Protecting Information Rights – Advancing Information Policy


Topic(s): Compliance
 

Information Sheet (Public Sector) 2 - A step-by-step guide to internal investigations of privacy complaints by Australian and ACT government agencies



This information sheet assists Australian and ACT government agencies covered by the Privacy Act 1988 (Cth) (the Act) to address a privacy complaint by an individual.

Are you covered under the Act?

The Act requires that most Australian Government agencies comply with the Information Privacy Principles (IPPs).

Under the Australian Capital Territory Government Service (Consequential Provisions) Act 1994, the IPPs also apply to ACT government agencies.

What is an interference with privacy?

Acts or practices by agencies that are not consistent with the IPPs may be an interference with an individual's privacy. 

When are you involved?

The Act says that the complainant should take their complaint to the agency before making a complaint to the Privacy Commissioner. 

Under section 36 of the Act, individuals may complain to the Commissioner if they believe that their privacy has been interfered with. 

How do we handle complaints?

If the complainant believes the matter has not been resolved by the agency, they can complain to this Office.

The Commissioner may then investigate and attempt to conciliate the matter.

The Commissioner also has the power to decline to investigate complaints (or not to investigate further) in a number of circumstances.

These include situations where it is clear that there has not been an interference with privacy or where the matter has been 'adequately dealt with' by the agency.

The Commissioner may make a determination if the matter is not resolved between the parties.

How do you handle privacy complaints?

Are individuals able to complain to your agency? 

Does your agency have an enquiries line or provide feedback or complaint forms in both printed and electronic formats?  Complaint forms should be easily accessible and in a number of languages and formats. 

Is there a process by which privacy complaints are identified and directed to staff with appropriate knowledge of the Act?

If an individual complains, are they being heard?  It might be possible to resolve a complaint and avoid this Office becoming involved, especially where individuals just want to be heard or receive an apology.

Regular review of complaint handling processes and procedures will be useful.

Over the page you will find a checklist to assist your agency in addressing privacy complaints.

Steps to follow

Date completed

Preliminary steps

  • 1. Is the correspondence about a person's personal information?[1]
      • ☐ Yes - treat the correspondence as a privacy complaint, and go to Question 2.
      • ☐ No - follow the agency's usual complaint handling procedures.
  • 2. Is the information about the person who wrote the correspondence?
      • ☐ Yes - go to Question 3.
      • ☐ No - do you know if the writer is the representative of the person whose information is concerned in the correspondence?[2]
          • ☐ Yes - go to Question 3.
          • ☐ No - you should clarify the writer's authority to act either in writing or by telephone. If you proceed without the proper authority, there is a risk that you will be disclosing personal information and that you may be in breach of IPP 4 and IPP 11.
  • 3. Does the complaint involve any of the following?[3]
      • ☐ Collection of the complainant's personal information (IPPs 1-3).
      • ☐ Security or storage of the complainant's personal information (IPP 4).
      • ☐ Refusal to give the complainant access to, or to let them find out about, their personal information (IPPs 5 and 6)[4].
      • ☐ Refusal to change or delete their personal information (IPP 7).
      • ☐ Accuracy of the complainant's personal information (IPP 8).
      • ☐ Relevant use of the complainant's personal information (IPP 9).
      • ☐ Use of the complainant's personal information (IPP 10).
      • ☐ Disclosure of the complainant's personal information (IPP 11).
      • ☐ Other/unsure - if this is the case, go back to the complainant and seek further information. If the complaint does not involve a matter to which the IPPs apply, consider whether the matter may be dealt with under the agency's usual complaint handling procedures.
  • 4. Appoint an investigating officer
      • This should not be someone who was involved in the conduct complained about[5].
      • ☐ Insert the investigating officer's name here:

     ............................................................................

  • 5. Contact the complainant, either by telephone or in writing, stating:
      • ☐ Your understanding of the conduct complained about.
      • ☐ Your understanding of the IPPs at issue (if appropriate).
      • ☐ That the agency is conducting an investigation (if appropriate).
      • ☐ The name, title, and contact details of the investigating officer.
      • ☐ How the investigating officer is independent of the person/s responsible for the alleged conduct.
      • ☐ The estimated completion date for the investigation process.
      • ☐ A request that the complainant outline what they expect as an outcome.

Now you can start the investigation

  • 6. Issues for consideration:
      • ☐ Does it appear that the alleged conduct occurred?
      • ☐ Was the information collected by the agency for inclusion in a record or a generally available publication?
      • ☐ Was or is the information held by the agency in a record?
      • ☐ If so, did the agency comply with the IPPs when dealing with the information?
  • 7. Preliminary findings about the facts and the application of the law to the facts:
      • ☐ Is there sufficient evidence to establish that the matters complained about actually occurred?
          • For example, this may include the disclosure of information to a third party, use of personal information for a secondary purpose or failure to secure personal information.
      • ☐ Which of the IPPs may be relevant and why?
      • ☐ Does it appear that the conduct, decision or omission complied with the IPPs?
      • ☐ If not, was non-compliance permitted by an exception or an exemption under the Act?
      • ☐ If an exception or an exemption does not apply, consider whether the complainant's requests regarding outcomes can be met.
          • This may include an apology, a change in procedures, improvement of security safeguards or payment of compensation for loss or damage suffered.

Communication with the complainant

  • 8. Write to and, if possible, call the complainant providing:
      • ☐ Your decision.
          • Include as much detail about the investigation as possible.
      • ☐ An invitation for the complainant to respond to your decision and, if appropriate, the offer of a meeting.
      • ☐ An apology if the agency did not comply with the relevant IPPs, and consider whether any further remedy is appropriate. Consider whether a meeting to discuss the possible outcomes would assist, or whether it might be possible to resolve the matter by mediation.
  • 9. Complainant's response
      • ☐ Assess any response from the complainant.
      • ☐ If you initially found that the agency did comply with the IPPs, does the complainant's response alter your view?
      • ☐ Are further discussions needed?
      • ☐ If the agency did not comply with the relevant IPPs, would an external mediator be helpful?
      • ☐ If the complainant remains unsatisfied with the outcome, refer the complainant to the Office of the Privacy Commissioner.

Systemic issues

  • 10. Consider whether the complaint raises any systemic issues, such as:
      • ☐ Privacy training.
      • ☐ Amendment of forms and/or collection notices.
      • ☐ Improvement of security and storage measures.
      • ☐ Steps to improve data accuracy.
      • Make a record of any changes made.
      • Evaluate the changes by reviewing against any future privacy complaints.

Finalisation

  • 11. Storage
      • ☐ When finalised, the record of the complaint and the investigation should be stored securely (IPP 4) and in accordance with record keeping requirements.
      • When responding to requests for information from the Office of the Privacy Commissioner, you may wish to use the investigation report and related documents as appropriate.

For further information

Public Sector Information Sheets

Information sheets are advisory only and are not legally binding.  The Information Privacy Principles in section 14 of the Act do legally bind agencies.

Information sheets are based on the Office of the Privacy Commissioner's understanding of how the Act works.  They provide explanations of some of the terms used in the IPPs and good practice or compliance tips.  They are intended to help agencies apply the IPPs in ordinary circumstances.  Agencies may need to seek legal advice on the application of the Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's ability to investigate complaints under the Act or to apply the IPPs in the way that seems most appropriate to the facts of the case being dealt with. Agencies may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner

Privacy Enquiries Line 1300 363 992 - local call (calls from mobile and pay phones may incur higher charges)

TTY 1800 620 241 - no voice calls; Fax + 61 2 9284 9666; GPO Box 5218, Sydney NSW 2001.

Public Sector Information Sheet 2 

Web HTML, Word and PDF published August 2008

ISBN 978-1-877079-63-4

© Commonwealth of Australia 2008

www.privacy.gov.au/

[1] 'Personal information' is defined as "information or an opinion (including or forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion".

[2] If the complaint is from a Member of Parliament on behalf of a constituent or from a lawyer on behalf of a client, it is assumed that the individual has consented for the writer to act on their behalf.  In all other circumstances, you should check that the writer has the complainant's consent to act on their behalf. 

[3] For assistance in interpreting the IPPs in the Act, see the Office's Guidelines to the IPPs at: http://www.privacy.gov.au/materials/types/guidelines#34.

[4] Requests about access to or correction or amendment of personal information should be dealt with under the Freedom of Information Act 1982 (Cth) (FOI Act), unless it involves a simple request for personal information or an amendment and the agency is prepared to provide the information free of charge or to make the amendment. 

[5] In the case of a small agency or where there are allegations of bias, consider whether to engage an external investigator.