Guide - The Privacy Commissioner's Oversight role in internal reviews of privacy complaints
Read the document below or download it here: Guide - The Privacy Commissioner's Oversight role in internal reviews of privacy complaints, updated October 2022
1. What are internal reviews?
This is a guideline under the Privacy Commissioner’s general functions in section 36(2)(b) of the Privacy and Personal Information Protection Act 1998 (PPIP Act).
The legislation
Part 5 of the PPIP Act contains the provisions allowing an aggrieved person (complainant) to make a privacy complaint to a respondent public sector agency (agency), enabling the investigation of complaints by agencies. The PPIP Act describes an investigation of a privacy complaint as an “internal review” by the agency.
The provisions also describe the role of the Privacy Commissioner in those investigations and the rights of complainants to have their complaints heard and determined by the Tribunal when:
- the agency does not undertake the relevant internal review, or
- the complainant is dissatisfied with the findings of the internal review or any action(s) taken by the agency in relation to their complaint.
The PPIP Act provides the internal review procedures regarding “personal information” under the PPIP Act, and “health information” under the Health Records and Information Privacy Act 2002 (HRIP Act). The HRIP Act does not have separate internal review management provisions.
The benefit of internal reviews
The legislation provides an opportunity for agencies to deal with privacy complaints efficiently, as opposed to complainants commencing litigation. This enables important public interest outcomes, such as agencies:
- taking responsibility for their governance systems regarding personal and health information
- having an opportunity to investigate and respond to apparent shortcomings quickly and efficiently
- having an opportunity to deal directly with complainants and achieve mutually beneficial outcomes, thus avoiding the costs of litigation.
2. What do internal reviews examine?
Typically, internal reviews examine procedural issues such as:
- whether the complaint was lodged within the specified timeframe
- whether the complaint clearly identifies conduct that must be investigated under privacy legislation
- the investigative activities that enable the reviewer to deal with the complaint:
  - searching for records
  - reviewing policies and procedures
  - interviewing relevant people for information
- the relevant facts that the investigation activities establish and the legal effect of those facts on relevant questions such as whether the agency contravened its privacy obligations
- the findings made and the recommended actions the agency proposes to take.
The structure of the review
Typically, agencies may complete internal reviews in the style of investigation reports that contain:
- an account of the complaint
- the evidence gathered and considered
- an assessment of that evidence
- findings of fact, conclusions as to whether or not the agency contravened its privacy obligations
- any proposed actions.
Proposed actions may include:
- systems improvements
- training for employees or contractors
- policy changes
- remedial or disciplinary actions regarding specific employees
- referrals to licensing bodies regarding employees who require specific licences to practise their profession
- removal of approval to access and/or use information systems
- referral to police for criminal investigation
- apologies to complainants
- payment of compensation.
Privacy legislation is principle-based and so facilitates flexibility in the presentation of the findings and recommendations required (section 53(8) of the PPIP Act).
3. What are the agency’s responsibilities?
The responsibilities of an agency when they receive an internal review application are outlined in sections 53 and 54 of the PPIP Act. Agencies are encouraged to have regard to the Administrative Review Council publications and best practice guides to ensure sound decision-making.
Accepting an application
The agency does not have a discretionary power to decline to conduct the internal review. Such discretion would undermine the public interest outcomes intended. Section 53(2) states:
“The review is to be undertaken by the public sector agency concerned.”
Importantly, the threshold required for a “valid” privacy complaint is low; put simply, it need only be reasonably clear what the conduct at issue is and what breach the applicant considers to have occurred (see KO and KP v Commissioner of Police, NSW Police (GD) [2005] NSWADTAP 56). The legislation is beneficial legislation, meaning that the provisions under Part 5 of the PPIP Act operate in a remedial fashion and agencies do not have the discretionary power to decline to deal with a complaint.
A defensible internal review
The onus is on the agency to undertake fact finding of the complainant’s privacy complaint and establish the factual issues for review. There is no onus for applicants to establish factual issues in seeking review of an agency’s conduct.
An agency must conduct an appropriately “thorough” investigation to address all relevant factual issues (see EEC v Federation Council [2020] NSWCATAD 169) and in cases where the facts of an incident are unclear, the agency must express a preference or view about whether factual inferences can be drawn based on the available evidence (see RL v Department of Education and Training [2009] NSWADT 257 and BYW v Commissioner of Police, NSW Police Force [2014] NSWCATAD 53).
Managing conflicts
Agencies have a duty to manage all actual and perceived conflicts of interest and conflicts of duties, regardless of the agency’s size or resources. The reviewing officer should be independent and not involved with the alleged conduct, to allow for an impartial review wherever possible. If it is not possible for the reviewing officer to be completely impartial, any conflicts must be declared and managed appropriately.
In cases where a conflict cannot be managed, the agency should consider whether an external consultant should be procured to conduct the review (CRE v Blacktown City Council [2017] NSWCATAD 285).
The NSW Ombudsman’s guideline on Good conduct and administrative practice provides further guidance in respect of conflicts.
Providing an outcome
When an internal review is conducted by an agency, section 53(7) provides that at the completion of the review, the agency may do one or more of the following:
- take no further action on the matter,
- make a formal apology to the applicant,
- take such remedial action as it thinks appropriate (e.g. payment of monetary compensation to the applicant),
- provide undertakings that the conduct will not occur again,
- implement administrative measures to ensure that the conduct will not occur again.
A decision to take no further action still requires the agency to make a finding on the alleged breach of the privacy principle.
Agencies should give due consideration to the recommendation which may be appropriate in the circumstances. Given the remedial nature of the internal review function, an apology for any hurt may be a valuable resolution in many circumstances. See the NSW Ombudsman’s guideline on Apologies – A practical guide for further information.
Communication of delay
Internal reviews should be completed as soon as practicable and within 60 days at the latest. It is best practice for an agency to notify the complainant of any expected delays. Any notification should include an explanation for the delay and an updated date by which the complainant should expect the review to be completed. In addition to ensuring appropriate updates are provided to the complainant, the Privacy Commissioner should also be informed of the new due date and any updates given to the complainant, as relevant to the performance of her oversight function.
4. What is the role of the Privacy Commissioner?
As the provisions of Part 5 of the PPIP Act include the oversight functions of the Privacy Commissioner, agencies have certain obligations during the conduct of internal reviews.
Notifying the Privacy Commissioner
Under section 54(1)(a) agencies must notify the Privacy Commissioner as soon as practicable after they receive the application.
Under section 54(1)(b) agencies must “keep the Privacy Commissioner informed of the progress of the internal review.” The system envisages that the Privacy Commissioner will receive progress information from agencies in a variety of circumstances.
For example:
- when agencies clarify the particulars of complaints and need to send the Privacy Commissioner updated terms of allegations to be investigated
- when alternative decisions may need to be made on the question of whether or not an application for internal review was made within the six months’ time stated in section 53(3)(d)
- when agencies resolve questions as to when an internal review was actually lodged with the agency
- when agencies confront delays in completing internal reviews
- when agencies complete their fact-finding work and have draft findings of fact and proposed actions.
Section 54(1)(c) states that agencies must “inform the Privacy Commissioner of the findings of the review and of the action proposed to be taken by the agency in relation to the subject matter of the application.”
This provides for the Privacy Commissioner to receive information from agencies before the internal review is formally completed and the relevant report has been sent to the complainant.
Actioning a submission from the Privacy Commissioner
The Privacy Commissioner has a statutory function of oversighting the internal review. Section 54(2) states:
“The Privacy Commissioner is entitled to make submissions to the agency in relation to the subject matter of the application.”
The corresponding obligation of the reviewing agency is in section 53(5), which relevantly states:
“In reviewing the conduct the subject of the application, the individual dealing with the application must consider any relevant material submitted by … the Privacy Commissioner.”
This is not equal to adopting the Privacy Commissioner’s views. It is an obligation to take the Privacy Commissioner’s submissions into account, in order to ensure improvements to the work of internal reviewers.
The Parliament has intended that agencies will potentially have the benefit of the Privacy Commissioner’s views at various times during the course of conducting internal reviews and before they are completed and reports are sent to complainants. This enables the Privacy Commissioner to perform the oversight functions that the Parliament intended.
Submissions after the final internal review reports have already been sent to complainants lack that capacity.
The Parliament chose the term “subject matter of the application” for its particularly wide meaning.
The Tribunal has taken a wide approach to the Privacy Commissioner’s oversight role. In discussing the Privacy Commissioner’s statutory right to appear in the Tribunal, the Appeal Panel stated:
“Section 55(7) should be given a construction which is consistent with the beneficial objects of this landmark piece of human rights legislation and the central role given to the Privacy Commissioner in the legislation to make it work. The Privacy Commissioner has an oversight role in relation to the way agencies handle complaints.
There are many other powers and responsibilities given to the Privacy Commissioner by other parts of the Privacy Act of similar significance. It would make a mockery of these arrangements for the Privacy Commissioner to be cut out of the appeals environment of the Tribunal, where quite possibly some of the most significant questions touching on the scope and operation of the legislation might arise.” (Vice Chancellor, Macquarie University v FM [2003] NSWADTAP 43, at [41])
The Tribunal also commented on the ability of the oversight function in correcting errors and said:
“It is appropriate to read section 54(1)(d) as requiring the decision-maker to update the Commissioner as to the progress of the review in fact being conducted, as this allows the Commissioner to effectively exercise the oversight function – including that of advising the agency that a review has exceeded its appropriate scope, where necessary.” (ALZ v Safework (No 2) [2016] NSWCATAD 121, [70])
A significant aspect of the capacity of the Privacy Commissioner’s role is to review draft findings and proposed actions.
The oversight function of the Privacy Commissioner
The Privacy Commissioner does not take sides in internal reviews of complaints and is not a party in proceedings in the Tribunal. The oversight function aims at encouraging investigations to produce quality outcomes, adequately deal with privacy issues and lead to better compliance with the legislation.
The legislation does not envisage an engagement of the Privacy Commissioner with applicants. For this reason the Privacy Commissioner declines to offer opinions to applicants regarding the merits of their complaints or the correctness of internal review findings. Nevertheless, many complainants lack specialised knowledge of their privacy rights and/or how to articulate their grievances. In many instances, persons who feel aggrieved at the conduct of agencies contact the Privacy Commissioner by telephone or correspondence requesting assistance regarding their rights.
The Privacy Commissioner’s assistance to aggrieved persons has the potential to remove the anxiety that complainants may experience when dealing with agencies, especially when unrepresented by a legal practitioner. It also has the potential to alleviate errors that may result in unnecessary workload burdens upon the privacy complaints scheme.
In order for the Privacy Commissioner to effectively exercise the oversight role, when an agency notifies the Privacy Commissioner of receipt of a privacy complaint, it is general practice for an agency to include the applicant’s details, such as their name. The recorded details of internal review applicants are relevant and significant to the Privacy Commissioner’s functions, including handling privacy complaints under section 45 of the PPIP Act and contributing to Tribunal administrative review proceedings as per section 55 of the PPIP Act. As such, it is important that the Privacy Commissioner can link relevant cases and applications.
Whilst some agencies may give the option to an applicant to remain anonymous, there is no requirement for an agency to seek an applicant’s permission to provide their details to the Privacy Commissioner when providing the draft review findings to the Privacy Commissioner.
However, in circumstances where the agency cannot provide the applicant’s full name, the agency must be able to provide an alternative, such as a first name and initial of a last name or an agreed pseudonym which will remain consistent in future applications.
5. What does the Privacy Commissioner review?
At the stage of reviewing draft reports, the Privacy Commissioner’s oversight function typically involves the following aspects of the work done by reviewers. Whether the draft:
- correctly identified all of the privacy complaints
- correctly identified all of the privacy principles that need to be considered
- examined all of the relevant records and information and/or engaged all of the persons who could assist the enquiries
- discussed the available information and whether the findings of fact reasonably follow from that discussion
- discussed appropriate findings of law reasonably following from findings of fact, e.g. whether or not the facts as found should result in findings of contraventions of agency privacy obligations
- discussed proposed actions that appear to be a necessary response to findings of contravention of privacy principles; whether they are actions beneficial to the applicant or systems issues.
Submitting a draft report to the Privacy Commissioner
Making submissions to agencies at a time before receipt of draft reports does not enable the Privacy Commissioner to make a contribution to quality outcomes in the public interest. This is because at that early stage the Privacy Commissioner lacks necessary information and is unable to make submissions in a vacuum.
When agencies omit to send draft reports to the Privacy Commissioner, the opportunity for any improvements in the quality of reports sent to applicants and ultimately placed before the Tribunal is lost.
Such omission results in the Privacy Commissioner’s inability to contribute to the overall aim that the oversight scheme in sections 53 to 54 intends to achieve in the public interest.
If complainants receive reports that do not show a sufficient treatment of the issues that the complaint generates, the risk is that they may not feel the agency took their matter seriously and they may embark on administrative review with the Tribunal.
6. How else does the Privacy Commissioner assist?
Agencies, especially those without specially dedicated staff to deal with privacy matters, seek the Privacy Commissioner’s advice on the operation of the Act and best practice approaches to review at various stages of the internal review process.
On a request for advice in the course of an internal review, the Privacy Commissioner may provide some general guidance to assist the agency internal reviewer. Further, the Commissioner has available published resources, especially Tribunal decisions, which may guide reviewers as to the correct approach to various issues. Importantly, the Privacy Commissioner does not provide legal advice.
7. Timeframes
Whilst the scheme envisages that internal reviews should be completed within 60 days, an applicant does not have an express right to take action to force the agency to complete the review.
When an agency does not complete the review, the legislation provides other processes that may result in the agency conducting the requested review. For example, if the Privacy Commissioner considers that there is a “privacy related matter” involved in the way agencies handle requests for internal reviews, the Privacy Commissioner may exercise functions under Part 4 of the PPIP Act. These may assist agencies to put in place a system to ensure they meet the expectations of the scheme, or to conduct enquiries to ascertain the reasons why agencies do not meet those expectations and make recommendations for systems improvements.
Right of Tribunal review
One of the circumstances under section 55 that gives a complainant a right to apply for Tribunal review of the alleged conduct is where the agency has not completed the requested internal review within the envisaged 60 day period. The Tribunal has noted that the 60 day period is not “strict” and that it is only a trigger to seek Tribunal review (BKM v Sydney Local Health District [2015] NSWCATAD 87, at [18 – 20]).
In some cases when complaints have reached the Tribunal and the agency had not completed the internal review, the Tribunal returned the matter to the agency in order to undertake the review before a next listing date.
When should a draft report be provided to the Privacy Commissioner?
As a result of the Privacy Commissioner’s oversight role, it is recommended that the agency provide a draft copy of the internal review a minimum of two weeks prior to the date the agency’s findings report to the applicant is due. This allows the Privacy Commissioner sufficient time to consider the draft internal review report and, if appropriate, provide submissions to the agency in order to effectively carry out the oversight role.
Appendices
Appendix A: Process Workflow
Appendix B: Draft report – suggested structure
The draft report to the Privacy Commissioner should include the following sections:
| Section | Contents |
|---|---|
| Introduction | Description of the jurisdiction and outline of complaint |
| Complaint information | Explanation of when and how the complaint was made; statement of reviewer’s independence; comments about where and/or how the matter arose; how persons may be situated in context of complaint (i.e. what role they had in the agency); factual allegations; privacy principles engaged |
| Process of investigation | Sources of information (records, persons); discussion of any exemptions from compliance with privacy principles provided in the privacy legislation or other laws; discussion of any contraventions of privacy principles |
| Outcomes | Planned systems improvements; apology; compensation; other pertinent information |
| Additional information | Space for any Privacy Commissioner’s comments (to be completed in final findings) |
| Tribunal review rights | Information on how to contact the NSW Civil and Administrative Tribunal should the complainant dispute the outcome of the investigation. |