Protocol for handling privacy complaints

Protocol for handling privacy complaints (PDF, 246kb)

Overview

The NSW Privacy Commissioner receives complaints from members of the public about breaches of privacy, which may be dealt with under the Privacy and Personal Information Protection Act 1998 (“PPIP Act”) or, in certain circumstances, the Health Records and Information Privacy Act 2002 (HRIP Act).

This Protocol describes how the Privacy Commissioner will deal with privacy complaints. This Protocol is intended as a guide only and should not be treated as a substitute for the terms of the PPIP Act.

Making privacy complaints

Complaints may be made to the Privacy Commissioner about an alleged violation of, or interference with, an individual’s privacy.[1]  Such complaints are to be dealt with under Pt.  4, Div.  3 of the PPIP Act .

A privacy complaint must be dealt with under the HRIP Act if it involves an alleged breach by a private sector person[2] of:

a Health Privacy Principle (“HPP”), which apply to health information and are contained in Sch.  1 of the HRIP Act;

Pt. 4 of the HRIP Act, which contains provisions for private sector persons; and/or

a health privacy code of practice.[3]

The process for dealing with complaints against private sector persons under the HRIP Act varies slightly to that under the PPIP Act and is discussed in Pt. 0 of this Protocol.

A complaint is to be made by the person whose privacy has allegedly been interfered with or violated.  The Privacy Commissioner may, however, accept a complaint made on behalf of a third person, for example, by a parent or guardian for a child, a lawyer for a client or a Member of Parliament for a constituent.  However, before dealing with such a complaint, the Privacy Commissioner will usually require the contact details of the person on whose behalf the complaint is made, and evidence to any legal lack of capacity if the consent of the person on whose behalf the complaint is made has not been provided.

Who may deal with the complaint

The Privacy Commissioner may deal with complaints personally.  Any member of the Commissioner’s staff, to whom complaint-handling functions are delegated, may also deal with complaints.[4]

Time for making complaints

A complaint must be made within 6 months from the time the complainant first became aware of the conduct or matter subject of the complaint.[5]

The Privacy Commissioner has discretion to extend the time for making a complaint beyond the 6-month period.[6]  If requested to do so, the Privacy Commissioner will consider whether to grant an extension of time, taking into account all relevant matters.  These might include:

  • the length of the delay;
  • whether the complainant is able to provide a reasonable explanation for the delay (such as ill-health or other reasons relating to incapacity);
  • whether the respondent has suffered any prejudice as a result of the delay; and
  • the merits of the complaint, which would encompass similar considerations as those on which basis the Commissioner may decide not to deal with a complaint.

If the Commissioner decides to grant an extension of time, the complaint is to be dealt with under the PPIP Act or HRIP Act, as applicable.

If the Commissioner decides not to grant an extension of time, no further action will be taken in respect of the complaint.

All complaints to be in written form

The Privacy Commissioner requires complaints under the PPIP Act to be made in writing.[7]  All complaints under the HRIP Act must be in writing.[8]  If a person makes a complaint verbally, he or she should be advised to put it in writing, addressed to the Privacy Commissioner.

Complaints will only be accepted by post, facsimile, or email. However for an e-mail complaint the Commissioner will require some other contact information (such as a valid telephone number).  The reasons for this are, first, to ensure that the complainant has a “real world” identity and, secondly, because emails are an insecure form of communication.  A complaint received by email will not be substantially progressed until some confirmation is provided to verify that the complainant is a real person.

The Privacy Commissioner may also require a complaint to be verified by statutory declaration.[9]

Does Pt.  5 of the PPIP Act apply to the complaint?

The first issue to be determined after receiving a complaint is whether it involves conduct to which Pt.  5 of the PPIP Act applies.  Part 5 deals with a person’s right to seek review of certain conduct: internally by public sector agencies and externally by the Administrative Decisions Tribunal (“Tribunal”).

Part 5 of the PPIP Act applies to the following conduct (or alleged conduct):

  • the contravention by a public sector agency of an Information Protection Principle or a HPP that applies to that agency;[10]
  • the contravention by a public sector agency of a privacy code of practice or a health privacy code of practice that applies to that agency;[11] and
  • the disclosure by a public sector agency of personal information kept in a public register.[12]

If a complaint involves any of the above matters, the Privacy Commissioner must advise the complainant of the review process under Pt.  5 of the PPIP Act and the remedial action available should the complainant decide to apply for internal review under s.  53 of the PPIP Act.[13]

If the conduct complained of is conduct to which Pt.  5 of the PPIP Act applies, a letter should be sent to the complainant advising of the review process and remedies available.  It should also be noted that the Privacy Commissioner does not usually deal with a complaint that is more appropriately dealt with by an application for internal review under s.  53.

Respondent to be advised of complaint

If the Privacy Commissioner deals with a complaint under the PPIP Act or HRIP Act, the complainant should be advised that the principles of fairness will require the respondent to be advised of the complaint’s identity, the nature of and circumstances giving rise to the complaint and any alleged breaches of privacy. 

The respondent will be given an opportunity to respond to the complaint.  Any such response will be taken into account, along with the complainant’s views, by the Privacy Commissioner in dealing with the complaint.

Amending complaints

All complaints may be amended or withdrawn by the individual at any time.[14]  The Privacy Commissioner requires any amendments to a complaint to be made in writing consistent with the provisions of 1.4 of this Protocol.

Privacy complaints under the PPIP Act

All complaints must be dealt with under the PPIP Act unless they are about the conduct of a private sector person, involving an alleged contravention of a HPP, code of practice or Pt.  4 of the HRIP Act.

The Commissioner may deal with a complaint even if it raises a matter that may be subject of internal and external review under Pt.  5 of the PPIP Act.[15]  In effect, therefore, the Commissioner can deal with a complaint even if the complainant would have a right of review by the Tribunal. 

However, as a general practice, the Privacy Commissioner will not deal with a complaint if it would be more appropriate for the complainant to make an internal review application.

Preliminary assessment

When a complaint is received, the Commissioner may decide to conduct a preliminary assessment of the complaint.[16]  The object of such an assessment will be to determine whether the complaint should be deal with.  The Commissioner is not required to conduct a preliminary assessment but may proceed directly to deal with the complaint under ss.  48 or 49 of the PPIP Act

Usually, a preliminary assessment will not be necessary if the application relates to conduct that occurred in the last 6 months and it appears plain that the complaint has merit and warrants further action.  However, a preliminary assessment may be appropriate if the complaint is ambiguous or there is some prospect that it should not be dealt with on one of the grounds in s.  46(3) of the PPIP Act.

Where a preliminary assessment of a complaint is undertaken, a decision will be made whether or not to deal with the complaint.  The Privacy Commissioner can only refuse to deal with the complaint if he or she is satisfied of the matters set out in s. 46(3).  These are discussed below.

Declining to deal with a complaint

The Privacy Commissioner may only decide not to deal with a complaint if he or she is satisfied of any of the following matters, which are in s.  46(3) of the PPIP Act:

1. The complaint is frivolous, vexatious or lacking in substance or is not in good faith.

A complaint may be "frivolous" or "vexatious" where it appears that a complainant is bringing it for some purpose other than a genuine concern about his or her privacy.[17]

A complaint will be "lacking in substance" if the conduct complained of raises no issues relating to the "interference with" or "violation of" the complainant’s "privacy".[18]  The notion of privacy in this context should not be considered as limited to mere compliance or non-compliance with the IPPs, HPPs or applicable codes or practice.  The broader notion of privacy should be borne in mind, which is commonly understood to be:

“The state or condition of being alone, undisturbed, or free from public attention, as a matter of choice or right; seclusion; freedom from interference or intrusion”.

One purpose of the Commissioner’s broad investigative functions is to enable complaints to be dealt with even though they involve no breach of a person’s privacy rights under the principles or codes.

A complaint will not be made in “good faith” if the complainant does not have honest intentions.  A subjective assessment will need to be made as to whether the complainant shows honesty and sincerity in making the complaint

2. The subject-matter of the complaint is trivial.

A subjective assessment should be made as to the seriousness of the conduct in the complaint.

3. The subject-matter of the complaint relates to a matter permitted or required by or under any law.

The subject-matter of the complaint may be conduct that a person or agency is obliged to take.  Examples of this may include disclosing personal information in answering a subpoena issued by a court or tribunal.  Similarly, the respondent may have acted under a discretionary power conferred by the common law or statute.

4. There is available to the complainant an alternative, satisfactory and readily available means of redress.

An alternative, satisfactory, readily available means of redress may exist where the complaint raises issues that are dealt with under privacy legislation of other jurisdictions (eg the Privacy Act 1988 (Cth), which contains privacy principles that apply to private individuals and organisations).

A complaint may also raise an issue that is dealt with under another statute or law, for example, the covert surveillance of employees at their place of work (see the Workplace Surveillance Act 2005).

A decision made on this ground would often be accompanied by a referral under s.  47 of the PPIP Act. In such cases, the Commissioner will, prior to making a decision to refuse to deal with a complaint, advise the complainant of his/her view that another person or body would appear to be in a better position to deal with the complaint.

5. It would be more appropriate for the complainant to make an application under section 53.

All complaints must be initially assessed as to whether it involves conduct to which Pt.  5 of the PPIP Act applies.

If the conduct complained of involves an alleged breach by a public sector agency of one or more of the IPPs, HPPs, codes of practice or disclosure of information on a register, the Commissioner usually takes the view that it would be more appropriate for an internal review application to be made.

This is because a person may seek external review with the Administrative Decisions Tribunal if he or she remains dissatisfied with the outcome of the internal review.  The Tribunal has powers to grant a broader range of relief than can the Commissioner (including making an award of damages of up to $40,000 and orders requiring or restraining the agency from taking certain conduct).

If the Privacy Commissioner decides not to deal with a complaint on any of the above grounds, he or she must advise the complainant of the reasons for that decision.[19]

If a decision is made not to deal with a complaint, a letter should be sent advising the complainant of this decision and reasons for it.

Referrals

The Privacy Commissioner may refer a complaint to a person or body as considered to be appropriate in the circumstances.[20]  Before making such a decision, the Commissioner must:

  • consult with the complainant and the authority to whom a referral is proposed to be made; and
  • take their views into consideration.

After considering the matter, the Commissioner may decide to refer the complaint and, in doing so, may provide to the authority any information obtained in relation to the complaint.[21] 

A decision to refer a complaint would ordinarily be accompanied by a decision not to deal with the complaint.

If the Commissioner decides not to refer the complaint, it may be dealt with under the PPIP Act or, if there are grounds to do so, not dealt with under s. 46(3). 

General power to deal with complaints

Under s.  48(1)(a) of the PPIP Act, the Privacy Commissioner may decide to deal with a complaint.  Although that provision does not specify the manner in which a complaint may be dealt with, the Commissioner is empowered to conduct further inquiries and investigations.[22] 

The Privacy Commissioner may make findings and recommendations on any complaint dealt with under the PPIP Act, which may be subject of a written report. 

In dealing with a complaint, the Privacy Commissioner must attempt to resolve it by conciliation. 

Conciliation

The Privacy Commissioner must endeavour to resolve all complaints dealt with under the PPIP Act by conciliation.[23]  The procedures to be adopted in the conciliation process are to be determined by the Privacy Commissioner, in his or her discretion.[24]

Although the Commissioner is obliged to endeavour to resolve a complaint by conciliation, where both parties do not agree to conciliation, it may be appropriate for the Commissioner to deal with a complaint generally under s.  48(1) or, where there are grounds to do so, decline to deal with the complaint.

Where a complaint is resolved through conciliation, the Privacy Commissioner may make a written report.[25]

1. Informal conciliation

The Privacy Commissioner seeks to informally resolve all complaints to the parties’ mutual satisfaction, through the exchange of written correspondence.  The complainant will be requested to confirm particulars of the complaint and the outcome sought.  The respondent will be given an opportunity to respond. 

Should the parties reach agreement on a mutually satisfactory resolution of the complaint, the Commissioner will take no further action (unless the Commissioner's further involvement is a matter upon which the parties have agreed).

Ordinarily, the Commissioner will allow the parties considerable time and flexibility to arrive at a conciliated agreement.  However, if, in the course of the conciliation process, it appears that there are limited prospects of a conciliated resolution (because, for example, the parties cannot agree on the outstanding issues), the Commissioner can terminate the conciliation.

2. Conciliation proceedings

The Privacy Commissioner has power to issue a notice to a complainant and respondent, requesting them to appear before the Commissioner in conciliation proceedings.[26]  If the respondent is a public sector agency (as defined in s. 3(1) of the PPIP Act), it must comply with the notice issued by the Commissioner.[27]

Complaints may ultimately not be resolved through conciliation proceedings, particularly in the absence of one or both parties’ consent.  This is because the Privacy Commissioner does not have power to grant enforceable remedies to a complainant and, accordingly, conciliation proceedings are based on the mutual cooperation of both parties.

Any conciliation proceedings will be conducted informally, with a view to assisting the parties reach an agreed resolution of the complaint.  Neither the complainant nor the respondent is entitled to be represented by another person, except with leave of the Privacy Commissioner.[28] 

Each party will be requested to bring to the proceedings information relevant to the complaint and seek its resolution in good faith.  Any person appearing for a public sector agency will be required to have authority to resolve the matter.

Inquiries and investigations

The Privacy Commissioner has broad powers to conduct investigations and inquiries.[29] The Privacy Commissioner may determine the procedures to be followed in conducting inquiries and investigations, must act informally, is not bound by the rules of evidence and may gather information in any way considered by the Commissioner to be just.[30] 

In conducting inquiries or investigations, the Commissioner must also act according to the substantial merits of the case, without undue regard to technicalities.[31]

Reports and recommendations 

The Commissioner may make a written report on any findings or recommendations in relation to a complaint dealt with under the PPIP Act.[32]  This includes any recommendations made in the course of conciliation, as well as those made in the course of dealing with the complaint generally under s. 48 of the PPIP Act.

However, the Commissioner is not obliged to make a written report for all complaints dealt with under the PPIP Act.

Complaints against private sector persons under the HRIP Act

Complaints must be dealt with under the HRIP Act where it involves an alleged breach by a private sector person of:

  • an HPP in Sch. 1 of the HRIP Act;
  • Pt. 4 of the HRIP Act; and/or
  • a health privacy code of practice.[33]

Any complaint that does not fall within one of the above categories must be dealt with under the PPIP Act (see Pt. 0 of this Protocol).

Preliminary assessment

When a complaint is received, the Commissioner may conduct a preliminary assessment of the complaint.[34]  The object of such an assessment will be to determine whether the complaint should be dealt with.

Generally, a preliminary assessment will be appropriate if the complaint is ambiguous or there is some prospect that the complaint should not be dealt with under s. 43(2) of the HRIP Act

The Privacy Commissioner is not required to conduct a preliminary assessment but may proceed directly to conduct a s. 44 assessment and, if there is a prima facie case for the complaint dealt with under s. 45(1).

Declining to deal with a complaint

After undertaking a preliminary assessment of a complaint, a decision will be made whether or not to deal with it.  The Privacy Commissioner can only refuse to deal with the complaint if he or she is satisfied of the matters set out in s. 43(2) of the HRIP Act, which are discussed below.

1. The complaint is frivolous, vexatious or lacking in substance or is not in good faith.

The sorts of complaints that can be dealt with under the HRIP Act are significantly more limited than the general matters about which complaints may be made under the PPIP Act

As with those under the PPIP Act, a complaint under the HRIP Act may be "frivolous" or "vexatious" where it appears that a complainant is bringing it for some purpose other than a genuine concern about his or her privacy.[35]

Similarly, a complaint will not be made in “good faith” if the complainant does not have honest intentions.  A subjective assessment will need to be made as to whether the complainant shows honesty and sincerity in making the complaint.

However, a complaint will only be "lacking in substance" only if it raises no issue relating to an alleged breach of an HPP, provision of Pt. 4 of the HRIP Act, or a health privacy code of practice.

2. The subject-matter of the complaint is trivial.

A subjective assessment should be made as to the seriousness of the conduct that is the subject of the complaint.

3. The subject-matter of the complaint relates to a matter permitted or required by or under any law.

The subject-matter of the complaint may be conduct that a person or agency is obliged to take.  Examples of this may include disclosing personal information in answering a subpoena issued by a court or tribunal.  Similarly, the respondent may have acted under a discretionary power conferred either the common law or by statute.

4. There is available to the complainant an alternative, satisfactory and readily available means of redress.

An alternative, satisfactory, readily available means of redress may exist where the complaint raises issues that are dealt with under privacy legislation of other jurisdictions (eg the Privacy Act 1988 (Cth), which contains privacy principles that apply to private individuals and organisations).

5. The matter should be referred to the Health Care Complaints Commission or another person or body under section 65, 66 or 67.

The Commissioner may refer a complaint to the Health Care Complaints Commission, the Commonwealth Privacy Commissioner or to any other person or body the Commissioner considers to be relevant in the circumstances (see para.  0 below).[36] Serious complaints about a health-care practitioner's professional conduct would fall under the Health Care Complaints Act 1993 and should be referred to the Health Care Complaints Commission.

If the Commissioner refers a complaint to the Health Care Complaints Commission or the Commonwealth Privacy Commissioner, the Commissioner is not obliged to consult with the complainant before so doing.  However, if the Commissioner refers the complaint to another person or body, the Commissioner must consult with the complainant.[37]

6. The person has made a complaint about the same subject matter to the Commonwealth Privacy Commissioner, or to an adjudicator under an approved privacy code within the meaning of the Privacy Act 1988 of the Commonwealth, and:

  • the complaint has not been withdrawn, or
  • the Commonwealth Privacy Commissioner has made a determination under section 52 of that Act, or
  • the adjudicator has made a determination under a provision of the approved privacy code that corresponds to section 52 of that Act. 

Upon receiving a complaint against a private sector person under the HRIP Act, the Commissioner may check with the Commonwealth Privacy Commissioner to determine whether he or she has received a complaint and that the complaint has not been withdrawn or subject of a determination under s.  52 of the Privacy Act 1988 (Cth)

Section 44 assessment: is there a prima facie case?

If the Privacy Commissioner is satisfied that a complaint should be dealt with under the HRIP Act, an assessment must be carried out under s.  44.  In conducting this assessment, the Commissioner can make inquiries and investigations.[38]

Unlike a preliminary assessment, the sole focus of a s. 44 assessment is to determine whether there exists a prima facie case for the complaint.  A "prima facie" case should be understood as being "a serious, as opposed to a speculative, case which has a real possibility of ultimate success”.[39] 

That is, the Privacy Commissioner must form a view as to whether there is a real possibility the complainant can make good the complaint.  If it is determined that there exists such a "real possibility”, the Privacy Commissioner will proceed to deal with the complaint.  If there is no "real possibility", the Commissioner must cease dealing with the complaint.[40]

Referrals

The Privacy Commissioner has power to refer complaints about private sector persons.  Any such referral will usually be accompanied by a determination that the complaint has been resolved to the Privacy Commissioner’s satisfaction and no further action will be taken on the complaint[41].

Health Care Complaints Commission (“HCCC”)

The Privacy Commissioner may refer a complaint to the HCCC if the complaint concerns:

  • the professional conduct of a health-service provider; or
  • a health service that affects the clinical management or care of a person who uses or receives a health service (including a patient).[42]

If a complaint is referred to the HCCC, the Privacy Commissioner may provide it with any information obtained in relation to the complaint.

Commonwealth Privacy Commissioner

The Privacy Commissioner may refer a complaint to the Commonwealth Privacy Commissioner if it appears that the complaint should be dealt by him or her.[43]

If a complaint is referred to the Commonwealth Privacy Commissioner, the NSW Privacy Commissioner may provide him or her with any information obtained in relation to the complaint.[44]

Other persons or bodies

The Privacy Commissioner may refer a complaint to other persons or bodies (“relevant authority”), for investigation or other action, as considered to be relevant in the circumstances.[45]  All information obtained by the Commissioner in relation to the complaint may be provided to the relevant authority.[46]

A complaint may only be referred to a person or body, other than the HCCC or Commonwealth Privacy Commissioner, after consultation with the complainant and the relevant authority.

Dealing with complaints

If, after conducting a s.  44 assessment, the Privacy Commissioner is satisfied that there exists a prima facie case for the complaint, he or she may decide to deal with the complaint in one of the following three ways specified in 45(1) of the HRIP Act:

  • by endeavouring to resolve the complaint by conciliation under s.  46;
  • by further investigating the complaint and making a report under s.  47; or
  • by determining that the complaint has been resolved to his or her satisfaction.[47]

In deciding how to deal with the complaint, the Privacy Commissioner must take into account the nature of the complaint, the views of the complainant and the respondent, any action taken by the respondent to address the complaint and whether the complaint raises a matter of public interest.[48] 

No further action

If the Privacy Commissioner determines that the complaint has been resolved to his or her satisfaction, the complainant and respondent are to be advised of this determination and no further action is to be taken on the complaint.[49]

The determination that a complaint has been resolved to the Privacy Commissioner’s satisfaction is a discretionary matter, taking into account any relevant factors, which might include:

  • the nature and circumstances of the complaint, in particular where circumstances have changed since the making of the complaint;
  • the views of the complainant and respondent;
  • whether the agency has taken any action to remedy the conduct complained of (eg an apology has been given or a change made to the respondent’s practices or procedures); or
  • that the matter will be referred to the HCCC, Commonwealth Privacy Commissioner or another person or body.

In making a determination that a complaint has been resolved to the Privacy Commissioner’s satisfaction, it should be borne in mind that the complaint loses any right of inquiry by the Tribunal.[50]

  • If the Commissioner determines that the complaint has been satisfactorily resolved, a letter should be written to the complainant and respondent, advising them of this fact and that no further action will be taken.

Conciliation proceedings

One way in which the Privacy Commissioner may deal with a privacy complaint against a private sector person is to resolve it by conciliation under s.  46 of the HRIP Act.  Unlike the conciliation obligation under the PPIP Act, the Privacy Commissioner’s power to conciliate a complaint is discretionary.[51]

The form of conciliation contemplated by s.  46 of the HRIP Act is the conduct of conciliation proceedings.  The Privacy Commissioner may issue a written notice to the complainant and respondent, requesting them to appear before him or her.[52]  A person or body must not fail to comply with such a notice without reasonable excuse.[53]

Conciliation precludes inquiry by Tribunal

Prior to conducting a conciliation, the Privacy Commissioner should advise the complainant that, if conciliation is attempted and is unsuccessful, he or she will lose the right to have the Tribunal inquire into the complaint.

This is because the Commissioner is not permitted to take any further action after the conclusion of the conciliation proceedings, whether or not the parties reach any agreement as a result of the proceedings.[54]  Therefore, the Commissioner cannot investigate a complaint if conciliation is unsuccessful nor prepare a report under s. 47(1)(b) of the HRIP Act, which is a necessary pre-condition for a Tribunal inquiry into a complaint.[55]

Agreement of the parties to conciliation

The unavailability of a Tribunal inquiry if conciliation proceedings are conducted is a significant risk for complainants.  As a consequence, the Commissioner will ordinarily be reluctant to deal with a complaint in this manner, particularly in the absence of the complainant’s consent.

Nonetheless, if both parties (and, in particular, the complainant) prefer to have the complaint resolved by conciliation and there appears to be good prospects of settling the matter, it may be appropriate for the Commissioner to attempt conciliation.

If a complaint is to be resolved through conciliation proceedings, both parties are to be advised in writing of the following matters:

  • the date, time and venue at which the conciliation proceedings will be held;
  • the time allocated for the proceedings and the person who will preside over the proceedings;
  • that no further action will be taken after the conclusion of the proceedings, even if the parties do not reach agreement;
  • that electing to conciliate a complaint precludes the Privacy Commissioner from investigating and reporting on the matter, which in turn precludes the Tribunal from holding an inquiry into the complaint; and
  • confirming that conciliation proceedings are to be conducted confidentially.

Conduct of conciliation proceedings

As with conciliation conducted under the PPIP Act, the Commissioner will conduct proceedings in an informal manner.  The procedures to be adopted in the conciliation process are to be determined by the Privacy Commissioner, in his or her discretion.[56]  Usually, this would involve the complainant and respondent appearing at the Privacy Commissioner’s office on a specified date.  Neither the complainant nor the respondent is entitled to be represented by another person, except with leave of the Privacy Commissioner.[57] 

Each party will be requested to bring to the proceedings information relevant to the complaint and seek its resolution in good faith.  Any person appearing for the respondent person or body will be required to have authority to resolve the matter.

Both parties will be required to agree to the confidentiality of the conciliation proceedings.  Evidence of anything said or done, during the course of conciliation proceedings is not admissible in subsequent proceedings in the Tribunal in relation to the complaint.[58]  The parties’ involvement in conciliation proceedings before the Privacy Commissioner is therefore without prejudice to the parties’ rights in an inquiry by the Tribunal under Pt.  6, Div.  2 of the HRIP Act.

Conclusion of conciliation proceedings

During the course of conciliation proceedings, the Privacy Commissioner will encourage the parties to come to a mutually acceptable settlement of the complaint.  This might involve a respondent agreeing to take further action to remedy the conduct complained of.  In turn, a complainant may be requested not to take the complaint any further if some form of remedial action is taken.

The Privacy Commissioner will exercise particular caution before determining, (where the parties have not reached agreement), that conciliation proceedings have concluded.  This is because an unsuccessful conciliation will leave a complainant with no further avenues of redress under the HRIP Act

However, if in the course of the proceedings, it appears that there are limited prospects of settlement (because, for example, the parties cannot agree on the issues outstanding), the Commissioner will advise the parties that he or she intends to terminate the proceedings.  Each party will be given an opportunity to express a view as to why the proceedings should not be terminated. 

If, at the conclusion of the time allocated for the proceedings, no agreement has been reached, the conciliation will be terminated.  If this occurs, the Privacy Commissioner cannot take any further action.[59]

Only in exceptional circumstances, and where there is a real prospect of agreement, will the time for conducting the conciliation proceedings be extended.

  • At the conclusion of conciliation proceedings, the Privacy Commissioner will write to both the parties, confirming:

    • the nature of the complaint and the issues arising at the conciliation proceedings;
    • the outcome and agreed settlement of the complaint (if any); and
    • that no further action will be taken on the complaint.

Investigating complaints and reporting on findings

An alternative manner in which the Privacy Commissioner may deal with a complaint, under s.  45(1)(b) of the HRIP Act, is by conducting further investigations and making a report.  In so doing, the Commissioner has the same broad powers to undertake inquiries and investigations under the HRIP Act, as under the PPIP Act.[60] 

The Privacy Commissioner may determine the procedures to be followed in conducting inquiries and investigations, must act informally, is not bound by the rules of evidence and may gather information in any way considered by the Commissioner to be just.[61]   In conducting inquiries or investigations, the Commissioner must also act according to the substantial merits of the case, without undue regard to technicalities.[62]

  • If the Privacy Commissioner decides to further investigate a complaint, the parties should be advised in writing of this decision.

Report on findings and recommendations

Under s.  47(1), the Commissioner may make a written report as to any findings or recommendations in relation to a complaint dealt with by investigation.  A copy of such a report may be given to the complainant, respondent and other persons or bodies as are materially involved in the matters concerning the complaint.[63]

Once a report has been finalised, the complaint has been "dealt with”.  This means that the Commissioner can take no further action in relation to the matter.

Right to apply for Tribunal inquiry

Where the Privacy Commissioner makes a report under s.  47(1), the complainant has a right to apply to the Tribunal for an inquiry into the complaint.[64]  The Privacy Commissioner has a right to appear and be heard in any such proceedings.[65]

The Tribunal makes a fresh inquiry into the complaint and has broad powers to make orders remedying the complaint, including the award of damages.[66]

If a report is to be made under s.  47(1), the Privacy Commissioner will usually provide a copy of it to both the parties and advise them that the complainant will have a right to apply to the Tribunal for a fresh inquiry into the complaint. 

Appendix 1: Complaint Provisions of the PPIP Act

Part 4, Div. 3 of the Privacy and Personal Information Protection Act 1998 provides as follows:

“Division 3 Complaints relating to privacy

45        Making of privacy related complaints

A complaint may be made to (or by) the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual.

The subject-matter of a complaint may relate to conduct to which Part 5 applies (unless it is conduct that is alleged to have occurred before the commencement of that Part).

Note. Section 21 of the Health Records and Information Privacy Act 2002 provides that certain conduct under that Act by public sector agencies is conduct to which Part 5 of this Act applies.

(2A)     A complaint about a matter referred to in section 42 of the Health Records and Information Privacy Act 2002 is not to be dealt with under this Division but is to be dealt with by the Privacy Commissioner as a complaint under Part 6 of that Act.

Note. Section 42 of that Health Records and Information Privacy Act 2002 provides that a complaint may be made to the Privacy Commissioner about the alleged contravention by a private sector person of a Health Privacy Principle, a provision of Part 4 (Provisions for private sector persons) of that Act or a health privacy code of practice.

A complaint may be in writing or verbal, but the Privacy Commissioner may require a verbal complaint to be put in writing.

The Privacy Commissioner may require information about a complaint to be provided by the complainant in a particular manner or form, and may require a complaint to be verified by statutory declaration.

A complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) from the time the complainant first became aware of the conduct or matter the subject of the complaint.

A complainant may amend or withdraw a complaint.

46        Preliminary assessment of privacy related complaints

The Privacy Commissioner may conduct a preliminary assessment of a complaint made under this Division for the purpose of deciding whether to deal with the complaint.

If the subject-matter of the complaint relates to conduct to which Part 5 applies, the Privacy Commissioner must inform the complainant of the review process under that Part and the remedial action that may be available if the complainant decides to make an application under section 53 in respect of that conduct.

The Privacy Commissioner may decide not to deal with a complaint if the Privacy Commissioner is satisfied that:

  • the complaint is frivolous, vexatious or lacking in substance, or is not in good faith, or
  • the subject-matter of the complaint is trivial, or
  • the subject-matter of the complaint relates to a matter permitted or required by or under any law, or
    • there is available to the complainant an alternative, satisfactory and readily available means of redress, or
    • it would be more appropriate for the complainant to make an application under section 53.

47        Referring privacy related complaints to other authorities

The Privacy Commissioner may refer a complaint made under this Division for investigation or other action to any person or body (the relevant authority) considered by the Privacy Commissioner to be appropriate in the circumstances.

The Privacy Commissioner may communicate to the relevant authority any information that the Privacy Commissioner has obtained in relation to the complaint.

The Privacy Commissioner may only refer a complaint to a relevant authority after appropriate consultation with the complainant and the relevant authority, and after taking their views into consideration.

48        Dealing with privacy related complaints

  • If the Privacy Commissioner decides to deal with a complaint made under this Division, the Privacy Commissioner may:

    • deal with the complaint, and
    • make such inquiries and investigations in relation to the complaint as the Privacy Commissioner thinks appropriate.
    • If the Privacy Commissioner declines to deal with a complaint, the Privacy Commissioner must advise the complainant of the reasons for declining to deal with the complaint.

49        Resolution of privacy related complaints by conciliation

  • In dealing with a complaint made under this Division, the Privacy Commissioner must endeavour to resolve the complaint by conciliation.
  • The Privacy Commissioner may by written notice request the complainant, and the person or body against whom the complaint is made (the respondent), to appear before the Privacy Commissioner in conciliation proceedings.
  • If a respondent that is a public sector agency receives any such notice, the agency must comply with the terms of the notice.
  • Maximum penalty (subsection (3)): 50 penalty units.
  • The parties to any such conciliation proceedings before the Privacy Commissioner are not entitled to be represented by any other person except by leave of the Privacy Commissioner.
  • The procedures for conciliation are to be determined by the Privacy Commissioner.

50        Reports and recommendations of Privacy Commissioner

The Privacy Commissioner may make a written report as to any findings or recommendations by the Privacy Commissioner in relation to a complaint dealt with by the Commissioner under this Division.

The Privacy Commissioner may give a copy of any such report to the complainant, and to such other persons or bodies as appear to be materially involved in matters concerning the complaint.

51        Effect of dealing with privacy related complaints under this Division

Even though the Privacy Commissioner declines to deal with a complaint under this Division, or decides to refer the complaint to a relevant authority, the Privacy Commissioner may conduct an inquiry or investigation into any general issues or matters raised in connection with the complaint.”

Appendix 2: Complaint Provisions of the HRIP Act

Part 6 of the Health Records and Information Privacy Act 2002 provides as follows:

“Part 6 Complaints against private sector persons

Division 1 General

41        Definitions

In this Part:

complainant, in relation to a complaint, means the person who makes the complaint.

respondent, in relation to a complaint, means a person against whom the complaint is made.

42        Making of privacy related complaints

  • A complaint may be made to the Privacy Commissioner about the alleged contravention of any of the following by a private sector person:

    • a Health Privacy Principle,
    • a provision of Part 4,
    • a health privacy code of practice.
    • A complaint must be made:
      • in writing, and
      • in accordance with such regulations (if any) as may be made for the purposes of this section.
      • A complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) after the time the complainant first became aware of the conduct the subject of the complaint.
      • A complainant may amend or withdraw a complaint.

This Part does not apply to any conduct that occurred before the commencement of this Part.

43        Preliminary assessment of complaints

  • The Privacy Commissioner may conduct a preliminary assessment of a complaint made under this Part for the purpose of deciding whether to deal with the complaint.
  • The Privacy Commissioner may decide not to deal with a complaint if the Privacy Commissioner is satisfied that:
    • the complaint is frivolous, vexatious or lacking in substance, or is not in good faith, or
    • the subject matter of the complaint is trivial, or
    • the subject matter of the complaint relates to a matter permitted or required by or under any law, or
    • there is available to the complainant an alternative, satisfactory and readily available means of redress, or
    • the matter should be referred to the Health Care Complaints Commission or another person or body under section 65, 66 or 67, or
    • the person has made a complaint about the same subject matter to the Commonwealth Privacy Commissioner, or to an adjudicator under an approved privacy code within the meaning of the Privacy Act 1988 of the Commonwealth, and:
      • the complaint has not been withdrawn, or
      • the Commonwealth Privacy Commissioner has made a determination under section 52 of that Act, or
      • the adjudicator has made a determination under a provision of the approved privacy code that corresponds to section 52 of that Act.
      • If the Privacy Commissioner decides not to deal with a complaint, the Privacy Commissioner must advise the complainant of the reasons for deciding not to deal with the complaint.

44        Assessment of complaints

  • If the Privacy Commissioner decides to deal with a complaint made under this Part, the Privacy Commissioner:

    • is to carry out an assessment to determine whether there is a prima facie case that the respondent contravened a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice, and
    • for that purpose, may make such inquiries and investigations into the complaint as the Privacy Commissioner thinks appropriate.
    • If, after carrying out such an assessment, the Privacy Commissioner is satisfied that there is no prima facie case that the respondent contravened a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice, the Privacy Commissioner is to cease to deal with the complaint.
    • If the Privacy Commissioner ceases to deal with a complaint, the Privacy Commissioner must advise the complainant of the reasons for ceasing to deal with the complaint.

45        Dealing with complaint

  • If the Privacy Commissioner is satisfied that there is a prima facie case that the respondent contravened a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice, the Privacy Commissioner may:

    • endeavour to resolve the complaint by conciliation under section 46, or
    • further investigate the complaint and make a report under section 47, or
    • determine that the complaint has been resolved to his or her satisfaction.
    • In deciding which course of action to take, the Privacy Commissioner is to take into consideration the following matters:
      • the nature of the complaint,
      • the views of the complainant and respondent,
      • any action taken by the respondent (or that the respondent gives an undertaking to take) to address the complaint,
      • whether the complaint raises a matter of public interest.

If the Privacy Commissioner determines that the complaint has been resolved to his or her satisfaction under subsection (1) (c), the Privacy Commissioner is to:

  • notify the complainant and the respondent of the determination, and
  • take no further action on the complaint.

46        Resolution of complaint by conciliation

  • The Privacy Commissioner may endeavour to resolve the complaint by conciliation.
  • The Privacy Commissioner may by written notice request the complainant and the respondent to appear before the Privacy Commissioner in conciliation proceedings.
  • A person or body must not without reasonable excuse fail to comply with the terms of a notice under subsection (2).
  • Maximum penalty: 50 penalty units in the case of a body corporate or 10 penalty units in any other case.
  • The parties to any such conciliation proceedings before the Privacy Commissioner are not entitled to be represented by any other person except by leave of the Privacy Commissioner.
  • The procedures for conciliation are to be determined by the Privacy Commissioner.
  • Evidence of anything said or done in the course of conciliation proceedings under this section is not admissible in subsequent proceedings under this Part relating to the complaint.
  • The Privacy Commissioner is to take no further action after the conclusion of the conciliation proceedings, whether or not the parties reach any agreement as a result of the proceedings.

47        Reports and recommendations of Privacy Commissioner

  • The Privacy Commissioner may make a written report as to any findings or recommendations by the Privacy Commissioner in relation to a complaint dealt with by the Privacy Commissioner under section 45 (1) (b).
  • The Privacy Commissioner may give a copy of any such report to the complainant, the respondent and to such other persons or bodies as appear to be materially involved in matters concerning the complaint.
  • A report under this section is admissible in subsequent proceedings under this Part relating to the complaint.

Division 2 Functions of the Tribunal

Note. The Administrative Decisions Tribunal Act 1997 contains provisions dealing with the procedure of the Tribunal, including matters such as who may be a party to proceedings for an original decision and representation of parties.

48        Application to Tribunal

  • A person who has made a complaint to the Privacy Commissioner under Division 1 may apply to the Tribunal for an inquiry into the complaint, but only if the complaint was the subject of a report of the Privacy Commissioner under section 47.

Note. This section confers jurisdiction on the Tribunal to make an original decision. It does not confer jurisdiction to review a decision of the Privacy Commissioner.

An application may only be made within 28 days after:

  • the day on which the complainant received the report of the Privacy Commissioner, or
  • the day (if any) recommended in the report of the Privacy Commissioner as the day after which an application may be made to the Tribunal,
  • whichever is later.

However, a person cannot apply to the Tribunal if the person has made a complaint about the same subject matter to the Commonwealth Privacy Commissioner, or to an adjudicator under an approved privacy code within the meaning of the Privacy Act 1988 of the Commonwealth, and:

  • the complaint has not been withdrawn, or
  • the Commonwealth Privacy Commissioner has made a determination under section 52 of that Act, or
  • the adjudicator has made a determination under a provision of the approved privacy code that corresponds to section 52 of that Act.

49        Inquiries into complaints

The Tribunal is to hold an inquiry into a complaint that is the subject of an application.

50        Appearance by Privacy Commissioner

  • The Privacy Commissioner is to be notified by the Tribunal of any application made to it under section 48.
  • The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to an inquiry under this Part.

51        Proof of exemption

If in proceedings in relation to an inquiry into a complaint the respondent relies on an exemption under any provision of this Act or the regulations, the onus of proving that the exemption applies to the respondent in the circumstances lies on the respondent.

52        Tribunal may dismiss frivolous etc complaints

  • If, at any stage of an inquiry into a complaint, the Tribunal is satisfied that the complaint is frivolous, vexatious, misconceived or lacking in substance, or that for any other reason the complaint should not be dealt with, it may dismiss the complaint.
  • The Tribunal may dismiss a complaint if satisfied that the person does not wish to proceed with the complaint.
  • If the Tribunal dismisses a complaint under this section, it may order the complainant to pay the costs of the inquiry.

53        Relationship to Administrative Decisions Tribunal Act 1997

Nothing in section 52 limits the generality of the powers conferred on the Tribunal by Chapter 6 of the Administrative Decisions Tribunal Act 1997.

54        Order or other decision of Tribunal

After holding an inquiry, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:

  • subject to subsection (2), an order requiring the respondent to pay to the complainant damages not exceeding $40,000 if the respondent is a body corporate, or not exceeding $10,000 in any other case, by way of compensation for any loss or damage suffered by reason of the respondent’s conduct,
  • an order requiring the respondent to refrain from any conduct or action in contravention of a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice,
  • an order requiring the performance of a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice,
  • an order requiring health information that has been disclosed to be corrected by the respondent,
  • an order requiring the respondent to take specified steps to remedy any loss or damage suffered by the complainant,
  • such ancillary orders as the Tribunal thinks appropriate.

The Tribunal may make an order under subsection (1) (a) only if:

  • the application relates to conduct that occurs after the end of the 12-month period following the date on which Schedule 1 commences, and
  • the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the respondent.

In making an order for damages under this section concerning a complaint lodged on behalf of a person or persons, the Tribunal may make such order as it thinks fit as to the application of those damages for the benefit of the person or persons.

55        Costs

  • Except as provided by section 52 and subsection (2), each party to an inquiry is to pay his or her own costs.
  • If the Tribunal is of the opinion in a particular case that there are circumstances that justify it doing so, it may make such order as to costs and security for costs, whether by way of interim order or otherwise, as it thinks fit.

56        Compliance with order of Tribunal

A person must not refuse, neglect or for any reason fail to obey or comply with an order referred to in section 54 (1) (b)–(e), or an interim order, of the Tribunal.

Maximum penalty: 50 penalty units in the case of a body corporate or 10 penalty units in any other case.  

57        Appeals to Appeal Panel against decisions and orders of Tribunal

An order or other decision made by the Tribunal under this Division may be appealed to an Appeal Panel of the Tribunal under Part 1 of Chapter 7 of the Administrative Decisions Tribunal Act 1997 by a party to the proceedings in which the order or decision is made.

[1] PPIP Act, s.  45(1).

[2] A “private sector person” is defined in s.  4(1) of the HRIP Act to include natural persons and bodies corporate but not small business operators and agencies under the Privacy Act 1988 (Cth).

[3] HRIP Act, s.  42.

[4] Under s.  44 of the PPIP Act, the Commissioner may delegate any of his or her functions under any other Act to a member of his or her staff or to any other person prescribed by the Regulations.

[5] PPIP Act, s.  45(5) and HRIP Act s.  42(3).

[6] Id.

[7] Under s.  45(3) of the PPIP Act, the Privacy Commissioner may require a verbal complaint to be put in writing.

[8] PPIP Act, s.  42(2).

[9] PPIP Act, s.  45(4).

[10] PPIP Act, s.  52(1)(a) and HRIP Act s.  21(1)(a).

[11] PPIP Act, s.  52(1)(b) and HRIP Act s.  21(1)(b).

[12] PPIP Act, subs.  52(1)(c).

[13] PPIP Act, subs.  46(2).

[14] PPIP Act, s.  45(6) and HRIP Act s.  42(4). 

[15] PPIP Act, s.  45(2).

[16] This is done under s.  46 of the PPIP Act.

[17] For example, a complaint brought to intimidate, harass or to derive some collateral advantage: Williams v Spautz (1992) 107 ALR 635; Flower & Hart (A Firm) v White Industries (Qld) Pty Ltd [1999] FCA 773).

[18] In s.  45(1) of the PPIP Act, a complaint may be made about an alleged violation of, or interference with, an individual’s privacy.

[19] PPIP Act, s.  48(2).

[20] PPIP Act, s.  47(1).

[21] PPIP Act, s.  47(2).

[22] PPIP Act, s.  48(1)(b)

[23] PPIP Act, s.  49(1).

[24] PPIP Act, s.  49(5).

[25] PPIP Act, s. 50(1).

[26] PPIP Act, s.  49(2).

[27] PPIP Act, s.  49(3).

[28] PPIP Act, s.  49(4).

[29] See the Privacy Commissioner’s functions in Pt.  4, Div.  2 of the PPIP Act.

[30] PPIP Act, subs.  39(a)-(c).

[31] PPIP Act, s.  39(d).

[32] PPIP Act, s.  50.

[33] HRIP Act, s.  42.

[34] HRIP Act, s.  43(1).

[35] For example, a complaint brought to intimidate, harass or to derive some collateral advantage: Williams v Spautz (1992) 107 ALR 635; Flower & Hart (A Firm) v White Industries (Qld) Pty Ltd [1999] FCA 773).

[36] HRIP Act, ss.  65-67 respectively.

[37] HRIP Act, s.  67(3).

[38] HRIP Act, s.  44(1)(b).

[39] See the definition of “prima facie” in the Encyclopaedic Legal Dictionary and the following authorities cited therein: Beecham Group Ltd v Bristol Laboratories Pty Ltd (1968) 118 CLR 618 ; [1968] ALR 469; and Shercliff v Engadine Acceptance Corp Pty Ltd [1978] 1 NSWLR 729.

[40] HRIP Act, s.  44(2).

[41] HRIP Act, ss.  45(1)(c) and 45(3)(b).

[42] HRIP Act, s.  65(1).

[43] HRIP Act, s.  66(1).

[44] HRIP Act, s.  66(2).

[45] HRIP Act, s.  67(1).

[46] HRIP Act, s.  67(2).

[47] HRIP Act, s.  45(1).

[48] HRIP Act, s.  45(2).

[49] HRIP Act, s.  45(3).

[50] This is because the Tribunal has jurisdiction to inquiry into a complaint only where a written report is made under s.  47(1) of the HRIP Act, as to any findings or recommendations in relation to an investigation into a complaint under s.  45(2)(b).

[51] HRIP Act, s.  46(1).

[52] HRIP Act, s.  46(2).

[53] HRIP Act, subs.  46(2) and (3).

[54] HRIP Act, s.  46(7).

[55] HRIP Act, s.  48(1).

[56] HRIP Act, s.  46(5).

[57] HRIP Act, s.46(4).

[58] HRIP Act, s.  46(6).

[59] HRIP Act, s.  46(7).

[60] See the Privacy Commissioner’s functions under Pt.  7 of the HRIP Act, in particular, s.  60. 

[61] HRIP Act, subs.  61(a)-(c).

[62] HRIP Act, s.  61(d).

[63] HRIP Act, s.  47(2).

[64] HRIP Act, s.  48(1).

[65] HRIP Act, s.  50(2).

[66] The Tribunal’s powers are in s.  54(1) of the HRIP Act.

Rating: 
2 out of 5 star rating
Average: 2 (1 vote)
Archive: 
0
Teaser: 
This Protocol describes how the Privacy Commissioner will deal with privacy complaints. This Protocol is intended as a guide only and should not be treated as a substitute for the terms of the PPIP Act.

POPUP MINIPANEL