Fact Sheet - Making a privacy complaint about a NSW public sector agency
May 2021
The Privacy and Personal Information Protection Act 1998 (PPIP Act) provides two avenues for dealing with a complaint about a breach of privacy: an internal review or a privacy complaint. This fact sheet has been developed to provide citizens with information about the two options.
Who can I make a complaint about?
The PPIP Act applies to NSW public sector agencies. This includes:
- State government agencies;
- Local councils;
- Universities;
- Ministers and Ministers’ offices; and
- State owned corporations that have elected to follow the PPIP Act.[1]
What is the difference between an internal review and a complaint to the Privacy Commissioner?
The key difference between the two is that a privacy internal review is conducted by the agency concerned, and the Privacy Commissioner has an oversight role in considering whether the agency’s conduct that you are complaining about is consistent with the requirements of the NSW privacy legislation.
If you are not satisfied with the agency’s findings or its proposed actions in relation to the internal review, then you have the right to apply to the NSW Civil and Administrative Tribunal (NCAT) for further review of the conduct subject to your complaint.
If your complaint is proven, NCAT may order an agency to do certain things, such as make an apology, correct a record, change their practices, or pay compensation for harm suffered. However, it may also decide to take no further action, for example if the agency has already apologised or taken other steps to improve the situation.
Orders made by NCAT must be followed by the agency, and are enforceable.
If you make a complaint to the Privacy Commissioner, the Privacy Commissioner must try to conciliate the complaint and there is no right of review to the NCAT.
Why would I make a complaint?
If you believe an agency has breached your privacy in relation to your personal information or health information, you have the right to make an application for internal review to the agency. It will help the agency to understand your concerns if you can explain how or in what way you believe the agency has breached your privacy and when the relevant conduct occurred.
For further details on the internal review process, please see our resources including our fact sheets on:
A complaint may be made to the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual.
However, where the option of internal review is available to you, the Privacy Commissioner may decline to deal with your complaint on the basis that there is an alternative, satisfactory and readily available means of redress available to you or it would be more appropriate for you to make an application for internal review.
How do I lodge a complaint?
Your application for internal review must be submitted in writing to the agency concerned.[2] Most agencies have their own form on their website to assist you to make your internal review application. The contact details for an agency’s Privacy Officer are also usually available on the agency’s website.
The IPC has developed a generic privacy internal review application form that you can complete and send to the agency’s Privacy Officer. You are not required to use this form but it may assist to make it clear to the agency what conduct you would like to be considered in the internal review.
You will need to provide the agency with your postal address or email address so that they can contact you in relation to the internal review.[3]
To make a complaint to the Privacy Commissioner, you will need to do so in writing. You can write to the Privacy Commissioner outlining your complaint and include any relevant information.
How long do I have to make a complaint?
Regardless of whether you make an application for internal review or a complaint to the Privacy Commissioner, you must lodge your complaint within 6 months from when you first become aware of conduct relevant to your complaint.[4]
The timeframe for making an application for internal review can be extended at the agency’s discretion. The Privacy Commissioner has a similar discretion to accept a complaint outside of the 6 month period.
More information is available in the IPC Privacy Statement of Jurisdiction.
Is there a cost?
There is no cost involved to make an application for internal review to the agency or a complaint to the Privacy Commissioner.
What happens after I make my complaint?
An internal review is conducted by the agency and is a fact-finding investigation to determine whether a breach of the privacy principles has occurred.
After you submit your internal review application the agency should contact you to confirm receipt and next steps in the internal review process, including the timeframe for completion of the review.
The officer who conducts the internal review must not have been substantially involved in any matter relating to the conduct complained of.[5]
The IPC has developed a fact sheet that provides further information about the internal review process.
If you make a complaint to the Privacy Commissioner, the IPC will acknowledge receipt and complete a preliminary assessment of the issues in the complaint to decide whether or not to deal with the complaint.[6]
If the subject-matter of the complaint appears to be conduct that could be considered in an internal review by the agency, the Privacy Commissioner must inform you of the option of applying to the agency for internal review and the remedies available to you in that process.[7]
The Privacy Commissioner may decide not to deal with a complaint if she is satisfied that:
- the complaint is frivolous, vexatious, lacking in substance or not in good faith;
- the subject-matter of the complaint is trivial;
- the subject-matter of the complaint relates to a matter permitted or required by or under any law;
- there is an alternative satisfactory and readily available means of redress; or
- it would be more appropriate for you to make an application for internal review by an agency.[8]
If the IPC decides not to deal with your complaint the IPC will write to you to advise you of the reasons for declining to deal with the complaint.[9]
If the Privacy Commissioner decides to deal with your complaint, the IPC may make such inquiries and investigations in relation to the complaint as the Privacy Commissioner thinks appropriate.
How long does it take?
An internal review must be completed as soon as reasonably practicable. However, if the review is not completed by the agency within 60 days from the date that the application was received, you are entitled to make an application for review to the NCAT.[10]
Please see the IPC fact sheet Privacy complaints: your review rights for further information.
There is no requirement for the Privacy Commissioner to deal with a complaint within a specific timeframe.
The steps required to assess and deal with a complaint can vary from case to case and therefore it is not possible to provide a specific timeframe for how long it would take for the Privacy Commissioner to finalise your complaint.
The Privacy Commissioner will deal with your complaint as quickly as possible and will provide you with regular updates about the steps being taken to progress your complaint.
What is the role of the Privacy Commissioner?
An agency must notify the Privacy Commissioner of the internal review application as soon as practicable after receiving the application, keep the Privacy Commissioner informed of the progress of the internal review and inform the Privacy Commissioner of the findings of review and any proposed actions to be taken.[11] This is the Privacy Commissioner’s oversight role in the internal review process.
Further information can be found in the following resources: Privacy complaints: your review rights and a guidance document on the oversight role.
The Privacy Commissioner may make submissions to the agency in relation to the internal review and the agency is required to consider any submissions made by the Privacy Commissioner as a part of the internal review process.[12]
If you make a complaint to the Privacy Commissioner and the Privacy Commissioner decides to deal with your complaint, the Privacy Commissioner must try to resolve the complaint by conciliation. Generally, this will involve making written inquiries with you and the agency to try to identify a resolution to the complaint.
What might be the possible outcomes?
At the conclusion of its internal review, the agency is required to inform you of its findings of the review, and the action proposed to be taken by the agency, if any. The internal review report should also advise you of your further review rights.
The PPIP Act provides a range of outcomes that are available to the agency in an internal review, which include making an apology, taking no further action, taking remedial action it thinks appropriate, or providing undertakings that the conduct will not occur again.[13]
If you make a complaint to the Privacy Commissioner and the Privacy Commissioner is not able to resolve the complaint,[14] then the Privacy Commissioner can investigate and provide a report. The Privacy Commissioner may make findings and recommendations on the complaint.[15] However, the Privacy Commissioner’s recommendations are not binding and the Privacy Commissioner cannot order an agency to take particular action in response to a complaint.
The IPC does not have the authority to make orders against an agency or award damages to a complainant at the conclusion of a privacy complaint.
The Privacy Commissioner may also determine that no further action is required after considering factors such as the nature and circumstances of the complaint, in particular where circumstances have changed since the complaint was made such that the complaint has been resolved to her satisfaction.
What if I am unhappy with the outcome?
If you are not satisfied with the agency’s findings of internal review or its proposed actions, you can apply to the NCAT for an administrative review.[16] You need to do this within 28 days of receiving the agency’s findings. For further information, please see Privacy complaints: your review rights.
If the internal review is not completed within 60 days of you lodging the internal review application, you can make an application under section 55 of the PPIP Act to the NCAT for administrative review.[17]
The legislation sets out the orders that are available to the NCAT which may include that the agency stop the conduct in contravention of the information protection principles, compensation or other orders the Tribunal thinks appropriate.[18]
The IPC has also developed a fact sheet about the Privacy Commissioner’s right of appearance in the NSW Civil and Administrative Tribunal.
If you are not satisfied with the outcome of the complaint by the Privacy Commissioner, there is no right to seek review at the NCAT.
Which option is best?
Generally, if an internal review is available it is the better option, as it offers NCAT review rights and encourages the agency to consider its obligations under NSW privacy legislation with the Privacy Commissioner’s oversight.
Review rights and enforceable orders are not available as outcomes of a complaint to the Privacy Commissioner.
Can someone assist me with my complaint?
If you want to authorise another person to represent you or make a complaint on your behalf, you should provide evidence of that authorisation at the time of making your application for internal review or complaint to the Privacy Commissioner.
Please note that the IPC is an independent regulator and cannot provide legal advice or provide representation or advocacy in relation to privacy complaints.
Can I make an anonymous complaint?
When an agency receives an application for a privacy internal review, the agency needs to be satisfied that you have been aggrieved by the conduct of the agency.[19]
If an anonymous complaint is made to the Privacy Commissioner, the steps that the Privacy Commissioner can take to address the complaint may be limited. Each complaint is assessed on a case by case basis.
Where can I get more information?
The IPC has developed a number of resources to assist citizens’ understanding of NSW privacy legislation, which are available on the IPC website.
You may also wish to review the agency’s website to consider any information that the agency makes publicly available about how it meets the requirements of NSW privacy laws in relation to personal and health information, including the right to make a privacy complaint to the agency by making an application for internal review.
For more information
Contact the Information and Privacy Commission NSW (IPC):
Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au
NOTE: The information in this fact sheet is to be used as a guide only.
Legal advice should be sought in relation to individual circumstances.
[1] Private sector persons such as individuals, corporations including private hospitals, partnerships and trusts are not covered by the PPIP Act. For more information about the types of complaints that the IPC can consider about private sector persons and the complaint process, please see: https://www.ipc.nsw.gov.au/guide-privacy-laws-nsw.
[2] PPIP Act section 53(3)(a)
[3] PPIP Act section 53(3)(c)
[4] PPIP Act section 53(3)(d), section 45(5)
[5] PPIP Act section 53(4)
[6] PPIP Act section 46(1)
[7] PPIP Act section 46(2)
[8] PPIP Act section 46(2)
[9] PPIP Act section 48(2)
[10] PPIP Act section 53(6)
[11] PPIP Act section 54(1)
[12] PPIP Act section 54(2)
[13] PPIP Act section 53(7)
[14] PPIP Act section 49
[15] PPIP Act section 50
[16] PPIP Act section 55(1)
[17] PPIP Act section 53(6)
[18] PPIP Act section 55(2)
[19] PPIP Act section 53(1)