The Australia Privacy Act of 1988 applies to businesses, including non-profit organizations, with an annual turnover of more than $3 million, some small businesses (including all private health service providers) and most Australian Government agencies. An organization is broadly defined under the Privacy Act. An organization can be:
- An individual, including a sole trader
- A body corporate
- A partnership
- Any other unincorporated association, or
- A trust.
How does the OAIC handle privacy complaints?
The Office of the Australian Information Commissioner (OAIC) oversees and investigates all alleged breaches of the Australian Privacy Principles (APPs). A complaint about an act or practice can be made by an individual on their own behalf and on behalf of other individuals with their consent. The Privacy Act also allows for representative complaints whereby a class of people lodge a complaint so long as each member of the class is affected by the entity’s misuse of information. Members of the staff of the Commissioner can provide assistance to a person who wants to make a complaint.
Once the OAIC receives a complaint, they may need additional information from the complainant, the organization or agency at issue, or any relevant third party before they can investigate the complaint. If the OAIC determines the complaint addresses something they cannot investigate, they will close the complaint. Individuals are allowed, however, to appeal this decision to the Federal Court of Australia or the Federal Circuit Court. The OAIC may not investigate complaints if:
- The complaint does not include the complainant’s personal information
- The complainant has not first complained to the organization or agency, or the organization or agency has not had an opportunity to respond to the complaint
- An individual is complaining about something they have had knowledge of for more than 12 months
- The matter is best dealt with under another law, governmental agency, or organization, such as by a recognized EDR scheme, and
- The matter involves an organization not covered by the Privacy Act
The OAIC’s investigatory phase
Once the OAIC has decided to investigate a complaint, they begin by reaching out to the organization or agency at issue. The Commissioner will provide the entity a copy of the complaint and will also ask for a response from the entity. The OAIC also has discretionary power to disclose the complainant’s personal information to a third party they deem to be relevant during the investigation. If this third party is an overseas entity, the OAIC will discuss possible disclosure with the complainant first. An entity residing outside of Australia could still have obligations under the Privacy Act if the entity has an Australian link. Additionally, the OAIC may disclose information, with consent from the complainant, that relates to the complaint or the investigation it has undertaken to other Australian or international regulators, or to EDR schemes. Throughout the investigatory phase, the OAIC provides updates on the progress of the individual’s complaint.
Resolution of a complaint
The complaint should explicitly state the outcome sought. The OAIC then works to mediate an agreement between the complainant and the organization or agency at fault. Legal representation is not required in the complaint handling process or during the determination process. The OAIC’s main focus is to provide a forum where the parties, in good faith, can come to a resolution through conciliation. If no agreement can be reached, the OAIC will decide the outcome. If, however, the OAIC determines the entity has proposed a reasonable outcome, despite the complainant thinking otherwise, the OAIC may dismiss the complaint because they believe the entity has provided an adequate solution. On the other hand, if the OAIC does not believe the entity has adequately dealt with the matter, the Commissioner will make a formal decision stipulating what the entity must do to rectify the issue. If an APP entity is found to have engaged in a serious, or repeated, interference with an individual’s privacy, the APP entity can face penalties of up to $1.8 million for corporate bodies and $360,000 for non-corporate bodies. The complainant has the right to seek judicial review of the OAIC’s decision about a complaint with the Commonwealth Ombudsman.
I am a third year at UIC John Marshall Law School in Chicago. After my first year of law school I spent the summer clerking for Vandenack Weaver LLC in Omaha, NE, and during my second year of law school I worked for Chicago Daily Law Bulletin as a content specialist. I am passionate about privacy and cybersecurity law and serve as the liaison for the Chicago Bar Association’s Cyber Law and Data Privacy Committee.