Complaint handling processes and requirements under the Australia Privacy Act

The Australia Privacy Act of 1988 applies to businesses, including non-profit organizations, with an annual turnover of more than $3 million, some small businesses (including all private health service providers) and most Australian Government agencies. An organization is broadly defined under the Privacy Act. An organization can be: 

  • An individual, including a sole trader
  • A body corporate
  • A partnership
  • Any other unincorporated association, or 
  • A trust. 

In this article, we will discuss how the Office of the Australian Information Commissioner (OAIC) handles privacy complaints starting from the investigatory phase through the resolution phase of a complaint. Unique to the Australia Privacy Act is the requirement that an organization or agency’s privacy policy must include instructions on how an individual can lodge a complaint against the entity. The OAIC’s website includes a complaint template for individuals to use when contemplating whether to initiate a complaint. 

How does the OAIC handle privacy complaints? 

The Office of the Australian Information Commissioner (OAIC) oversees and investigates all alleged breaches of the Australian Privacy Principles (APPs). A complaint about an act or practice can be made by an individual on their own behalf, or on behalf of other individuals with their consent. The Privacy Act also allows for representative complaints, whereby a class of people lodges a complaint, so long as each member of the class is affected by the entity’s misuse of information. Members of the Commissioner’s staff can assist a person who wants to make a complaint.

First, the Privacy Act stipulates that an individual should send their complaint to the organization or agency that they feel has interfered with their privacy rights. Generally, the individual should give the entity thirty days to deal with the complaint. Because the entity is responsible for designing its own complaint handling process, its privacy policy will outline how it responds to a complaint and what that response includes. Next, if the individual is not satisfied with the organization’s response to the complaint, the individual can take the complaint to a relevant external dispute resolution (EDR) scheme of which the organization is a member. If an EDR scheme is not an option, or if the individual is not satisfied with the outcome of the EDR process, then the individual may bring their complaint to the Commissioner. An individual may also bring their complaint directly to the Commissioner if the complaint is about a government agency, or if the individual would prefer to complain directly to the regulator from the outset. 

Once the OAIC receives a complaint, it may need additional information from the complainant, from the organization or agency at issue, or from any relevant third party before it can investigate the complaint. If the OAIC determines that the complaint concerns something it cannot investigate, it will close the complaint. Individuals are allowed, however, to appeal this decision to the Federal Court of Australia or the Federal Circuit Court. The OAIC may not investigate complaints if: 

  • The complaint does not concern the complainant’s own personal information
  • The complainant has not first complained to the organization or agency, or the organization or agency has not had an opportunity to respond to the complaint
  • The complainant is complaining about something they have known about for more than 12 months 
  • The matter is best dealt with under another law, or by another government agency or organization, such as a recognized EDR scheme, and 
  • The matter involves an organization not covered by the Privacy Act 

The OAIC’s investigatory phase 

Once the OAIC has decided to investigate a complaint, it begins by reaching out to the organization or agency at issue. The Commissioner will provide the entity with a copy of the complaint and will also ask the entity for a response. The OAIC also has discretionary power to disclose the complainant’s personal information to a third party it deems relevant during the investigation. If this third party is an overseas entity, the OAIC will discuss the possible disclosure with the complainant first. An entity located outside Australia can still have obligations under the Privacy Act if it has an Australian link. Additionally, with the complainant’s consent, the OAIC may disclose information relating to the complaint or to its investigation to other Australian or international regulators, or to EDR schemes. Throughout the investigatory phase, the OAIC provides updates on the progress of the individual’s complaint. 

Resolution of a complaint 

The complaint should explicitly state the outcome sought. The OAIC then works to mediate an agreement between the complainant and the organization or agency at fault. Legal representation is not required in the complaint handling process or during the determination process. The OAIC’s main focus is to provide a forum where the parties, in good faith, can come to a resolution through conciliation. If no agreement can be reached, the OAIC will decide the outcome. If, however, the OAIC determines that the entity has proposed a reasonable outcome, even though the complainant thinks otherwise, the OAIC may dismiss the complaint on the basis that the entity has provided an adequate solution. On the other hand, if the OAIC does not believe the entity has adequately dealt with the matter, the Commissioner will make a formal decision stipulating what the entity must do to rectify the issue. If an APP entity is found to have engaged in a serious or repeated interference with an individual’s privacy, the APP entity can face penalties of up to $1.8 million for corporate bodies and $360,000 for non-corporate bodies. The complainant has the right to seek judicial review of the OAIC’s decision about a complaint with the Commonwealth Ombudsman.

If the Australia Privacy Act of 1988 applies to you, your Privacy Policy must include the way in which an individual may complain if you breach the APPs or any registered binding APP code, and how the complaint will be handled. To ensure that your privacy policy covers all of the procedures and contact details, as well as informs individuals of the different stages in the complaint handling process, use Termageddon’s Privacy Policy generator to get your Privacy Policy today.