Privacy Complaints

	Individuals
		Complaints
		Complaints (Other Languages)
		ComplaintChecker
		Your Privacy & Government
		Your Privacy & Health
		Your Privacy & Organisations
		10 Steps Guides
		State & Territory Privacy Laws
		Australian Government - Do Not Call Register
	SPECIFIC PRIVACY INFORMATION FOR:
		Individuals
		Business
		Health
		Government

		Federal Privacy Law
		About the Office
		Frequently Asked Questions
		IT and Internet Issues
		Media and Speeches
		Publications
		Privacy Links
		International
		Contact us

Privacy Complaints

View printable version of this page

The Privacy Act 1988 (Cth) gives you the right to make a complaint if you think personal information, including health information about you, has been mishandled by a Australian or ACT government agency or a private sector organisation. This page tells you how to make a complaint and explains the complaint process generally. Real cases de-identified can be found in the Privacy Law section under Complaints Case Notes.

If you would like some indication as to whether the Commissioner can investigate your complaint before you lodge it, please use our ComplaintChecker. Complaints may also be submitted in languages other than English. Please see our complaints information in other languages.

Generally, if you think that your privacy rights have been infringed, you need to try to work out the problem with the organisation or agency you are concerned about, before you complain to us. The Office of the Privacy Commissioner handles your privacy complaint free of charge. You do not have to be represented by a lawyer to make a complaint to us about privacy. If you do decide to hire a lawyer, you must pay for the lawyer yourself. You may withdraw your complaint at any time.

Privacy complaints involving

Private sector organisations
Private sector codes
Opt-ins
Australian and ACT government agencies
Credit providers and credit reporting agencies
Tax File Numbers
Data-matching
Spent convictions

How to make a complaint

Complaint Form

How to send us your complaint

What will happen to your complaint?

Can we investigate your complaint?
Will we investigate your complaint?
Investigation
Conciliation
Resolving your complaint
Decision by the Privacy Commissioner

Appeals

The Federal Court and the Federal Magistrates Court
Administrative Appeals Tribunal

Privacy Complaints involving:

Private sector organisations

Our Office can investigate complaints against private sector organisations, including all private health service providers that are subject to the National Privacy Principles (NPPs).

The NPPs set the standards for the way many private sector organisations and all private health service providers handle personal information.

There are exemptions in the Privacy Act for the media, political parties and for information held in employee records. Information Sheet 12 -2001 Coverage of and Exemptions from the Private Sector Provisions provides more information on those exemptions.

If you think an organisation has breached the NPPs, you can complain to us. But generally, before you do, you need to write to the organisation and try to resolve the problem directly.

Private sector codes

Some private sector organisations may have a privacy code which the Privacy Commissioner has approved under the Privacy Act. The Privacy Commissioner keeps a Register of approved privacy codes. Where an organisation is bound by an approved privacy code, your complaint must be lodged with the Code Adjudicator. Please visit the Business section for further information on Codes.

Opt-ins

Some organisations opt-in or choose to be covered by the Privacy Act, where they would otherwise not be bound by the Act. We can investigate complaints about these organisations. The Privacy Commissioner maintains a Register of organisations which have opted-in.

If you think an organisation that has opted-in has breached the NPPs, you can complain to us. But generally, before you do, you need to write to the organisation and try to resolve the problem directly.

Australian and ACT government agencies

Australian and ACT government agencies are bound by the Information Privacy Principles (IPPs) in the Privacy Act. State and local government bodies are not covered, except for ACT agencies. There are also exceptions for intelligence agencies and government business enterprises.

Among other things, the IPPs cover the collection, security, quality, use and disclosure of personal information that Australian and ACT agencies hold. Please visit the Government section on our website for further information on agencies.

If you think that an Australian or ACT agency has breached the IPPs, you can complain to us. But generally, before you do, you need to try to resolve the problem with the agency directly.

Credit providers and credit reporting agencies

Credit providers, like banks and building societies, make reports about people's bad debts and credit applications to central databases called credit reporting agencies.

The Privacy Act sets out rules about what information credit providers can report and who the credit reporting agency can give that information to.

If you think that a credit provider or credit reporting agency has breached the rules on consumer credit reporting you can complain to us. If you are concerned about a credit provider giving inaccurate information to a credit reporting agency, then generally, before you complain to us, you need to write to the credit provider and try to resolve the problem directly.

If your complaint involves your credit report, please attach a copy of your credit report to your complaint. Credit reports may be available from Veda Advantage on 1300 762 207, Dun & Bradstreet on 132333 or for residents of Tasmania, the Tasmanian Collection Service on (03) 6213 5555.

Tax File Numbers

There are rules about the collection and use of Tax File Numbers. They can only be collected or used for taxation, superannuation or social security benefits.

Any organisation that collects Tax File Numbers is subject to these rules.

If you think any organisation or agency has improperly collected, used or disclosed your Tax File Number, you can complain to us. But generally, before you do, you need to write to the organisation and try to resolve the problem directly.

Data-matching

Centrelink, the Australian Taxation Office and the Department of Veterans' Affairs share information about their clients. This is done according to rules in the Data-matching Program (Assistance and Tax) Act 1990 (Cth).

If you think that one of these agencies has breached the data-matching rules, you can complain to us. But generally, before you do, you need to write to the agency first and try to resolve the problem directly.

Spent convictions

Part VIIC of the Crimes Act 1914 (Cth) is usually called the Spent Convictions Scheme. It protects people against discrimination on the basis of old minor criminal convictions.

If you think an individual or organisation has broken the rules of the Spent Convictions Scheme, you can complain to this Office. Generally, before you make a complaint to our Office, you need to write to the agency or organisation first to try to resolve the problem directly.

How to make a complaint

Generally, before you complain to us, you need to complain in writing to the organisation or agency you are concerned about (called 'the respondent'), and try to resolve your complaint directly. You need to give the respondent a reasonable time (usually 30 days) to respond to your complaint.

If you are not satisfied with the way the respondent deals with your complaint, or if the respondent does not reply, you can complain to us.

Your complaint letter should include:

the name of the agency or organisation involved;
a brief description of your privacy problem;
any action the agency or organisation has taken to fix the problem;
a description of any response you have had from the agency or organisation; and
copies of any relevant documents.

Where there has been an interference with the privacy of a number of individuals, one individual may make a complaint on behalf of the group.

Complaint Form

We have produced a complaint form which you may find useful. This form is also available in PDF and Word format.

If you have any questions about making a complaint (for example who to contact or how the process works) or if you need help in making your complaint, our Privacy Enquiries Line staff can help. Ring 1300 363 992, or e-mail privacy@privacy.gov.au.

How to send us your complaint

You can send us your complaint by post, fax or by email.

You should note that email that is not encrypted can be copied or tracked. The Office uses Microsoft Outlook, which allows for the transmission and receipt of encrypted emails.

For more information on how to setup your own Outlook program to send and receive encrypted emails from the Office, please click here.

While the Office discourages using unencrypted emails to transmit complaints, it will accept them via privacy@privacy.gov.au. This same address will also accept properly formatted encrypted emails sent from Microsoft Outlook.

If you have concerns about postal security, you may wish to consider sending your complaint by registered mail. Please note that it is not possible for the Office to guarantee total security in e-mail or postal transmissions.

Please address postal mail to:

Director, Compliance
Office of the Privacy Commissioner
GPO Box 5218
SYDNEY NSW 2001.

Faxes can be sent to:

(02) 9284 9666

What will happen to your complaint?

Can we investigate your complaint?

We cannot investigate all complaints about your privacy. Your complaint must be about a privacy issue and an Australian or ACT government agency or private sector organisation that is bound by the Privacy Act 1988 (Cth).

The body you are complaining about is called the respondent. We may need to contact you or the respondent for more information before we decide whether we can investigate your complaint. Please let us know if you do not want us to tell the respondent about your complaint.

Will we investigate your complaint?

If we have the power to investigate your complaint you will need to give us some information. This will usually include:

A copy of your letter of complaint to the respondent you are complaining about; and
A copy of any response to your complaint that you have received from the respondent. You must give the respondent 30 days to reply to your letter.

In some cases we may decide not to investigate your complaint. For example, if:

you knew about the privacy issue for more than 12 months before coming to us; or
we think your matter would be better handled by other legislation (not the Privacy Act); or
we think the respondent has already dealt with the complaint properly; or
it is clear that the respondent has not breached the Privacy Act.

The Privacy Act allows us to do this. If we decide not to investigate we will write to you to explain why.

Investigation

If we need more information about what has happened we will contact you to discuss your complaint and what you are seeking. The Privacy Act gives us the power to ask you or the respondent to give us documents or to contact witnesses if we need to.

When we have all the information we need we will contact the respondent in writing and:

tell them that you have made a complaint;
tell them what you are complaining about or give them a copy of your complaint;
explain how their actions may have infringed your privacy rights; and
ask them to respond to our letter within 21 days.

Please let us know if you do not want the respondent to see any documents or information you give us as evidence. Otherwise we let both you and the respondent have access to all documents and information provided. We do not exchange information with any party other than those involved in the complaint.

When we receive a reply from the respondent we will either telephone you or write to you asking you to give your views on what the respondent has said about your complaint.

Either: There will not be enough evidence to support your complaint and we may decide to stop the investigation and close your file. We will write to you and give you the reasons and explain your options if you wish to appeal the decision.

Or: If we think there is enough evidence to support your complaint, we will try to conciliate your complaint.

Conciliation

Conciliation means that we will try to help you reach an agreement with the respondent that will resolve your complaint in a fair way.

We can conciliate your complaint in a number of ways. Usually we write or telephone the respondent and ask them if they agree to your solution and give them a chance to reply. Or we may bring both you and the respondent together in a conciliation conference.

For more information about our conciliation process, please click here.

Resolving your complaint

When you are making a complaint, you need to think about what you want the respondent to do.

You may want an apology or explanation. You may want the organisation to improve their practices to reduce the chance of the same thing happening again. You may want compensation. Or you may want a combination of these three options.

If you have asked for financial compensation, your claim must show how the alleged breach of your privacy has impacted on you financially. We will give the respondent a chance to reply to your claim. We may also make suggestions on how the respondent can improve its practices to reduce the chance of the same thing happening again.

Either: You and the respondent reach an agreement. You may be asked to sign a 'Deed of Release' before the respondent will pay any compensation or do anything else that they may have agreed to. If you sign the 'Deed of Release' you will not be able to make any further claims for that breach of your privacy. We will then close our file on the grounds that the respondent has adequately dealt with the matter.

Or: If you and the respondent cannot agree, we will make a decision about what should happen.

Decision by the Privacy Commissioner

Either: The respondent has made you a reasonable offer but you have not accepted it. We can close your file on the grounds that the respondent has adequately dealt with the matter, even if you do not agree.

Or: The respondent has not made you a reasonable offer. The Privacy Commissioner can make a formal decision instructing the respondent how to resolve your complaint. This is called a determination. The respondent could be ordered to apologise, pay compensation or change its practices.

More information about the Privacy Commissioner's use of the determination power:

Privacy Commissioner's use of s.52 Determination Power

Appeals

The Federal Court and the Federal Magistrates Court

If the Privacy Commissioner closes your file and you disagree with that decision, you can appeal to the Federal Court or the Federal Magistrates Court.

If the respondent does not follow the Privacy Commissioner's orders in a determination either you or the Commissioner can take your complaint to the Federal Court or the Federal Magistrates Court to have the determination enforced.

Administrative Appeals Tribunal

If the Privacy Commissioner has issued a determination in relation to an Australian or ACT government agency, and you or the respondent disagree with the amount of compensation, if any, an application can be made to the Administrative Appeals Tribunal for a review of the compensation amount.