Complaint handling processes and requirements under the Australia Privacy Act


Most privacy laws are very broad in the sense that they apply to businesses outside of the state or country in which they were enacted, and the Australia Privacy Act 1988 is no exception to the rule. This privacy law applies to Australian organizations with an annual turnover of more than AUD $3,000,000. The law defines “organization” as:

  • An individual, including a sole trader (acting in a commercial capacity);
  • A body corporate;
  • A partnership;
  • Any other unincorporated association; or
  • A trust.

While this privacy law primarily applies to medium and large businesses due to the revenue requirement, it is important to note that there are a few exceptions which would require small businesses to comply as well. The following small businesses with an annual turnover of AUD $3,000,000 need to comply with this privacy law:

  • A private-sector health care provider – an organization that provides a health service and includes:
    • A traditional health care provider (hospital, medical practitioner, or pharmacy);
    • A complementary therapist, such as a naturopath or a chiropractor;
    • A gym or weight loss clinic;
    • A childcare center, a private school, and a tertiary educational institution.
  • A business that sells or purchases personal information;
  • A credit reporting body;
  • A contracted service provider for an Australian Government contract;
  • An employee association registered or recognized under the Fair Work (Registered Organisations) Act 2009;
  • A business that has opted in to the Privacy Act 1988;
  • A business that is related to a business that is covered by this privacy law;
  • A business prescribed by the Privacy Regulation 2013.

In addition, organizations formed outside of Australia may need to comply with this law, regardless of revenue, if they have an Australian link. Your organization has an Australian link if it carries on business in Australia and collects and holds personal information in Australia.

In this article, we will discuss how the Office of the Australian Information Commissioner (OAIC) handles privacy complaints starting from the investigatory phase through the resolution phase of a complaint. Unique to the Australia Privacy Act is the requirement that an organization or agency’s privacy policy must include instructions on how an individual can lodge a complaint against the entity. The OAIC’s website includes a complaint template for individuals to use when contemplating whether to initiate a complaint. 

How does the OAIC handle privacy complaints? 

The Office of the Australian Information Commissioner (OAIC) oversees and investigates all alleged breaches of the Australian Privacy Principles (APPs). A complaint about an act or practice can be made by an individual on their own behalf and on behalf of other individuals with their consent. The Privacy Act also allows for representative complaints, whereby a class of people lodges a complaint, so long as each member of the class is affected by the entity’s misuse of information. Members of the Commissioner’s staff can provide assistance to a person who wants to make a complaint.

First, the Privacy Act stipulates that an individual should send their complaint to the organization or agency that they feel has interfered with their privacy rights. Generally, the individual should give the entity thirty days to deal with the complaint. Because the entity has the responsibility of designing the complaint handling process, its Privacy Policy will outline its response to any complaint and what that response includes. Next, if the individual is not satisfied with the organization’s response to the complaint, the individual can take the complaint to a relevant external dispute resolution (EDR) scheme of which the organization is a member. If an EDR scheme is not an option, or if the individual is not satisfied with the outcome of the EDR process, then the individual may bring their complaint to the Commissioner. An individual may also bring their complaint directly to the Commissioner if the complaint is about a government agency, or if the individual would prefer to complain directly to the regulator from the outset.

Once the OAIC receives a complaint, they may need additional information from the complainant, the organization or agency at issue, or any relevant third party before they can investigate the complaint. If the OAIC determines the complaint addresses something they cannot investigate, they will close the complaint. Individuals are allowed, however, to appeal this decision to the Federal Court of Australia or the Federal Circuit Court. The OAIC may not investigate complaints if:

  • The complaint does not include the complainant’s personal information
  • The complainant has not first complained to the organization or agency, or the organization or agency has not had an opportunity to respond to the complaint
  • An individual is complaining about something they had knowledge of for more than 12 months 
  • The matter is best dealt with under another law, governmental agency, or organization, such as by a recognized EDR scheme, and 
  • The matter involves an organization not covered by the Privacy Act 

The OAIC’s investigatory phase 

Once the OAIC has decided to investigate a complaint, they begin by reaching out to the organization or agency at issue. The Commissioner will provide the entity a copy of the complaint and will also ask for a response from the entity. The OAIC also has discretionary power to disclose the complainant’s personal information to a third party they deem to be relevant during the investigation. If this third party is an overseas entity, the OAIC will discuss possible disclosure with the complainant first. An entity residing outside of Australia could still have obligations under the Privacy Act if the entity has an Australian link. Additionally, the OAIC may disclose information, with consent from the complainant, that relates to the complaint or the investigation it has undertaken to other Australian or international regulators, or to EDR schemes. Throughout the investigatory phase, the OAIC provides updates on the progress of the individual’s complaint. 

Resolution of a complaint 

The complaint should explicitly state the outcome sought. The OAIC then works to mediate an agreement between the complainant and the organization or agency at fault. Legal representation is not required in the complaint handling process or during the determination process. The OAIC’s main focus is to provide a forum where the parties, in good faith, can come to a resolution through conciliation. If no agreement can be reached, the OAIC will decide the outcome. If, however, the OAIC determines the entity has proposed a reasonable outcome, despite the complainant thinking otherwise, the OAIC may dismiss the complaint because they believe the entity has provided an adequate solution. On the other hand, if the OAIC does not believe the entity has adequately dealt with the matter, the Commissioner will make a formal decision stipulating what the entity must do to rectify the issue. If an organization or agency is found to have engaged in a serious, or repeated, interference with an individual’s privacy, the organization or agency can face penalties of up to $1.8 million for corporate bodies and $360,000 for non-corporate bodies.  The complainant has the right to seek judicial review of the OAIC’s decision about a complaint with the Commonwealth Ombudsman. 

If the Australia Privacy Act of 1988 applies to you, your Privacy Policy must include the way in which an individual may complain if you breach the APPs or any registered binding APP code, and how the complaint will be handled. To ensure that your Privacy Policy covers all of the procedures and contact details, use Termageddon’s Privacy Policy generator to get your Privacy Policy today.

About the Author
Skylar Young

I am a third year at UIC John Marshall law school in Chicago. After my first year of law school I spent the summer clerking for Vandenack Weaver LLC in Omaha, NE and during my second year of law school I worked for Chicago Daily Law Bulletin as a content specialist.  I am passionate about privacy and cybersecurity law and serve as the liaison for the Chicago Bar Association's Cyber Law and Data Privacy Committee.
