry practice and help reduce the risk of privacy-related issues occurring.
4.11 In general, the objectives of requiring EDR schemes to monitor and report privacy-related complaint information are to:
- improve the privacy practices of members of the EDR schemes
- ensure high-risk issues or conduct are identified and addressed in a timely manner
- enable the Information Commissioner to identify potentially systemic issues across a range of sectors
- assist the Information Commissioner to target community and industry awareness programs about appropriate personal information handling practices.
Annual reporting on privacy-related complaints
Download the EDR Scheme Annual Reporting Workbook.
4.12 EDR schemes should provide privacy-related complaint information to the OAIC on an annual basis for inclusion in the OAIC’s Annual Report.[18] The information should be placed in its appropriate context – for example, by explaining why there may have been an increase in privacy-related complaints compared to the previous year.
4.13 Where possible EDR schemes should provide information about:
- the number of privacy-related complaints received in the financial year
- the average time taken to resolve privacy-related complaints in the financial year
- for privacy-related complaints finalised in the financial year, statistical information about:
  - the outcomes (e.g. conciliations, withdrawals)
  - the nature of remedies in conciliation or by decision (e.g. compensation, apology, staff training)
- any systemic privacy-related issues or trends identified in the financial year.
Monitoring and reporting serious or repeated interferences with privacy and systemic issues[19]
4.14 The Information Commissioner requires the EDR scheme to have processes in place to identify serious or repeated interferences with privacy,[21] and systemic privacy issues of the EDR scheme’s members. An EDR scheme should also have processes in place to refer serious or repeated interferences with privacy and systemic privacy issues to relevant EDR scheme members for response and action, or to the industry regulator where applicable and appropriate (e.g. Australian Communications and Media Authority or Australian Securities and Investments Commission).
4.15 Serious or repeated interferences with privacy and systemic privacy issues should be reported to the Information Commissioner when an EDR scheme has confirmed that such events have occurred. See Annexure 1 for more details on reporting serious or repeated interferences with privacy and systemic privacy issues.
4.16 If EDR scheme members do not rectify serious or repeated interferences with privacy or systemic issues within a reasonable period, the Information Commissioner may investigate the act or practice of an entity on the Commissioner’s own initiative under Part V of the Privacy Act. The Commissioner may also choose to investigate the act or practices of an entity under certain circumstances, such as when it is in the public interest to do so.
4.17 Serious or repeated interferences with privacy can attract a civil penalty under s 13G of the Privacy Act. More information in relation to serious or repeated interferences with privacy is available on the OAIC’s website.
Other general conditions
4.18 An EDR scheme’s recognition will also be subject to the following general conditions. An EDR scheme must:
- accept privacy-related complaints referred to the EDR scheme by the Information Commissioner, provided the complaint falls within the EDR scheme’s scope or terms of reference (see paragraph 1.12 of these guidelines)[20]
- advise the Information Commissioner if there is an anticipated change to the EDR scheme that is relevant to its role as a recognised EDR scheme under the Privacy Act. For example, if the EDR scheme will cease operating, cease to be the EDR scheme for a specific industry, or is at risk of having its recognition revoked under another regulatory regime
- advise the Information Commissioner if the EDR scheme anticipates it will no longer be able to satisfy any of the matters in Parts 2, 3 or 4 of these guidelines
- inform the Information Commissioner if there is an anticipated change to the EDR scheme’s ability to deal with privacy-related complaints
- have a process in place for handling privacy-related complaints about EDR scheme members who cease to carry on a business, become insolvent or are liquidated.
Consumer Data Right
4.19 In the CDR scheme, the Minister may specify a period for which the recognition of the EDR scheme is in force. The Minister may also make the recognition of the EDR scheme subject to specified conditions.
4.20 While there are currently no mandated reporting requirements under the CDR for EDR schemes, the OAIC considers that there are important benefits for CDR participants, consumers, and the wider CDR in ensuring that information about CDR-related complaints, including repeated, serious or systemic CDR issues, is reported to the OAIC and the Australian Competition and Consumer Commission (ACCC) on a regular basis.
4.21 As a matter of best practice, the OAIC aligns CDR reporting with the privacy reporting as set out in Part 4 of these Guidelines.
Part 5: The registration process for recognition of an EDR scheme
5.1 An EDR scheme seeking to be recognised should make a written application which includes all relevant documentation. Relevant documentation, for this purpose, will be dependent on whether the EDR scheme is already recognised under another recognition scheme or has a statutory basis for its operation.
5.2 After consultation with the EDR scheme, the Information Commissioner may publish an EDR scheme’s application, and any relevant documentation, on the OAIC website in the interests of transparency of the application process. Any information provided as part of an EDR scheme’s application may be subject to obligations under the Freedom of Information Act 1982.
Schemes already recognised and/or with a statutory basis
5.3 Existing EDR schemes that are already recognised under another recognition scheme, and/or have a statutory basis for their operation, should include in their application:
- a covering letter addressed to the Information Commissioner requesting recognition
- details of previous recognition under another regulatory EDR recognition scheme and any conditions attached to that recognition (this will be met by a copy of any certificate of recognition) and/or the statutory basis for their operation
- documentation that demonstrates adherence with the Benchmarks, or a declaration from the Chief Executive Officer (or equivalent) that the EDR scheme works or will work within these benchmarks
- an outline of how the EDR scheme will implement the additional privacy-related requirements set out in these guidelines
- the relevant parts of the most recent independent review of the EDR scheme (if any)
- if relevant:
- how and why conditions for reporting data on privacy-related complaints should be tailored to the EDR scheme’s membership and complaints profile
- details of communications with members, potential members, consumer representatives and other regulatory bodies regarding the EDR scheme’s application to be recognised by the Information Commissioner and any outstanding issues from those consultations.
Other schemes
5.4 EDR schemes not already recognised under another recognition system or not having a statutory basis should include the following in their application:
- a covering letter addressed to the Information Commissioner requesting recognition
- detailed and specific information about how the EDR scheme satisfies or will satisfy the matters in Parts 2, 3 and 4 of these guidelines
- membership details of the EDR scheme, including any membership conditions
- the articles of association, constitution and terms of reference, where applicable, and details of any proposals to amend these
- the relevant parts of the most recent independent review of the EDR scheme (if any)
- the EDR scheme’s most recent annual report
- a summary of the complaint information the EDR scheme collects
- if relevant:
- information about any other EDR scheme already operating in an industry the new scheme intends to enter, and why a new EDR scheme should enter that industry, including the benefit to individuals
- details of the membership of, and appointment to, an overseeing body
- how and why conditions for reporting data on privacy-related complaints should be tailored to the EDR scheme’s membership and complaints profile
- details of any consultation with members, potential members, consumer representatives and other regulatory bodies about the EDR scheme being recognised by the Commissioner and any outstanding issues from those consultations.
All schemes
5.5 The Information Commissioner may request further documents and information from the EDR scheme during the registration process. The Information Commissioner may also consider information provided by industry, consumer representatives and other interested stakeholders. If the Information Commissioner considers material that was not provided by the EDR scheme, the EDR scheme will have an opportunity to respond.
5.6 The Information Commissioner will provide a written notice of recognition to each recognised EDR scheme. The notice will be a public document available on a register of recognised EDR schemes maintained by the OAIC on its website and will contain details of:
- the entity, class of entities or purpose for which the EDR scheme is recognised
- the period for which recognition of the EDR scheme is in force
- any specified conditions under which the EDR scheme is recognised.
5.7 The EDR scheme should notify its members in writing that it has been recognised.
5.8 For the recognition to remain in force, the EDR scheme must continue to satisfy the matters in Parts 2, 3 and 4 of these guidelines and any additional conditions imposed by the Information Commissioner.
Part 6: Varying and revoking recognition
6.1 Under s 35A(3)(c) of the Privacy Act, the Information Commissioner may vary or revoke:
- the recognition of an EDR scheme
- the period for which the recognition is in force
- a condition to which the recognition is subject.
6.2 Matters that may cause the Information Commissioner to vary or revoke an EDR scheme’s recognition include, but are not limited to:
- if the EDR scheme has not complied with a condition of its recognition, for instance where the EDR scheme:
- has not been independently reviewed within the last five years (see paragraph 4.7 of these guidelines)
- is unable to satisfy the Information Commissioner it meets the matters in Parts 2, 3 and 4 of these guidelines
- persistently fails to provide annual reports to the Information Commissioner and/or to report any serious or repeated interferences with privacy or systemic issues
- fails to notify the Information Commissioner of a change affecting its ability to deal with privacy-related complaints
- an independent review finds the EDR scheme does not meet one or more of the matters in Parts 2, 3 and 4 of these guidelines
- the EDR scheme is no longer adequately funded to handle privacy-related complaints
- conditions previously imposed by the Information Commissioner on the EDR scheme’s recognition are no longer warranted.
The Information Commissioner’s process for varying or revoking recognition
6.3 The Information Commissioner will provide a notice of intention in writing to the recognised EDR scheme outlining the proposed changes to its recognition and providing reasons. The Information Commissioner may also request that the EDR scheme consult its members about the proposed changes.
6.4 The EDR scheme will be given a specified period to respond to the Information Commissioner’s notice and provide any information that it would like the Information Commissioner to consider.
6.5 In addition to the information provided by the EDR scheme, the Information Commissioner may consider information provided by industry, consumer representatives and other interested stakeholders as part of this process. The EDR scheme will be given an opportunity to respond to the information and evidence provided by other stakeholders.
6.6 In considering whether to vary or revoke an EDR scheme’s recognition, the Information Commissioner will consider whether:
- the EDR scheme is able or willing to demonstrate the matters the Information Commissioner must take into account under s 35A(2) of the Privacy Act (see Parts 2 and 3 of these guidelines)
- the EDR scheme is able or willing to comply with conditions imposed on its recognition by the Information Commissioner under s 35A(3) of the Privacy Act (see Part 4 of these guidelines)
- the EDR scheme is able or willing to comply with any other conditions the Information Commissioner considers appropriate
- varying or revoking the EDR scheme’s recognition would have an impact on its members and on individuals who have existing complaints lodged with the EDR scheme.
6.7 An EDR scheme may also write to the Information Commissioner requesting that the terms of its recognition be varied or revoked. The request should give reasons, including details of any consultation the EDR scheme has had with its members, and attach any supporting documentation.
6.8 If the Information Commissioner considers it appropriate to vary or revoke an EDR scheme’s recognition, they will provide a written notice with reasons outlining why the decision was made. The notice will set out the changes to the EDR scheme’s recognition and the date the change takes effect. The EDR scheme will be required to inform its members in writing of the variation or revocation of its recognition.
6.9 The notice and reasons will be made publicly available on the OAIC’s website, and the EDR scheme’s details on the OAIC’s register of recognised EDR schemes will be updated.
Transitional arrangements
6.10 If the Information Commissioner varies or revokes an EDR scheme’s recognition, the EDR scheme may be required to take steps to ensure existing privacy-related complaints it is processing are dealt with appropriately. For example, that individuals with complaints being handled by the EDR scheme are notified of the revocation or variation to the EDR scheme’s recognition and are notified of their right to lodge their complaint with the Information Commissioner or, if relevant, another EDR scheme.
Annexure 1 - Reporting serious or repeated interferences with privacy and systemic privacy issues
1.1 This annexure provides advice to recognised EDR schemes regarding the practices and procedures for reporting serious or repeated interferences with privacy and systemic privacy issues, as required by paragraph 4.15 of the Guidelines.
Systemic privacy issues
1.2 A systemic privacy issue is a privacy issue that may have implications or an effect beyond a particular incident. This may occur where an incident indicates there is an ongoing or underlying problem with practices, procedures or systems that relate to privacy compliance, adherence to those practices, procedures or systems, or with attitudes to privacy compliance.
1.3 A privacy issue may be systemic within a single entity, or more broadly within an industry sector. A systemic privacy issue may be identified from an incident which is brought to an EDR scheme’s attention by a single complaint or multiple complaints of a similar nature against one or several of its members.
Serious or repeated interference with privacy
1.4 Whether an interference with privacy is ‘serious’ is objectively determined by what a reasonable person would consider serious. This means that what is considered a serious interference with privacy may vary over time as technology and community expectations change.
1.5 ‘Repeated interference with privacy’ means that an entity has interfered with the privacy of an individual or individuals on two or more separate occasions. These repeated interferences with privacy could arise from:
- the same act or practice done on two or more occasions
- different acts or practices done on two or more occasions.
Procedure for reporting incidents
1.6 Where an EDR scheme becomes aware of a potential systemic privacy issue or serious or repeated interference with privacy by one of its members, it should notify that member of the issue to confirm:
- whether the systemic privacy issue or serious or repeated interference with privacy has occurred
- the action and response (if any) by the member.
1.7 If an EDR scheme confirms that a serious or repeated interference with privacy or a systemic privacy issue has occurred, the EDR scheme must report it to the OAIC. All such issues can be reported to the OAIC on a quarterly basis, using the reporting template below, via the EDR scheme mailbox (EDRschemes@oaic.gov.au). EDR schemes may report a serious or repeated interference with privacy or a systemic privacy issue more frequently where they consider that it would be appropriate for it to be brought to the OAIC’s attention sooner.
1.8 To the extent possible, an EDR scheme should include the following information in its quarterly report to the OAIC:
- the details of the serious or repeated interference with privacy, or systemic privacy issue
- the identity of the reported EDR member(s)
- the action taken by the reported EDR member(s), and also by the EDR scheme, in response to the serious or repeated interference with privacy, or systemic issue
- any resolution or outcome to the serious or repeated interference with privacy, or systemic privacy issue.
1.9 An EDR scheme should continue to report quarterly on a serious or repeated interference with privacy or systemic privacy issue, while the EDR scheme is still engaging with the EDR scheme member(s) in relation to the issue.
1.10 Upon receipt of a quarterly report from an EDR scheme, the OAIC will provide an acknowledgement email to the EDR scheme. The OAIC will consider whether:
- the OAIC has received any other complaints against, or is otherwise aware of potential breaches by, the reported EDR member(s)
- similar complaints have been made, or similar breaches have occurred, for other entities.
1.11 If necessary, the OAIC may request further information from an EDR scheme about the report. The OAIC will treat any information it receives from EDR schemes as confidential.
1.12 The OAIC will report de-identified, aggregated statistics in its Annual Report on the serious or repeated interferences with privacy, or systemic privacy issues.
Template for reporting repeated, serious or systemic privacy or CDR issues
Field | What to provide |
---|---|
EDR scheme | Name of scheme |
Reported EDR scheme member | Name of reported entity |
Is this issue privacy or CDR related? | Indicate whether the issue is privacy or CDR related, including the relevant Australian Privacy Principles, credit reporting provisions, Privacy Safeguards and CDR Rules that may apply |
Is this a repeated, serious or systemic privacy or CDR issue? | Indicate whether the issue is repeated, serious or systemic |
Details of the serious/repeated or systemic issue | Outline the details of the reported issue |
Number of affected individuals (if known) | If known or available, indicate the number of affected individuals |
Any action taken by the reported EDR member | What actions did the reported entity take in response to the issue? |
Any action taken by the EDR scheme | What actions did the EDR scheme take in response to the issue? |
Any action taken by other external bodies | If applicable, what actions did the external body take in response to the issue? |
Outcome | If applicable, has the issue been resolved, and what was the final outcome or result? |
Other relevant documentation | Attach any relevant documentation, such as correspondence with the member of the EDR scheme and other external bodies about this issue |
1 The Australian Information Commissioner is the head of the Office of the Australian Information Commissioner, an independent statutory agency which has functions in relation to information policy and independent oversight of privacy protection and freedom of information. The Commissioner is supported by two other statutory officers: the Privacy Commissioner and the Freedom of Information Commissioner. More information about the OAIC is available at: www.oaic.gov.au.
2 s 21D(2)(a)(i) of the Privacy Act.
3 The Benchmarks, and the related Key Practices are published here: Benchmarks for Industry-based Customer Dispute Resolution.
4 Note that, unless otherwise indicated, legislative references in these guidelines are to the Privacy Act 1988, including amendments made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
5 CDR Rules, Schedule 4 – Provisions relating to the energy sector 5.2(3)(b).
8 The Australian Privacy Principles (APPs) are defined in s 14 of the Privacy Act as the principles set out in Schedule 1 to the Privacy Act.
9 See s 6 of the Privacy Act ‘definition of an APP entity’.
10 See s 21D(2) of the Privacy Act which outlines that the disclosure of credit information to a credit reporting body is a permitted disclosure if the credit provider is a member of an EDR scheme and the individual involved is over 18 years of age.
11 CDR Rule 7.2(6).
12 In the energy sector, the EDR requirements apply to energy retailers, excluding secondary data holders, such as AEMO, AER and the Victorian agency.
14 These guidelines have been most closely aligned with the Australian Securities and Investments Commission (ASIC)’s regulatory process for the registration and oversight of EDR schemes. For information on that scheme see ASIC’s Regulatory Guides 139 and 271.
16 See ‘Guidelines for Australian Privacy Principle 1 - Open and transparent management of personal information’ for further guidance on what is required for a privacy policy.
17 For example, s 47 of the National Consumer Credit Protection Act 2009 requires credit licensees to be members of an EDR scheme approved by the Australian Securities and Investments Commission.
18 In order to meet the OAIC’s annual report publication deadline EDR schemes will be requested to provide this information by 31 July for the preceding 12 month period ending on 30 June.
19 Systemic privacy issues are issues that are inherent in the overall way an industry operates and have a wider effect than just the immediate parties to a complaint. Systemic privacy issues arise from the overall conduct of entities or the way an industry operates. Systemic privacy issues may be identified by an EDR scheme from a single complaint or from multiple complaints. At other times, systemic privacy issues may only be identifiable once the Commissioner has collected data from a number of EDR schemes.
20 See the OAIC’s ‘Enforcement guidelines’ for further guidance on serious or repeated interferences with privacy.
21 Details of how the Commissioner will refer and transfer complaints to EDR schemes are detailed in the enforcement guidelines issued by the OAIC.