1. What is this notice about?
1.1. On 28 May 2024, the Australian Information Commissioner accepted a representative complaint against Dymocks Pty Limited (Dymocks).
1.2. The representative complaint was lodged by Gordon Legal (on behalf of the representative complainant) against Dymocks under section 36 of the Privacy Act 1988 (Cth) (Privacy Act). The representative complainant alleges that Dymocks has interfered with the privacy of individuals pursuant to s 13(1)(a) of the Privacy Act by breaching Australian Privacy Principle (APP) 11.
1.3. The representative complaint relates to the Dymocks data breach that occurred in September 2023 (the Data Breach). The Data Breach involved the unauthorised access by a third party of customer records containing personal information. Some of this information has been released on the dark web.
1.4. This notice has been published for the information of individuals who might be class members.
2. What is a representative complaint?
2.1. A representative complaint is a complaint brought by an individual, a complainant, on behalf of a group of people (class members) against an entity covered by the Privacy Act, where the complainant and the class members have similar complaints against the same respondent entity whose acts or practices may be an interference with the privacy of those individuals (see Chapter 1: Privacy complaint handling process).
3. Am I a class member?
3.1. You are a class member if you are or have been a customer of Dymocks whose data has been accessed, stolen or compromised by the Data Breach.
3.2. If you are unsure whether you are a class member, you should contact Gordon Legal. This will enable Gordon Legal to provide you with advice as to whether you are a class member. You can register via the Gordon Legal website.
4. What does it mean if I remain a class member?
4.1. The representative complainant does not need to seek the consent of class members to lodge a representative complaint.
4.2. If a representative complaint is investigated by the Australian Information Commissioner, and the Commissioner finds the complaint against Dymocks substantiated, she may make a determination that includes a declaration that class members are entitled to an amount of money in respect of any loss or damage (including injury to a person’s feelings or humiliation) suffered by reason of Dymocks’s acts or practices the subject of the representative complaint.
4.3. If you choose to remain a class member, any determination made by the Australian Information Commissioner, including any declaration that class members are entitled to compensation, will apply to you.
4.4. If you are a class member of a representative complaint you are not entitled to lodge a complaint in your own capacity about the matter which is the subject of the representative complaint (unless you have already lodged an individual privacy complaint – see below).
4.5. If you want to remain a class member you do not need to do anything at the present time. The representative complainant, represented by Gordon Legal, will continue to bring the representative complaint on your behalf, and your complaint will be dealt with as part of the representative complaint process. However, you are invited to register with Gordon Legal so that further information about the representative complaint can be sent to your preferred address.
4.6. Class members can stop being class members by withdrawing from the representative complaint process. If you do not want to remain a class member you can withdraw from the representative complaint process at any time by following the instructions below under “Representative complaint – how to withdraw”.
5. How can I withdraw from the representative complaint?
5.1. If you qualify as a class member and wish to withdraw from the representative complaint, you must do so by following the instructions below under “Representative complaint – how to withdraw”.
5.2. Each individual seeking to withdraw from the representative complaint should complete their own separate form.
5.3. Please note that if you withdraw, any determination made by the Australian Information Commissioner, including any declaration that class members are entitled to compensation, will not apply to you. You will also not be able to rejoin the representative complaint once you withdraw.
6. What do I need to do if I have already lodged an individual privacy complaint?
If you no longer wish to proceed with your individual privacy complaint in light of the representative complaint
6.1. Please notify the OAIC Early Resolution team (early.resolution@oaic.gov.au) that you wish to withdraw your individual privacy complaint. You should include your complaint reference (commencing with CP).
If you wish to proceed with an individual privacy complaint
6.2. If you have already made an individual privacy complaint against Dymocks about the Data Breach and wish to proceed with it on an individual basis despite the representative complaint, what you need to do will depend on the date you made your individual complaint.
6.3. The representative complaint was made on 25 September 2023.
6.4. If you made your individual privacy complaint after 25 September 2023, your individual complaint was not validly made. This is because under s 39 of the Privacy Act, where you are already a class member for the representative complaint you are not entitled to lodge a complaint in respect of the same subject matter. Therefore, if you wish to pursue your individual complaint made after 25 September 2023 you must withdraw from the representative complaint and advise you are lodging an individual complaint by following the instructions below under “Representative complaint – how to withdraw”.
6.5. If you made your individual privacy complaint before 25 September 2023, you do not need to withdraw from the representative complaint in order for your individual complaint to proceed. This is because you were not a class member at the time you lodged your individual complaint. Please be aware that the Australian Information Commissioner or her delegate may decide not to investigate (or further investigate) any individual privacy complaint (or part of your complaint) under s 41(1) of the Privacy Act, in light of the representative complaint. Any such decision would be made in consideration of the individual circumstances raised in your complaint, and the issues common to both your complaint and the representative complaint.
7. What if I want to lodge an individual privacy complaint?
7.1. You cannot make an individual privacy complaint if you are already a class member of the representative complaint. If you wish to lodge an individual privacy complaint against Dymocks in relation to the Data Breach (see Lodge a privacy complaint with us), you must first withdraw from the representative complaint by following the instructions below under “Representative complaint – how to withdraw”.
8. Collection, use and disclosure of your personal information by the OAIC
8.1. We will handle your personal information in accordance with the APPs.
8.2. We will collect your personal information for the purposes of removing you as a class member of the representative complaint, such as your name and contact information.
8.3. We may also collect personal information about you, which is relevant to the representative complaint, indirectly from Dymocks and other third parties relevant to the representative complaint process.
8.4. We will use the information you provide us for the purposes of removing you as a class member of the representative complaint. This may include review of your personal information by contractors engaged to assist us with this matter.
9. Further information
9.1. For further information about how we handle your personal information please see our privacy policy.
9.2. If you have any questions about the personal information we collect and how we will handle your information, please contact the OAIC via the methods set out here: Contact us. Please note that you will not be able to withdraw from the representative complaint using our online enquiry form or over the phone.
9.3. If you have any questions about the representative complaint, we encourage you to contact Gordon Legal. As noted above, you can also register with Gordon Legal for further information and updates.
Dymocks representative complaint - how to withdraw
Please provide the below information to the OAIC via email to representativecomplaints@oaic.gov.au
Name of class member:
Email address:
Individual complaint reference number (starting with CP) if applicable:
The class member named above gives notice that they withdraw from the Dymocks representative complaint.
Please indicate if you also wish for your invalid complaint (lodged after 25 September 2023) to be relodged as a valid complaint.