Protocol for handling privacy complaints
The Protocol for handling privacy complaints guide appears below. Updated March 2022.
Overview
The NSW Privacy Commissioner receives complaints from members of the public about breaches of privacy, which may be dealt with under the Privacy and Personal Information Protection Act 1998 (PPIP Act) or, in certain circumstances, the Health Records and Information Privacy Act 2002 (HRIP Act).
This Protocol describes how the Privacy Commissioner will generally deal with privacy complaints. This Protocol is intended as a guide only and should not be treated as a substitute for the terms of the PPIP or HRIP Acts. It should be considered in conjunction with these Acts, together with any other legislation that may apply from time to time, as well as relevant case law.
Complaints may be made to the Privacy Commissioner about an alleged violation of, or interference with, an individual’s privacy.[1] Such complaints are to be dealt with under Part 4, Division 3 of the PPIP Act.
A complaint is to be made by the person whose privacy has allegedly been interfered with or violated. The Privacy Commissioner may, however, accept a complaint made on behalf of a third person, for example, by a parent or guardian for a child, a lawyer for a client, or a Member of Parliament for a constituent. However, before dealing with such a complaint, the Privacy Commissioner will usually require the contact details of the person on whose behalf the complaint is made, and evidence of authority to act on behalf of the Complainant or evidence of any legal lack of capacity if the consent of the person on whose behalf the complaint is made has not been provided.
A privacy complaint must be dealt with under the HRIP Act if it involves an alleged breach by a private sector person[2] of:
- a Health Privacy Principle (HPP); the HPPs apply to health information and are contained in Sch. 1 of the HRIP Act
- Part 4 of the HRIP Act, which contains provisions for private sector persons, and/or
- a health privacy code of practice.[3]
The process for dealing with complaints against private sector persons under the HRIP Act varies slightly from that under the PPIP Act and is discussed in Part 3 of this Protocol.
1.1 Who may deal with a complaint
The Privacy Commissioner may deal with complaints personally. Any member of staff to whom complaint-handling functions are delegated by the Privacy Commissioner may also deal with complaints.[4]
1.2 Time for making complaints
A complaint must be made within 6 months from the time the complainant first became aware of the conduct or matter that is the subject of the complaint.[5]
The Privacy Commissioner has the discretion to extend the time for making a complaint beyond the 6-month period.[6] If requested to do so, the Privacy Commissioner will consider whether to grant an extension of time, taking into account all relevant matters. These might include, but are not limited to:
- the length of the delay
- whether the complainant is able to provide a reasonable explanation for the delay (such as ill-health or other reasons relating to incapacity)
- whether the respondent has suffered any prejudice as a result of the delay, and
- the merits of the complaint, which would encompass considerations similar to those on the basis of which the Privacy Commissioner may decide not to deal with a complaint.[7]
If the Privacy Commissioner decides to grant an extension of time, the complaint is to be dealt with under the PPIP Act or HRIP Act, as applicable.
If the Privacy Commissioner decides not to grant an extension of time, no further action will be taken in respect of the complaint.
1.3 All complaints to be in written form
The Privacy Commissioner requires complaints under the PPIP Act to be made in writing.[8] All complaints under the HRIP Act must be in writing.[9] If a person makes a complaint verbally, they should be advised to put it in writing, addressed to the Privacy Commissioner.
Complaints will only be accepted by post, email or by other electronic lodgement means made available by the Information and Privacy Commission (IPC). However, the Privacy Commissioner may require some other contact information (such as a valid telephone number) to be included or provided with the complaint. The reasons for this are, first, to ensure that the complainant has a “real world” identity and, second, to assist in the effective processing of the complaint by the IPC.
The Privacy Commissioner may also require a complaint to be verified by statutory declaration.[10]
1.4 Does Part 5 of the PPIP Act apply to the complaint?
The first issue to be determined after receiving a complaint is whether it involves conduct to which Part 5 of the PPIP Act applies. Part 5 deals with a person’s right to seek review of certain conduct:
- internally by public sector agencies and
- externally by the NSW Civil and Administrative Tribunal (NCAT).
Part 5 of the PPIP Act applies to the following conduct (or alleged conduct):
- the contravention by a public sector agency of an Information Protection Principle (IPP) or a Health Privacy Principle (HPP) that applies to that agency[11]
- the contravention by a public sector agency of a privacy code of practice or a health privacy code of practice that applies to that agency,[12] and
- the disclosure by a public sector agency of personal information kept in a public register.[13]
If a complaint involves any of the above matters, the Privacy Commissioner must advise the complainant of the review process under Part 5 of the PPIP Act and the remedial action available should the complainant decide to apply for internal review under s. 53 of the PPIP Act.[14]
It should also be noted that the Privacy Commissioner does not usually deal with a complaint that is more appropriately dealt with by an application for internal review under s. 53 of the PPIP Act.
1.5 Respondent to be advised of the complaint
If the Privacy Commissioner deals with a complaint under the PPIP Act or HRIP Act, the complainant should be advised that the principles of fairness will require the respondent to be advised of the complainant’s identity, the nature of and circumstances giving rise to the complaint and any alleged breaches of privacy.
The respondent will be given an opportunity to respond to the complaint. Any such response will be taken into account, along with the complainant’s views, by the Privacy Commissioner in dealing with the complaint.
1.6 Amending complaints
All complaints may be amended or withdrawn by the individual at any time.[15] The Privacy Commissioner requires any amendments to a complaint to be made in writing consistent with the provisions of 1.3 of this Protocol.
2. Privacy complaints under the PPIP Act
All complaints must be dealt with under the PPIP Act unless they are about the conduct of a private sector person, involving an alleged contravention of a HPP, code of practice or Part 4 of the HRIP Act. In such circumstances, a complaint about a private sector person will be dealt with under the HRIP Act.[16]
The Privacy Commissioner may deal with a complaint even if it raises a matter that may be subject to internal and external review under Part 5 of the PPIP Act.[17] This means that it is open to the Privacy Commissioner to deal with a complaint even if the complainant would have a right of review by NCAT.
However, as a general practice, the Privacy Commissioner will not deal with a complaint if it would be more appropriate for the complainant to make an internal review application.
2.1 Preliminary assessment
When a complaint is received, the Privacy Commissioner may decide to conduct a preliminary assessment of the complaint.[18] The object of such an assessment will be to determine whether the complaint should be dealt with. The Privacy Commissioner is not required to conduct a preliminary assessment but may proceed directly to deal with the complaint under ss. 48 or 49 of the PPIP Act.
Usually, a preliminary assessment will not be necessary if the application relates to conduct that occurred in the last 6 months and it appears plain that the complaint has merit and warrants further action. However, a preliminary assessment may be appropriate if the complaint is ambiguous or it appears that one of the grounds in s. 46(3) of the PPIP Act applies.
Where a preliminary assessment of a complaint is undertaken, a decision will be made on whether or not to deal with the complaint. The Privacy Commissioner can only refuse to deal with the complaint if the Commissioner is satisfied of the matters set out in s. 46(3). These are discussed below.
2.2 Declining to deal with a complaint
The Privacy Commissioner may only decide not to deal with a complaint if the Commissioner is satisfied of any of the following matters, which are set out in s. 46(3) of the PPIP Act:
2.2.1 The complaint is frivolous, vexatious or lacking in substance, or is not in good faith
A complaint may be “frivolous” or “vexatious” where it appears that a complainant is bringing it for some purpose other than a genuine concern about their privacy.[19]
A complaint will be “lacking in substance” if the conduct complained of raises no issues relating to the “interference with” or “violation of” the complainant’s “privacy”.[20] The notion of privacy in this context should not be considered as limited to mere compliance or non-compliance with the IPPs, HPPs, or applicable codes of practice. The broader notion of privacy should be kept in mind, which is commonly understood to be:
“The state or condition of being alone, undisturbed, or free from public attention, as a matter of choice or right; seclusion; freedom from interference or intrusion.”
One purpose of the Privacy Commissioner’s broad investigative functions is to enable complaints to be dealt with even though they involve no breach of a person’s privacy rights under the principles or codes.
A complaint will not be made in “good faith” if the complainant does not have honest intentions. A subjective assessment will need to be made as to whether the complainant shows honesty and sincerity in making the complaint.
2.2.2 The subject matter of the complaint is trivial
A subjective assessment should be made as to the seriousness of the conduct in the complaint. This may involve an assessment as to whether the conduct adversely affects or negatively impacts the complainant’s privacy.
2.2.3 The subject matter of the complaint relates to a matter permitted or required by or under any law
The subject matter of the complaint may be conduct that a person or agency is obliged to take. Examples of this may include disclosing personal information in answering a subpoena issued by a court or tribunal. Similarly, the respondent may have acted under a discretionary power conferred by common law or a statute.
2.2.4 There is available to the complainant an alternative, satisfactory and readily available means of redress
An alternative, satisfactory and readily available means of redress may exist where the complaint raises issues that are dealt with under privacy legislation of other jurisdictions (e.g. the Privacy Act 1988 (Cth), which contains privacy principles that apply to private individuals and organisations).
A complaint may also raise an issue that is dealt with under another statute or law, for example, the covert surveillance of employees at their place of work (see the Workplace Surveillance Act 2005).
A decision made on this ground would often be accompanied by a referral under s. 47 of the PPIP Act. In such cases, the Privacy Commissioner will, prior to making a decision to refuse to deal with a complaint, advise the complainant of their view that another person or body would appear to be in a better position to deal with the complaint.
2.2.5 It would be more appropriate for the complainant to make an application under section 53
All complaints must be initially assessed as to whether they involve conduct to which Part 5 of the PPIP Act applies.
If the conduct complained of involves an alleged breach by a public sector agency of one or more of the IPPs, HPPs, codes of practice or disclosure of information on a register, the Privacy Commissioner usually takes the view that it would be more appropriate for an internal review application to be made.
This is because a person may seek external review with the NCAT if they remain dissatisfied with the outcome of the internal review. Compared to the Privacy Commissioner’s powers under the PPIP Act, the NCAT has a broader array of powers to grant a range of relief, including making an award of damages of up to $40,000 and orders requiring or restraining the agency from taking certain conduct.
If the Privacy Commissioner decides not to deal with a complaint on any of the above grounds, the Commissioner must advise the complainant of the reasons for that decision.[21] In such cases, the Privacy Commissioner may, prior to making a decision to refuse to deal with a complaint, advise the complainant of their view that an application under section 53 would appear to be more appropriate to deal with the complaint.
If a decision is made not to deal with a complaint, a letter will be sent advising the complainant of this decision and the reasons for it.
2.3 Referrals
The Privacy Commissioner may refer a complaint to a person or body (the relevant authority) as considered to be appropriate in the circumstances.[22] Before making such a decision, the Privacy Commissioner must:
- consult with the complainant and the relevant authority to whom a referral is proposed to be made, and
- take their views into consideration.
After considering the matter, the Privacy Commissioner may decide to refer the complaint and, in doing so, may provide to the relevant authority any information obtained in relation to the complaint.[23]
A decision to refer a complaint would ordinarily be accompanied by a decision not to deal with the complaint.[24]
If the Privacy Commissioner decides not to refer the complaint, it may be dealt with under the PPIP Act unless one of the grounds under s. 46(3) applies.
2.4 General power to deal with complaints
Under s. 48(1)(a) of the PPIP Act, the Privacy Commissioner may decide to deal with a complaint. Although that provision does not specify the manner in which a complaint may be dealt with, the Privacy Commissioner is empowered to conduct further inquiries and investigations.[25]
The Privacy Commissioner may make findings and recommendations on any complaint dealt with under the PPIP Act, which may be subject to a written report.
In dealing with a complaint, the Privacy Commissioner must attempt to resolve it by conciliation.
2.5 Conciliation
The Privacy Commissioner must endeavour to resolve all complaints dealt with under the PPIP Act by conciliation.[26] The procedures to be adopted in the conciliation process are to be determined by the Privacy Commissioner, at the Commissioner’s discretion.[27]
Although the Privacy Commissioner is obliged to endeavour to resolve a complaint by conciliation, where both parties do not agree to conciliation, or it appears to the Privacy Commissioner that conciliation is unlikely to resolve the complaint, it may be appropriate for the Privacy Commissioner to deal with a complaint generally under s. 48(1) or, where there are grounds to do so, decline to deal with the complaint.
Where a complaint is not resolved through conciliation, the Privacy Commissioner may make a written report as to the Commissioner’s findings or recommendations in relation to the complaint.[28]
2.5.1 Informal conciliation
The Privacy Commissioner seeks to informally resolve all complaints to the parties’ mutual satisfaction, through the exchange of written correspondence and telephone discussions. The complainant will be requested to confirm the particulars of the complaint and the outcome sought. The respondent will be given an opportunity to respond.
Should the parties reach an agreement on a mutually satisfactory resolution of the complaint, the Privacy Commissioner will take no further action (unless the Privacy Commissioner's further involvement is a matter upon which the parties have agreed and the Privacy Commissioner is satisfied that further involvement is necessary).
Ordinarily, the Privacy Commissioner will allow the parties reasonable time and flexibility to arrive at a conciliated agreement. However, if, in the course of the informal conciliation process, it appears that there are limited prospects of a conciliated resolution (because, for example, the parties cannot agree on the outstanding issues), the Privacy Commissioner can terminate the conciliation and proceed to deal with the complaint.
2.5.2 Conciliation proceedings
The Privacy Commissioner has the power to issue a notice to a complainant and respondent, requesting them to appear before the Privacy Commissioner in conciliation proceedings.[29] If the respondent is a public sector agency (as defined in s. 3(1) of the PPIP Act), it must comply with the notice issued by the Privacy Commissioner.[30]
Complaints may ultimately not be resolved through conciliation proceedings, particularly in the absence of one or both parties’ consent. This is because the Privacy Commissioner does not have the power to grant enforceable remedies to a complainant and, accordingly, conciliation proceedings are based on the mutual cooperation of both parties.
Any conciliation proceedings will be conducted informally, with a view to assisting the parties to reach an agreed resolution of the complaint. Neither the complainant nor the respondent is entitled to be represented by another person, except with leave of the Privacy Commissioner.[31]
Each party will be requested to bring to the conciliation proceedings information relevant to the complaint and act in good faith to try and resolve the issues raised in the complaint. Any person appearing for a public sector agency will be required to have authority to resolve the matter.
2.6 Inquiries and investigations
The Privacy Commissioner has broad powers to conduct investigations and inquiries.[32] The Privacy Commissioner may determine the procedures to be followed in conducting inquiries and investigations, must act informally, is not bound by the rules of evidence and may gather information in any way considered by the Privacy Commissioner to be just.[33]
In conducting inquiries or investigations, the Privacy Commissioner must also act according to the substantial merits of the case, without undue regard to technicalities.[34]
2.7 Reports and recommendations
The Privacy Commissioner may make a written report on any findings or recommendations in relation to a complaint dealt with under the PPIP Act.[35] This includes any recommendations made in the course of conciliation, as well as those made in the course of dealing with the complaint generally under s. 48 of the PPIP Act. A copy of this report may be given to the complainant and any other persons or bodies who may be materially involved in matters concerning the complaint.[36]
However, the Privacy Commissioner is not obliged to make a written report for all complaints dealt with under the PPIP Act.
3. Complaints against private sector persons under the HRIP Act
Complaints must be dealt with under the HRIP Act where they involve an alleged breach by a private sector person of:
- an HPP in Sch. 1 of the HRIP Act
- Part 4 of the HRIP Act, and/or
- a health privacy code of practice.[37]
Any complaint that does not fall within one of the above categories must be dealt with under the PPIP Act (see Part 2 of this Protocol).
3.1 Preliminary assessment
When a complaint is received, the Privacy Commissioner may conduct a preliminary assessment of the complaint.[38] The object of such an assessment will be to determine whether there are reasonable grounds to the complaint, and if so, whether the Privacy Commissioner should deal with the complaint.
Generally, a preliminary assessment will be appropriate if the complaint is ambiguous or it appears that one of the grounds under s. 43(2) of the HRIP Act applies.
The Privacy Commissioner is not required to conduct a preliminary assessment and may proceed directly to conduct a s. 44 assessment and, if there is a prima facie case, to deal with the complaint under s. 45(1) of the HRIP Act.
3.2 Declining to deal with a complaint
After undertaking a preliminary assessment of a complaint, a decision will be made whether or not to deal with it. The Privacy Commissioner can only refuse to deal with the complaint if the Commissioner is satisfied of the matters set out in s. 43(2) of the HRIP Act, which are discussed below.
3.2.1 The complaint is frivolous, vexatious or lacking in substance, or is not in good faith
The sorts of complaints that can be dealt with under the HRIP Act are significantly more limited than the general matters about which complaints may be made under the PPIP Act.
As with those under the PPIP Act, a complaint under the HRIP Act may be “frivolous” or “vexatious” where it appears that a complainant is bringing it for some purpose other than a genuine concern about their privacy.[39]
Similarly, a complaint will not be made in “good faith” if the complainant does not have honest intentions. A subjective assessment will need to be made as to whether the complainant shows honesty and sincerity in making the complaint.
However, a complaint will be “lacking in substance” only if it raises no issue relating to an alleged breach of an HPP, provision of Part 4 of the HRIP Act, or a health privacy code of practice.
3.2.2 The subject matter of the complaint is trivial
A subjective assessment should be made as to the seriousness of the conduct that is the subject of the complaint. This may involve an assessment as to whether the conduct adversely affects or negatively impacts the complainant’s privacy.
3.2.3 The subject matter of the complaint relates to a matter permitted or required by or under any law
The subject matter of the complaint may be conduct that a person or agency is obliged to take. Examples of this may include disclosing personal information in answering a subpoena issued by a court or tribunal. Similarly, the respondent may have acted under a discretionary power conferred either by common law or by a statute.
3.2.4 There is available to the complainant an alternative, satisfactory and readily available means of redress
An alternative, satisfactory, readily available means of redress may exist where the complaint raises issues that are dealt with under privacy legislation of other jurisdictions (e.g. the Privacy Act 1988 (Cth), which contains privacy principles that apply to private individuals and organisations).
3.2.5 The matter should be referred to the Health Care Complaints Commission (HCCC) or another person or body under section 65, 66 or 67 of the HRIP Act
The Privacy Commissioner may refer a complaint about private sector persons to the HCCC, the Commonwealth Privacy Commissioner or to any other person or body the Privacy Commissioner considers to be relevant in the circumstances.[40] Any such referral will usually be accompanied by a determination that the complaint has been resolved to the Privacy Commissioner’s satisfaction and no further action will be taken on the complaint.[41]
If the Privacy Commissioner decides to refer a complaint to the HCCC or the Commonwealth Privacy Commissioner, the Privacy Commissioner is not obliged to consult with the complainant before so doing. However, if the Privacy Commissioner refers the complaint to another person or body, the Privacy Commissioner must consult with the complainant.[42]
3.2.5.1 Referral to the Health Care Complaints Commission
Serious complaints about a healthcare practitioner’s professional conduct would fall under the Health Care Complaints Act 1993 and should be referred to the HCCC. Similarly, the Privacy Commissioner may refer a complaint to the HCCC if the complaint concerns a health service that affects the clinical management or care of a person who uses or receives a health service (including a patient).[43]
If a complaint is referred to the HCCC, the Privacy Commissioner may provide it with any information obtained in relation to the complaint.
3.2.5.2 Complaints to the Commonwealth Privacy Commissioner
The Privacy Commissioner may refer a complaint to the Commonwealth Privacy Commissioner if it appears that the complaint could be more appropriately dealt with by the Commonwealth Privacy Commissioner.[44]
If a complaint is referred to the Commonwealth Privacy Commissioner, the NSW Privacy Commissioner may provide them with any information obtained in relation to the complaint.[45]
3.2.5.3 Referral to other persons or bodies
The Privacy Commissioner may refer a complaint to other persons or bodies (“relevant authority”), for investigation or other action, as considered to be relevant in the circumstances.[46] All information obtained by the Privacy Commissioner in relation to the complaint may be provided to the relevant authority.[47]
A complaint may only be referred to a person or body, other than the HCCC or Commonwealth Privacy Commissioner, after consultation with the complainant and the relevant authority.
3.2.6 The person has made a complaint about the same subject matter to the Commonwealth Privacy Commissioner, or to an adjudicator under an approved privacy code within the meaning of the Privacy Act 1988 of the Commonwealth, and the:
- complaint to the Commonwealth Privacy Commissioner has not been withdrawn, or
- Commonwealth Privacy Commissioner has made a determination under section 52 of that Act, or
- adjudicator has made a determination under a provision of the approved privacy code that corresponds to section 52 of that Act.
Upon receiving a complaint against a private sector person under the HRIP Act, the Privacy Commissioner may check with the Commonwealth Privacy Commissioner to determine whether they have received a complaint raising substantially the same or similar issues and that the complaint has not been withdrawn or the subject of a determination under s. 52 of the Privacy Act 1988 (Cth).
3.3 Assessment of the complaint: is there a prima facie case?
If the Privacy Commissioner is satisfied that a complaint should be dealt with under the HRIP Act, an assessment must be carried out under s. 44. In conducting this assessment, the Privacy Commissioner can make such inquiries and investigations as they consider to be appropriate.[48]
Unlike a preliminary assessment, the sole focus of a s. 44 assessment is to determine whether a prima facie case exists with respect to the issues raised in the complaint. A “prima facie” case should be understood as being “a serious, as opposed to a speculative, case which has a real possibility of ultimate success”.[49]
That is, the Privacy Commissioner must form a view as to whether there is a real possibility the complainant can establish that there are reasonable grounds to the complaint. If it is determined that such a “real possibility” exists, the Privacy Commissioner will proceed to deal with the complaint. If there is no “real possibility”, the Privacy Commissioner must cease dealing with the complaint.[50]
3.4 Dealing with complaints
If, after conducting a s. 44 assessment, the Privacy Commissioner is satisfied that there exists a prima facie case for the complaint, the Commissioner may decide to deal with the complaint in one of the following three ways:
- by endeavouring to resolve the complaint by conciliation under s. 46;
- by further investigating the complaint and making a report under s. 47; or
- by determining that the complaint has been resolved to his or her satisfaction.[51]
In deciding how to deal with the complaint, the Privacy Commissioner must take into account the nature of the complaint, the views of the complainant and the respondent, any action(s) taken by the respondent to address the concerns raised in the complaint and whether the complaint raises a matter of public interest.[52]
3.4.1 No further action
If the Privacy Commissioner determines that the complaint has been resolved to the Commissioner’s satisfaction, the complainant and respondent are to be advised of this determination and no further action is to be taken on the complaint.[53]
The determination that a complaint has been resolved to the Privacy Commissioner’s satisfaction is a discretionary matter, taking into account any relevant factors, which might include:
- the nature and circumstances of the complaint, in particular where circumstances have changed since the making of the complaint
- the views of the complainant and respondent
- whether the agency has taken any action to remedy the conduct complained of (e.g. where an apology has been given or a change made to the respondent’s practices or procedures), or
- that the matter will be referred to the HCCC, Commonwealth Privacy Commissioner or another person or body.
In making a determination that a complaint has been resolved to the Privacy Commissioner’s satisfaction, it should be borne in mind that the complainant loses any right of review by NCAT.[54]
If the Privacy Commissioner determines that the complaint has been satisfactorily resolved, a letter should be sent to the complainant and respondent, advising them of this fact and that no further action will be taken.
3.4.2 Conciliation proceedings
One way in which the Privacy Commissioner may deal with a privacy complaint against a private sector person is to resolve it by conciliation under s. 46 of the HRIP Act. Unlike the conciliation obligation under the PPIP Act, the Privacy Commissioner’s power to conciliate a complaint is discretionary.[55]
The form of conciliation contemplated by s. 46 of the HRIP Act is the conduct of formal conciliation proceedings. The Privacy Commissioner may issue a written notice to the complainant and respondent, requesting them to appear before the Privacy Commissioner.[56] A person or body must not fail to comply with such a notice without reasonable excuse.[57]
3.4.3 Conciliation precludes inquiry by NCAT
Prior to conducting a conciliation, the Privacy Commissioner should advise the complainant that, if conciliation is attempted and is unsuccessful, they will lose the right to apply to NCAT for an inquiry into the complaint.
This is because the Privacy Commissioner is not permitted to take any further action after the conclusion of the conciliation proceedings, whether or not the parties reach any agreement as a result of the proceedings.[58] Therefore, the Privacy Commissioner cannot investigate a complaint if conciliation is unsuccessful, nor prepare a report under s. 47(1)(b) of the HRIP Act, which is a necessary pre-condition for an inquiry by NCAT into a complaint.[59]
3.4.4 Agreement of the parties to conciliation
The unavailability of an NCAT inquiry if conciliation proceedings are conducted is a significant risk for complainants. As a consequence, the Privacy Commissioner will ordinarily be reluctant to deal with a complaint in this manner, particularly in the absence of the complainant’s consent.
Nonetheless, if both parties (and, in particular, the complainant) prefer to have the complaint resolved by conciliation and there appear to be good prospects of settling the matter, it may be appropriate for the Privacy Commissioner to attempt to resolve the complaint through conciliation proceedings.
If a conciliation proceeding is arranged, both parties are to be advised in writing of the following matters:
- the date, time and venue at which the conciliation proceedings will be held
- the time allocated for the proceedings and the person who will preside over the proceedings
- that no further action can be taken after the conclusion of the proceedings, even if the parties do not reach agreement
- that electing to conciliate a complaint precludes the Privacy Commissioner from investigating and reporting on the matter, which in turn precludes NCAT from holding an inquiry into the complaint, and
- confirming that conciliation proceedings are to be conducted confidentially.
3.4.5 Conduct of conciliation proceedings
As with conciliation conducted under the PPIP Act, the Privacy Commissioner will conduct proceedings in an informal manner. The procedures to be adopted in the conciliation process are to be determined by the Privacy Commissioner, at the Commissioner’s discretion.[60] Usually, this would involve the complainant and respondent appearing at the Privacy Commissioner’s office on a specified date. Neither the complainant nor the respondent is entitled to be represented by another person, except with leave of the Privacy Commissioner.[61]
Each party will be requested to bring to the proceedings information relevant to the complaint and act in good faith to try and resolve the issues raised in the complaint. Any person appearing for the respondent person or body will be required to have authority to resolve the matter.
Both parties will be required to agree to the confidentiality of the conciliation proceedings. Evidence of anything said or done during the course of conciliation proceedings is not admissible in subsequent proceedings in relation to the complaint.[62] The parties’ involvement in conciliation proceedings before the Privacy Commissioner is therefore without prejudice to the parties’ rights in subsequent proceedings concerning the complaint.
3.4.6 Conclusion of conciliation proceedings
During the course of conciliation proceedings, the Privacy Commissioner will encourage the parties to come to a mutually acceptable settlement of the complaint. This might involve a respondent agreeing to take further action to remedy the conduct complained of. In turn, a complainant may be requested not to take the complaint any further if some form of remedial action is taken.
Where the parties have not reached an agreement, the Privacy Commissioner will exercise particular caution before determining that conciliation proceedings have concluded. This is because an unsuccessful conciliation will leave a complainant with no further avenues of redress under the HRIP Act.
However, if in the course of the proceedings, it appears that there are limited prospects of settlement (because, for example, the parties cannot agree on the issues), the Privacy Commissioner will advise the parties that they intend to terminate the proceedings. Each party will be given an opportunity to express a view as to why the proceedings should not be terminated.
If, at the conclusion of the time allocated for the proceedings, no agreement has been reached, the conciliation will be terminated. If this occurs, the Privacy Commissioner cannot take any further action.[63]
Only in exceptional circumstances, and where there is a real prospect of agreement, will the time for conducting the conciliation proceedings be extended.
At the conclusion of conciliation proceedings, the Privacy Commissioner will write to both the parties, confirming:
- the nature of the complaint and the issues arising at the conciliation proceedings
- the outcome and agreed settlement of the complaint (if any), and
- that no further action will be taken on the complaint.
3.4.7 Investigating complaints and reporting on findings
An alternative manner in which the Privacy Commissioner may deal with a complaint, under s. 45(1)(b) of the HRIP Act, is by conducting further investigations and making a report. In so doing, the Privacy Commissioner has the same broad powers to undertake inquiries and investigations under the HRIP Act, as under the PPIP Act.[64]
The Privacy Commissioner may determine the procedures to be followed in conducting inquiries and investigations, must act informally, is not bound by the rules of evidence and may gather information in any way considered by the Privacy Commissioner to be just.[65] In conducting inquiries or investigations, the Privacy Commissioner must also act according to the substantial merits of the case, without undue regard to technicalities.[66]
If the Privacy Commissioner decides to further investigate a complaint, the parties should be advised in writing of this decision.
3.4.8 Report on findings and recommendations
Under s. 47(1), the Privacy Commissioner may make a written report as to any findings or recommendations in relation to a complaint dealt with by investigation. A copy of such a report may be given to the complainant, the respondent and such other persons or bodies as are materially involved in the matters concerning the complaint.[67]
Once a report has been finalised, the complaint will be considered to have been “dealt with” and finalised. This means that the Privacy Commissioner can take no further action in relation to the matter.
3.4.9 Right to apply to NCAT for an inquiry
Where the Privacy Commissioner makes a report under s. 47(1), the complainant has a right to apply to NCAT for an inquiry into the complaint.[68] The Privacy Commissioner has a right to appear and be heard in any such proceedings.[69]
The NCAT will make a fresh inquiry into the complaint and has broad powers to make orders remedying the complaint, including the award of damages.[70]
If a report is to be made under s. 47(1), the Privacy Commissioner will usually provide a copy of it to both the parties and advise them that the complainant will have a right to apply to NCAT for a fresh inquiry into the complaint, and of the relevant timeframes that may be applicable.
Appendix 1: Complaint Provisions of the PPIP Act
Part 4, Div. 3 of the Privacy and Personal Information Protection Act 1998 provides as follows:
Division 3 Complaints relating to privacy
45 Making of privacy related complaints
- A complaint may be made to (or by) the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual.
- The subject-matter of a complaint may relate to conduct to which Part 5 applies (unless it is conduct that is alleged to have occurred before the commencement of that Part).
Note—
Section 21 of the Health Records and Information Privacy Act 2002 provides that certain conduct under that Act by public sector agencies is conduct to which Part 5 of this Act applies.
(2A) A complaint about a matter referred to in section 42 of the Health Records and Information Privacy Act 2002 is not to be dealt with under this Division but is to be dealt with by the Privacy Commissioner as a complaint under Part 6 of that Act.
Note—
Section 42 of the Health Records and Information Privacy Act 2002 provides that a complaint may be made to the Privacy Commissioner about the alleged contravention by a private sector person of a Health Privacy Principle, a provision of Part 4 (Provisions for private sector persons) of that Act or a health privacy code of practice.
- A complaint may be in writing or verbal, but the Privacy Commissioner may require a verbal complaint to be put in writing.
- The Privacy Commissioner may require information about a complaint to be provided by the complainant in a particular manner or form, and may require a complaint to be verified by statutory declaration.
- A complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) from the time the complainant first became aware of the conduct or matter the subject of the complaint.
- A complainant may amend or withdraw a complaint.
46 Preliminary assessment of privacy related complaints
- The Privacy Commissioner may conduct a preliminary assessment of a complaint made under this Division for the purpose of deciding whether to deal with the complaint.
- If the subject-matter of the complaint relates to conduct to which Part 5 applies, the Privacy Commissioner must inform the complainant of the review process under that Part and the remedial action that may be available if the complainant decides to make an application under section 53 in respect of that conduct.
- The Privacy Commissioner may decide not to deal with a complaint if the Privacy Commissioner is satisfied that—
- (a) the complaint is frivolous, vexatious or lacking in substance, or is not in good faith, or
- (b) the subject-matter of the complaint is trivial, or
- (c) the subject-matter of the complaint relates to a matter permitted or required by or under any law, or
- (d) there is available to the complainant an alternative, satisfactory and readily available means of redress, or
- (e) it would be more appropriate for the complainant to make an application under section 53.
47 Referring privacy related complaints to other authorities
- The Privacy Commissioner may refer a complaint made under this Division for investigation or other action to any person or body (the relevant authority) considered by the Privacy Commissioner to be appropriate in the circumstances.
- The Privacy Commissioner may communicate to the relevant authority any information that the Privacy Commissioner has obtained in relation to the complaint.
- The Privacy Commissioner may only refer a complaint to a relevant authority after appropriate consultation with the complainant and the relevant authority, and after taking their views into consideration.
48 Dealing with privacy related complaints
- If the Privacy Commissioner decides to deal with a complaint made under this Division, the Privacy Commissioner may—
- (a) deal with the complaint, and
- (b) make such inquiries and investigations in relation to the complaint as the Privacy Commissioner thinks appropriate.
- If the Privacy Commissioner declines to deal with a complaint, the Privacy Commissioner must advise the complainant of the reasons for declining to deal with the complaint.
49 Resolution of privacy related complaints by conciliation
- In dealing with a complaint made under this Division, the Privacy Commissioner must endeavour to resolve the complaint by conciliation.
- The Privacy Commissioner may by written notice request the complainant, and the person or body against whom the complaint is made (the respondent), to appear before the Privacy Commissioner in conciliation proceedings.
- If a respondent that is a public sector agency receives any such notice, the agency must comply with the terms of the notice.
Maximum penalty (subsection (3)): 50 penalty units.
- The parties to any such conciliation proceedings before the Privacy Commissioner are not entitled to be represented by any other person except by leave of the Privacy Commissioner.
- The procedures for conciliation are to be determined by the Privacy Commissioner.
50 Reports and recommendations of Privacy Commissioner
- The Privacy Commissioner may make a written report as to any findings or recommendations by the Privacy Commissioner in relation to a complaint dealt with by the Commissioner under this Division.
- The Privacy Commissioner may give a copy of any such report to the complainant, and to such other persons or bodies as appear to be materially involved in matters concerning the complaint.
51 Effect of dealing with privacy related complaints under this Division
Even though the Privacy Commissioner declines to deal with a complaint under this Division, or decides to refer the complaint to a relevant authority, the Privacy Commissioner may conduct an inquiry or investigation into any general issues or matters raised in connection with the complaint.
Appendix 2: Complaint Provisions of the HRIP Act
Part 6 of the Health Records and Information Privacy Act 2002 provides as follows:
Part 6 Complaints against private sector persons
Division 1 General
41 Definitions
In this Part—
complainant, in relation to a complaint, means the person who makes the complaint.
respondent, in relation to a complaint, means a person against whom the complaint is made.
42 Making of privacy related complaints
- A complaint may be made to the Privacy Commissioner about the alleged contravention of any of the following by a private sector person—
- (a) a Health Privacy Principle,
- (b) a provision of Part 4,
- (c) a health privacy code of practice.
- A complaint must be made—
- (a) in writing, and
- (b) in accordance with such regulations (if any) as may be made for the purposes of this section.
- A complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) after the time the complainant first became aware of the conduct the subject of the complaint.
- A complainant may amend or withdraw a complaint.
- This Part does not apply to any conduct that occurred before the commencement of this Part.
43 Preliminary assessment of complaints
- The Privacy Commissioner may conduct a preliminary assessment of a complaint made under this Part for the purpose of deciding whether to deal with the complaint.
- The Privacy Commissioner may decide not to deal with a complaint if the Privacy Commissioner is satisfied that—
- (a) the complaint is frivolous, vexatious or lacking in substance, or is not in good faith, or
- (b) the subject matter of the complaint is trivial, or
- (c) the subject matter of the complaint relates to a matter permitted or required by or under any law, or
- (d) there is available to the complainant an alternative, satisfactory and readily available means of redress, or
- (e) the matter should be referred to the Health Care Complaints Commission or another person or body under section 65, 66 or 67, or
- (f) the person has made a complaint about the same subject matter to the Commonwealth Privacy Commissioner, or to an adjudicator under an approved privacy code within the meaning of the Privacy Act 1988 of the Commonwealth, and—
- (i) the complaint has not been withdrawn, or
- (ii) the Commonwealth Privacy Commissioner has made a determination under section 52 of that Act, or
- (iii) the adjudicator has made a determination under a provision of the approved privacy code that corresponds to section 52 of that Act.
- If the Privacy Commissioner decides not to deal with a complaint, the Privacy Commissioner must advise the complainant of the reasons for deciding not to deal with the complaint.
44 Assessment of complaints
- If the Privacy Commissioner decides to deal with a complaint made under this Part, the Privacy Commissioner—
- (a) is to carry out an assessment to determine whether there is a prima facie case that the respondent contravened a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice, and
- (b) for that purpose, may make such inquiries and investigations into the complaint as the Privacy Commissioner thinks appropriate.
- If, after carrying out such an assessment, the Privacy Commissioner is satisfied that there is no prima facie case that the respondent contravened a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice, the Privacy Commissioner is to cease to deal with the complaint.
- If the Privacy Commissioner ceases to deal with a complaint, the Privacy Commissioner must advise the complainant of the reasons for ceasing to deal with the complaint.
45 Dealing with complaint
- If the Privacy Commissioner is satisfied that there is a prima facie case that the respondent contravened a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice, the Privacy Commissioner may—
- (a) endeavour to resolve the complaint by conciliation under section 46, or
- (b) further investigate the complaint and make a report under section 47, or
- (c) determine that the complaint has been resolved to his or her satisfaction.
- In deciding which course of action to take, the Privacy Commissioner is to take into consideration the following matters—
- (a) the nature of the complaint,
- (b) the views of the complainant and respondent,
- (c) any action taken by the respondent (or that the respondent gives an undertaking to take) to address the complaint,
- (d) whether the complaint raises a matter of public interest.
- If the Privacy Commissioner determines that the complaint has been resolved to his or her satisfaction under subsection (1) (c), the Privacy Commissioner is to—
- (a) notify the complainant and the respondent of the determination, and
- (b) take no further action on the complaint.
46 Resolution of complaint by conciliation
- The Privacy Commissioner may endeavour to resolve the complaint by conciliation.
- The Privacy Commissioner may by written notice request the complainant and the respondent to appear before the Privacy Commissioner in conciliation proceedings.
- A person or body must not without reasonable excuse fail to comply with the terms of a notice under subsection (2).
Maximum penalty—50 penalty units in the case of a body corporate or 10 penalty units in any other case.
- The parties to any such conciliation proceedings before the Privacy Commissioner are not entitled to be represented by any other person except by leave of the Privacy Commissioner.
- The procedures for conciliation are to be determined by the Privacy Commissioner.
- Evidence of anything said or done in the course of conciliation proceedings under this section is not admissible in subsequent proceedings under this Part relating to the complaint.
- The Privacy Commissioner is to take no further action after the conclusion of the conciliation proceedings, whether or not the parties reach any agreement as a result of the proceedings.
47 Reports and recommendations of Privacy Commissioner
- The Privacy Commissioner may make a written report as to any findings or recommendations by the Privacy Commissioner in relation to a complaint dealt with by the Privacy Commissioner under section 45 (1) (b).
- The Privacy Commissioner may give a copy of any such report to the complainant, the respondent and to such other persons or bodies as appear to be materially involved in matters concerning the complaint.
- A report under this section is admissible in subsequent proceedings under this Part relating to the complaint.
Division 2 Functions of the Tribunal
Note—
The Civil and Administrative Tribunal Act 2013 contains provisions dealing with the practice and procedure of the Tribunal, including matters concerning parties and their representation.
48 Application to Tribunal
- A person who has made a complaint to the Privacy Commissioner under Division 1 may apply to the Tribunal for an inquiry into the complaint, but only if the complaint was the subject of a report of the Privacy Commissioner under section 47.
Note—
This section confers jurisdiction on the Tribunal to make an original decision. It does not confer jurisdiction to review a decision of the Privacy Commissioner.
- An application may only be made within 28 days after—
- (a) the day on which the complainant received the report of the Privacy Commissioner, or
- (b) the day (if any) recommended in the report of the Privacy Commissioner as the day after which an application may be made to the Tribunal, whichever is later.
- However, a person cannot apply to the Tribunal if the person has made a complaint about the same subject matter to the Commonwealth Privacy Commissioner, or to an adjudicator under an approved privacy code within the meaning of the Privacy Act 1988 of the Commonwealth, and—
- (a) the complaint has not been withdrawn, or
- (b) the Commonwealth Privacy Commissioner has made a determination under section 52 of that Act, or
- (c) the adjudicator has made a determination under a provision of the approved privacy code that corresponds to section 52 of that Act.
49 Inquiries into complaints
The Tribunal is to hold an inquiry into a complaint that is the subject of an application.
50 Appearance by Privacy Commissioner
- The Privacy Commissioner is to be notified by the Tribunal of any application made to it under section 48.
- The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to an inquiry under this Part.
51 Proof of exemption
If in proceedings in relation to an inquiry into a complaint the respondent relies on an exemption under any provision of this Act or the regulations, the onus of proving that the exemption applies to the respondent in the circumstances lies on the respondent.
52 Tribunal may dismiss frivolous etc complaints
- If, at any stage of an inquiry into a complaint, the Tribunal is satisfied that the complaint is frivolous, vexatious, misconceived or lacking in substance, or that for any other reason the complaint should not be dealt with, it may dismiss the complaint.
- The Tribunal may dismiss a complaint if satisfied that the person does not wish to proceed with the complaint.
- If the Tribunal dismisses a complaint under this section, it may order the complainant to pay the costs of the inquiry.
53 Relationship to Civil and Administrative Tribunal Act 2013
Nothing in section 52 limits the generality of the powers conferred on the Tribunal by Part 4 of the Civil and Administrative Tribunal Act 2013.
54 Order or other decision of Tribunal
- After holding an inquiry, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders—
- (a) subject to subsection (2), an order requiring the respondent to pay to the complainant damages not exceeding $40,000 if the respondent is a body corporate, or not exceeding $10,000 in any other case, by way of compensation for any loss or damage suffered by reason of the respondent’s conduct,
- (b) an order requiring the respondent to refrain from any conduct or action in contravention of a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice,
- (c) an order requiring the performance of a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice,
- (d) an order requiring health information that has been disclosed to be corrected by the respondent,
- (e) an order requiring the respondent to take specified steps to remedy any loss or damage suffered by the complainant,
- (f) such ancillary orders as the Tribunal thinks appropriate.
- The Tribunal may make an order under subsection (1) (a) only if—
- (a) the application relates to conduct that occurs after the end of the 12-month period following the date on which Schedule 1 commences, and
- (b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the respondent.
- In making an order for damages under this section concerning a complaint lodged on behalf of a person or persons, the Tribunal may make such order as it thinks fit as to the application of those damages for the benefit of the person or persons.
[1] PPIP Act, s. 45(1).
[2] A “private sector person” is defined in s. 4(1) of the HRIP Act to include natural persons and bodies corporate, partnerships, and trusts or any other unincorporated associations or bodies, but not small business operators and agencies under the Privacy Act 1988 (Cth).
[3] HRIP Act, s. 42.
[4] Under s. 44 of the PPIP Act, the Privacy Commissioner may delegate any of his or her functions under any other Act to a member of his or her staff or to any other person prescribed by the Regulations.
[5] PPIP Act, s. 45(5) and HRIP Act s. 42(3).
[6] Id.
[7] PPIP Act, s. 46(3).
[8] Under s. 45(3) of the PPIP Act, the Privacy Commissioner may require a verbal complaint to be put in writing.
[9] HRIP Act, s. 42(2).
[10] PPIP Act, s. 45(4).
[11] PPIP Act, s. 52(1)(a) and HRIP Act s. 21(1)(a).
[12] PPIP Act, s. 52(1)(b) and HRIP Act s. 21(1)(b).
[13] PPIP Act, s. 52(1)(c).
[14] PPIP Act, s. 46(2).
[15] PPIP Act, s. 45(6) and HRIP Act s. 42(4).
[16] HRIP Act, s. 45.
[17] PPIP Act, s. 45(2).
[18] This is done under s. 46 of the PPIP Act.
[19] For example, a complaint brought to intimidate, harass or to derive some collateral advantage: Williams v Spautz (1992) 107 ALR 635; Flower & Hart (A Firm) v White Industries (Qld) Pty Ltd [1999] FCA 773.
[20] In s. 45(1) of the PPIP Act, a complaint may be made about an alleged violation of, or interference with, an individual’s privacy.
[21] PPIP Act, s. 48(2).
[22] PPIP Act, s. 47(1).
[23] PPIP Act, s. 47(2).
[24] PPIP Act, s. 46(3)(d).
[25] PPIP Act, s. 48(1)(b).
[26] PPIP Act, s. 49(1).
[27] PPIP Act, s. 49(5).
[28] PPIP Act, s. 50(1).
[29] PPIP Act, s. 49(2).
[30] PPIP Act, s. 49(3).
[31] PPIP Act, s. 49(4).
[32] See the Privacy Commissioner’s functions in Part 4, Division 2 of the PPIP Act.
[33] PPIP Act, s. 39(a)-(c).
[34] PPIP Act, s. 39(d).
[35] PPIP Act, s. 50(1).
[36] PPIP Act, s. 50(2).
[37] HRIP Act, s. 42.
[38] HRIP Act, s. 43(1).
[39] For example, a complaint brought to intimidate, harass or to derive some collateral advantage: Williams v Spautz (1992) 107 ALR 635; Flower & Hart (A Firm) v White Industries (Qld) Pty Ltd [1999] FCA 773.
[40] HRIP Act, ss. 65-67 respectively.
[41] HRIP Act, ss. 45(1)(c) and 45(3)(b).
[42] HRIP Act, s. 67(3).
[43] HRIP Act, s. 65(1).
[44] HRIP Act, s. 66(1).
[45] HRIP Act, s. 66(2).
[46] HRIP Act, s. 67(1).
[47] HRIP Act, s. 67(2).
[48] HRIP Act, s. 44(1)(b).
[49] See the definition of “prima facie” in the Encyclopaedic Legal Dictionary and the following authorities cited therein: Beecham Group Ltd v Bristol Laboratories Pty Ltd (1968) 118 CLR 618; [1968] ALR 469; and Shercliff v Engadine Acceptance Corp Pty Ltd [1978] 1 NSWLR 729.
[50] HRIP Act, s. 44(2).
[51] HRIP Act, s. 45(1).
[52] HRIP Act, s. 45(2).
[53] HRIP Act, s. 45(3).
[54] This is because the Tribunal has jurisdiction to inquire into a complaint only where a written report is made under s. 47(1) of the HRIP Act, as to any findings or recommendations in relation to an investigation into a complaint under s. 45(2)(b).
[55] HRIP Act, s. 46(1).
[56] HRIP Act, s. 46(2).
[57] HRIP Act, ss. 46(2) and (3).
[58] HRIP Act, s. 46(7).
[59] HRIP Act, s. 48(1).
[60] HRIP Act, s. 46(5).
[61] HRIP Act, s. 46(4).
[62] HRIP Act, s. 46(6).
[63] HRIP Act, s. 46(7).
[64] See the Privacy Commissioner’s functions under Part 7 of the HRIP Act, in particular, s. 60.
[65] HRIP Act, ss. 61(a)-(c).
[66] HRIP Act, s. 61(d).
[67] HRIP Act, s. 47(2).
[68] HRIP Act, s. 48(1).
[69] HRIP Act, s. 50(2).
[70] The Tribunal’s powers are in s. 54(1) of the HRIP Act.