
Published:  19 Oct 2023

Purpose

The purpose of this document is to provide EDR schemes with practical guidance on handling privacy-related complaints about a notifiable data breach experienced by a member of the scheme.

An EDR scheme’s handling of the complaints

To effectively manage the high volume of complaints that an EDR scheme may receive in the wake of a data breach, the complaints need to be assessed and progressed consistently. The team handling the complaints should consider whether:

  1. The complaint could be finalised on the basis that the respondent has adequately dealt with or is adequately dealing with the complaint (taking into consideration the EDR scheme's terms of reference, rules/guidelines and its complaints processes).
  2. The complaint could be resolved at an early stage between the parties through written submissions and negotiation or mediation. This can include referring the complaint to the respondent advising it should take steps to resolve the complaint while it awaits allocation within the EDR scheme.
  3. The complaint could be suitable for a conciliation where an experienced conciliator assists the parties to explore options to resolve the matter.

If the Office of the Australian Information Commissioner (OAIC) has commenced a Commissioner initiated investigation (CII) into the data breach, and an EDR scheme holds privacy-related complaints about that data breach which cannot be resolved and on which it is required to make a decision, the EDR scheme can advise the complainants that they may raise a complaint with the OAIC. It is our preference for complainants to lodge privacy complaints with the OAIC via the webform[1] on the OAIC’s website, Lodge a privacy complaint with us.[2] The EDR scheme may give the complainants the information it usually provides when it refers a complainant to an external body.

If required, the OAIC’s Dispute Resolution Branch[3] can work with the EDR scheme in developing communications, to assist the EDR scheme in providing appropriate information to the complainants at the time the EDR scheme advises them to lodge a complaint with the OAIC.

Regular contact with the affected member of an EDR scheme

It is important to maintain regular dialogue with a member of your scheme that has experienced a data breach (the affected member). This allows any issues to be worked through, including ensuring consistent messaging to complainants or consumers about the complaints they have lodged with the EDR scheme about the data breach, and about next steps.

Considerations for the affected member of an EDR scheme

As well as generally following OAIC’s guidance in relation to data breach preparation and response[4], the affected member of the EDR scheme would need to consider and assess whether it needs to notify the affected individuals and the OAIC about the data breach under the Notifiable Data Breaches Scheme[5].

Seeking legal advice

It remains open to the member of your scheme or an EDR scheme to seek independent legal advice regarding any complaints, including representative complaints, it receives. If appropriate and available, the OAIC may share relevant information about its handling of representative complaints with the EDR scheme.

Complaint referrals

Under section 50 of the Privacy Act 1988, the OAIC may transfer privacy complaints to an EDR scheme if the matter falls within the EDR scheme’s terms of reference and the complainant has not yet complained to the relevant EDR scheme. When the Commissioner refers a complaint to an EDR scheme, the Commissioner must have decided not to investigate the matter, or not to investigate the matter further, as the case may be. Please see the Information Sharing Arrangement for referring privacy complaints between the OAIC and external dispute resolution schemes[6] for further information.

Meeting with the OAIC

An EDR scheme is welcome to contact the OAIC’s EDR Schemes Coordinator[7] at edrschemes@oaic.gov.au. An EDR scheme may also request to meet with OAIC representatives to discuss any complaint handling issues arising from data breaches.

Other matters and further information

If the OAIC determines that it has information concerning matters which may be relevant to an EDR scheme receiving complaints about data breaches experienced by a member of that EDR scheme, the OAIC may, subject to certain conditions, share information with that EDR scheme for the purpose of that EDR scheme exercising its powers, or performing its functions.

Please see the following links for further information about:

[1] forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=APC_PC&tmFormVersion

[2] www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us

[3] A request to contact the appropriate staff at the OAIC’s Dispute Resolution Branch can be made via email to edrschemes@oaic.gov.au. The EDR Schemes Coordinator will ask the appropriate staff in the OAIC’s Dispute Resolution Branch to contact the EDR scheme.

[4] www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response

[5] www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme

[6] www.oaic.gov.au/about-the-OAIC/our-corporate-information/memorandums-of-understanding/other-agreements/information-sharing-arrangement-for-referring-privacy-complaints-between-the-oaic-and-external-dispute-resolution-schemes

[7] The OAIC’s EDR Schemes Coordinator can be contacted at edrschemes@oaic.gov.au.

[8] www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme#entities-covered-by-the-ndb-scheme

[9] www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/guide-to-privacy-regulatory-action/chapter-2-commissioner-initiated-investigations-and-referrals

[10] www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/privacy-regulatory-action-policy

[11] www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/guide-to-privacy-regulatory-action

[12] www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions

[13] www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/handling-privacy-complaints