Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Compliance

Information Sheet (Private Sector) 27 - 2008: A step-by-step guide to internal investigations of privacy complaints by organisations

document icon pdf (310.57 KB)

This information sheet assists organisations covered by the Privacy Act 1988 (Cth) (the Act) to address a privacy complaint by an individual.

Are you covered under the Act?

The Act requires that businesses (including non-profit organisations) with an annual turnover of more than $3 million, all private health service providers and some small businesses, comply with the National Privacy Principles (NPPs). For more information about the coverage of the NPPs see our Private Sector Information Sheet 12.

What is an interference with privacy?

Acts or practices of organisations that are not consistent with the NPPs may be an interference with an individual's privacy.

When are you involved?

The Act says that the complainant should take their complaint to the organisation before making a complaint to the Privacy Commissioner.

Under section 36 of the Act, individuals may complain to the Commissioner if they believe that their privacy has been interfered with.

How do we handle complaints?

If the complainant believes the matter has not been resolved by the organisation, they can complain to this Office.

The Commissioner may then investigate and attempt to conciliate the matter.

The Commissioner also has the power to decline to investigate complaints (or not to investigate further) in a number of circumstances.

These include situations where it is clear that there has not been an interference with privacy or where the matter has been ''adequately dealt with' by the organisation.

The Commissioner may make a determination if the matter is not resolved between the parties.

How do you handle privacy complaints?

Are individuals able to complain to your organisation?

Does your organisation have an enquiries line or provide feedback or complaint forms in both printed and electronic formats? Complaint forms should be easily accessible and available in a number of languages and formats.

Is there a process by which privacy complaints are identified and directed to staff with appropriate knowledge of the Act?

If an individual complains, are they being heard? It might be possible to resolve a complaint and avoid this Office becoming involved, especially where individuals just want to be heard or receive an apology.

Regular review of complaint handling processes and procedures will be useful.

Over the page you will find a checklist to assist your organisation in addressing privacy complaints.

Steps to follow	Date completed
Preliminary steps
1. Is the correspondence about a person's personal information?[1] â˜ Yes - treat the correspondence as a privacy complaint, and go to Question 2. â˜ No - follow the organisation's usual complaint handling procedures.
2. Is the information about the person who wrote the correspondence? â˜ Yes - go to Question 3. â˜ No - do you know if the writer is the representative of the person whose information is concerned in the correspondence[2]? â˜ Yes - go to Question 3. â˜ No - you should clarify the writer's authority to act either in writing or by telephone. If you proceed without the proper authority, there is a risk that you will be disclosing personal information and that you may be in breach of NPP 2 and NPP 4.
3. Does the complaint involve any of the following?[3] â˜ Collection of the complainant's personal information (NPP 1). â˜ Collection of the complainant's sensitive information (NPP 10). â˜ Security or storage of the complainant's personal information (NPP 4). â˜ Refusal to give the complainant access or find out about their personal information (NPP 6). â˜ Refusal to change or delete their personal information (NPP 6). â˜ Accuracy of the complainant's personal information (NPP 3). â˜ Use and/or disclosure of the complainant's personal information (NPP 2). â˜ Other/unsure - if this is the case, go back to the complainant and seek further information. If the complaint does not involve a matter to which the NPPs apply, consider whether the matter may be dealt with under the organisation's usual complaint handling procedures.
4. Appoint an investigating officer This should not be someone who was involved in the conduct complained about[4]. â˜ Insert the investigating officer's name here: ............................................................................
5. Contact the complainant, either by telephone or in writing, stating: â˜ Your understanding of the conduct complained about. â˜ Your understanding of the NPPs at issue (if appropriate). â˜ That the organisation is conducting an investigation (if appropriate). â˜ The name, title, and contact details of the investigating officer. â˜ How the investigating officer is independent of the person/s responsible for the alleged conduct. â˜ The estimated completion date for the investigation process. â˜ A request that the complainant outline what they expect as an outcome.
Now you can start the investigation
6. Issues for consideration: â˜ Does it appear that the alleged conduct occurred? â˜ Was the information collected by the organisation for inclusion in a record or a generally available publication? â˜ Was or is the information held by the organisation in a record? â˜ If so, did the organisation comply with the NPPs when dealing with the information?

7. Preliminary findings about the facts and the application of the law to the facts: â˜ Is there sufficient evidence to establish that the matters complained about actually occurred? For example, this may include the disclosure of information to a third party, use of personal information for a secondary purpose or failure to secure personal information. â˜ Which of the NPPs may be relevant and why? â˜ Does it appear that the conduct, decision or omission complied with the NPPs? â˜ If not, was non-compliance permitted by an exception or an exemption under the Act? â˜ If an exception or an exemption does not apply, consider whether the complainant's requests regarding outcomes can be met. This may include an apology, a change in procedures, improvement of security safeguards or payment of compensation for loss or damage suffered.
Communication with the complainant
8. Write to and, if possible, call the complainant providing: â˜ Your decision. Include as much detail about the investigation as possible. â˜ An invitation for the complainant to respond to your decision and if appropriate, the offer of a meeting. â˜ An apology if you did not comply with the relevant NPPs and consider whether any further remedy is appropriate. Consider whether a meeting to discuss the possible outcomes would assist, or whether it might be possible to resolve the matter by mediation.
9. Complainant's response â˜ Assess any response from the complainant. â˜ If you initially found that the organisation did comply with the NPPs, does the complainant's response alter your view? â˜ Are further discussions needed? â˜ If the organisation did not comply with the relevant NPPs would an external mediator be helpful? â˜ If the complainant remains unsatisfied with the outcome, refer the complainant to the Office of the Privacy Commissioner.

Systemic issues
10. Consider whether the complaint raises any systemic issues, such as: â˜ Privacy training. â˜ Amendment of forms and/or collection notices. â˜ Improve security and storage measures. â˜ Steps to improve data accuracy. Make a record of any changes made. Evaluate the changes by reviewing against any future privacy complaints.
Finalisation
11. Storage â˜ When finalised, the record of the complaint and the investigation should be stored securely (NPP 4) and in accordance with record keeping requirements. When responding to requests for information from the Office of the Privacy Commissioner, you may wish to use the investigation report and related documents as appropriate.

For further information

For the latest version of the Privacy Act 1988, including the National Privacy Principles, visit the ComLaw website: http://www.comlaw.gov.au/

Extensive Private Sector information is available on the Office's website.
To determine if you have to comply with the NPPs see: Private Sector Information Sheet 12
The Office's NPP guidelines.
The Office's Case Notes.
The Office's ComplaintChecker.
The Commonwealth Ombudsman's Report: To compensate or not to compensate? (1999)
NSW Ombudsman -Effective Complaint Handling (2004)
NSW Ombudsman - Public sector agencies fact sheet No 01: Apologies by Public Officials and Agencies (2006)

Private Sector Information Sheets

Information sheets are advisory only and are not legally binding. The National Privacy Principles in Schedule 3 of the Act do legally bind organisations.

Information sheets are based on the Office of the Privacy Commissioner's understanding of how the Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's ability to investigate complaints under the Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner

Privacy Enquiries Line 1300 363 992 - local call (calls from mobile and pay phones may incur higher charges)

TTY 1800 620 241 - no voice calls; Fax + 61 2 9284 9666; GPO Box 5218, Sydney NSW 2001.

Private Sector Information Sheet 27

Web HTML, Word and PDF published August 2008

ISBN 978-1-877079-64-1

www.privacy.gov.au/

[1] ''Personal information' is defined as "information or an opinion (including or forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion

[2] If the complaint is from a Member of Parliament on behalf of a constituent or from a lawyer on behalf of a client, it is assumed that the individual has consented for the writer to act on their behalf. In all other circumstances, you should check that the writer has the complainant's consent to act on their behalf.

[3] For assistance in interpreting the NPPs in Act see the Office's Guidelines to the NPPs at: http://www.privacy.gov.au/materials/types/guidelines#3.2

[4] In the case of a small organisation or where there are allegations of bias, consider whether to engage an external investigator.