In effect from: 1 July 2025

When can someone make a privacy complaint

Chapter 5 of the IP Act allows someone who believes an agency has not handled their personal information in accordance with the IP Act to make a complaint to the agency. Privacy complaints can be useful to agencies as they often highlight areas where agency processes can be improved and future risk reduced.

Requirements of a privacy complaint

The complaint must be in writing, made within 12 months of the complainant becoming aware of the act or practice the subject of the complaint, and include:

  • an address to which the agency may respond to the complaint (this can be an email address); and
  • particulars of the act or practice the subject of the complaint.

The agency can agree to accept a privacy complaint even if the 12 months have passed.

Response period for a complaint

The agency has 45 business days to give the complainant a response to their complaint, but can ask the complainant for extra time.

If the complainant does not get a response by the end of the 45 business days or any requested extra time, or they get a response they disagree with, they can escalate the complaint to the Office of the Information Commissioner (OIC).

Key factors for a successful privacy complaint

A successful privacy complaint satisfies the complainant without escalating or exacerbating their dissatisfaction. Satisfying the complainant doesn't mean giving the individual whatever they want. It means the complainant can be confident that their complaint was taken seriously, appropriately investigated, and resulted in appropriate actions.

Successfully resolving the complaint can prevent it from being escalated from your agency to the OIC or from the OIC to the Queensland Civil and Administrative Tribunal (QCAT).

Key factors to a successful privacy complaint are:

  • Promptly acknowledge the complaint.
  • Ensure you understand the complaint being made and the outcomes sought, and that the complainant understands the complaint process. This is an opportunity to manage their expectations from the outset.
  • Take the necessary steps to address any ongoing breach and minimise any harm.
  • Provide the complainant with regular updates, even if the update is that there is no information to report, and the matter is progressing. If a complainant does not hear from an agency, they may assume that their complaint is not being actioned.
  • Monitor the 45 business day period for dealing with the complaint, and make timely requests of the complainant for additional time to consider the complaint under section 164A of the IP Act, if required.
  • Provide reasons for the outcome of the complaint and a meaningful apology, if appropriate.
  • Document your dealings with the complainant: if the complaint can’t be resolved and escalates, a proper record will assist the agency in responding to any subsequent dealings with OIC and QCAT.

Promptly acknowledge the complaint

Acknowledge receipt of the complaint as soon as possible after it is received. Prompt acknowledgement conveys an early impression that your agency is responsive and efficient, and saves time by preventing follow-up from the complainant.

Even if the complaint requires further investigation or will be dealt with informally, promptly acknowledging the complaint can build the foundation for effective communication with the complainant.

This is also an opportunity to manage the complainant’s expectations by:

  • explaining the steps in the complaint process and expected timeframes for handling the complaint
  • providing information about how the agency collects, uses, and discloses personal information in the course of handling a complaint; and
  • giving a contact telephone number, preferably with the name of a contact person, from the business area within the agency that will be handling the complaint.

This may avoid unnecessary escalation to an external complaint agency or a Ministerial Office.

Identify and address privacy complaints early

Privacy may be only one part of a complaint; for example, the complaint may also raise code of conduct issues. Alternatively, a complaint may raise privacy concerns but not be specifically made as a privacy complaint. Your agency should have systems in place to quickly identify complaints or parts of complaints that relate to privacy and direct them to the appropriate part of the agency.

Where the complaint raises multiple issues, you should not wait for the other issues to be resolved before considering the privacy complaint. Privacy complaints are more likely to successfully resolve when an agency responds to them in a timely manner, and the agency can deal with the privacy complaint independently and concurrently with other complaint processes.

If your agency waits, it is unlikely that the privacy complaint will have any chance of successfully resolving without being escalated.

Understand the reason for the complaint

It is unlikely that the initial complaint will contain all the information you need to decide how to deal with it. Talking with the complainant gives them a chance to tell their story and know that they have been listened to. Asking questions and/or summarising the issues back to the complainant will help ensure you are fully across their position. This will assist in understanding the complainant’s interests and how best to resolve their complaint and will help prevent misunderstandings.

Talking with the complainant also gives you the opportunity to find out their concerns and why they made the complaint. Sometimes a privacy complaint may be an expression of a greater dissatisfaction with the agency, for example, about how they have been treated. If this appears to be the case, resolving those underlying issues may help resolve the privacy complaint.

A complainant who believes they have been listened to, that their concerns have been acknowledged, and that they have been treated with respect will be more willing to resolve their complaint.

Where appropriate, make personal contact with the complainant

Personal contact with a complainant by telephone is a key way of building trust, and is a great help in moving towards resolution. For example, ringing a complainant ahead of a decision letter that will disappoint them can help manage the complainant’s disappointment and increase their acceptance of the decision.

Prepare for talking with a complainant by first considering what information you require from them and what information they might want to know. A practical way of managing difficult or challenging behaviour, such as an angry complainant or one insisting on unattainable outcomes, is to plan possible key responses before talking with the complainant.

The Commonwealth Ombudsman’s Better Practice Guide to Managing Unreasonable Complainant Conduct provides script ideas that cover scenarios such as defining a complaint, reframing a complainant’s expectations, and responding to disappointment.

The responses in the script ideas are suggestions only and should be used flexibly within the context of your agency’s policies and practices and the circumstances of the individual complainant.

Provide regular updates

If complainants are not kept informed about what is happening, they may make negative assumptions, e.g., that the agency does not care about their complaint or that no one is dealing with it. This can tip a cooperative person into being adversarial or looking for redress in some other way, such as through escalating their complaint to a third party.

Good communication establishes goodwill and can mean a complainant will be more accepting of a decision or outcome that is not what they anticipated.

Provide the complainant with anticipated (and realistic) timeframes of when they can expect to be updated on the progress of their complaint. Ensure that you follow through on what you tell the complainant, even if there is no progress to update. Where possible, provide an explanation for any delays, and ensure any requests for additional time under section 164A of the IP Act are made in a timely fashion.

If an unreasonable amount of time is being spent responding to repeated inquiries from a complainant who has already been given appropriate advice, consider setting limits on when and/or how the complainant can interact with you and notify the complainant of these arrangements.

Give a meaningful apology

One of the most common outcomes sought by complainants is an apology. Apologising does not automatically mean your agency agrees that its actions were in breach of the IP Act, nor does it stop an agency from providing information about how its actions complied with the obligations in the IP Act.

A person complains because they are unhappy or dissatisfied. Even where your agency hasn’t breached its obligations under the IP Act (for example, the agency disclosed personal information in circumstances permitted by the IP Act), the fact that a complaint was made means your agency’s actions negatively impacted the individual. Apologising for this impact, especially where the apology is communicated sincerely, can go a long way towards informally resolving the complaint and restoring the relationship between the individual and the agency.

Attempts at resolution often fail where an agency does not provide an apology in a timely manner, or the apology is so qualified that it appears insincere.

An effective apology should:

  • describe the issue that is the subject of the complaint
  • acknowledge the effect it has had on the complainant
  • explain the reason for the agency’s actions, for example, legislative and/or policy compliance
  • include a sincere statement of sorrow or regret; and
  • where appropriate, state what is being done to ensure that the issue does not reoccur.

A ‘faux’ apology that focusses on the reaction of the complainant, or questions whether any harm has been done, may appear dismissive and will make it harder to resolve the complaint. Avoid phrases that put the responsibility on the complainant, such as:

  • I’m sorry you feel that way.
  • I’m sorry that you felt the agency breached your privacy.
  • I’m sorry you took offence at what was said.

Take into account the nature of the harm done and the needs of the complainant when deciding whether or how to make the apology.

Finally, ensure that the apology is given by the right person: either the person who committed the act or practice, or the person who has overall responsibility for the service or business area.

Provide an outcome letter that includes the reasons for the agency’s decision

Another common reason why complainants bring their complaint to OIC is because a decision was given without adequate reasons. A statement that ‘We were unable to uphold your complaint’, ‘We were unable to confirm your version of events’, or ‘Your complaint did not reveal anything improper’, without supporting evidence and reasoning, is not a reason; it is a conclusion.

The agency's outcome letter should include:

  • why you were unable to uphold the complaint
  • why you were unable to confirm the complainant’s version of events; or
  • why what was alleged was not a breach of the IP Act.

At a minimum, your complaint outcome letter should demonstrate that, as an agency, you have:

  • addressed the context, nature and extent of the complaint
  • assessed the complaint against the relevant privacy principles
  • considered all other relevant criteria, such as legislation applicable to the agency and any relevant policies, standards or directives; and
  • determined the extent to which the complaint is or is not substantiated and all the reasons for this.

For example, don't write this:

Your complaint has been investigated and our Agency is satisfied that appropriate action by Agency staff was taken in relation to this matter. Consequently, no further action will be taken in relation to this complaint.

Instead, write this:

Queensland government agencies are obliged to comply with the Queensland Privacy Principles (QPPs) in the Information Privacy Act 2009 (Qld). Under QPP 6, an agency must not disclose personal information to a third party unless one of the permitted exceptions applies. One of these exceptions is where the disclosure is authorised or required under a law.

The Compulsory Registration of Goldfish Regulation 2006 (Qld) requires that our Agency publish particular information about the selling of goldfish. Section 12B of this Regulation specifically requires that the name and address of a registered seller is published on our website.

The QPPs do not override other legislation. When a disclosure of personal information is in accordance with another law, there can be no privacy breach.

However, I acknowledge your concern that not everybody may be aware that their address will be made publicly available when they register as a goldfish seller and that this may raise security concerns for some individuals.

Our Agency has reviewed the process by which individuals apply to be a registered goldfish seller and as a consequence, will be updating our online form to provide clearer advice about what will happen to your personal information once it is collected.

I am sincerely sorry that this advice was not readily accessible at the time you registered as a goldfish seller and for the distress that having your address published has caused you.

I thank you for bringing this matter to my attention.

The decision letter should also advise the complainant of their right to bring their complaint to OIC if they do not consider your agency’s response to be adequate.

Consider possible remedies

In order to resolve a substantiated privacy complaint, you will generally need to consider remedial actions for the breach.

While you cannot undo what has happened, explaining how and why the problem occurred and what steps the agency will take or has taken to avoid it recurring may help to resolve the complaint and allow complainants to feel that their complaint has had a positive outcome. Ways to prevent a privacy breach from recurring include:

  • developing or updating policies, procedures, or work instructions
  • giving an undertaking that employees will attend refresher privacy training
  • improving collection notices or the way a collection notice is provided to enhance awareness of what will or may happen to personal information once it is collected
  • undertaking a physical or technical security audit; or
  • revisiting and revising outsourcing contracts which involve the handling of personal information.

A common motivation among privacy complainants is to 'stop it from happening to someone else'. Where appropriate, telling the complainant what actions you have taken in response to their complaint that will prevent future breaches may help resolve the complaint.

You could also consider what action can be taken to remedy the harm from the breach. In theory, remedial measures are geared at restoring the individual to the position they were in before their privacy was breached. In many cases, it may be possible to provide an effective non-financial remedy such as:

  • correcting misleading or inaccurate documents by amending the document or allowing the complainant to provide a notation which can then be added to the document
  • implementing additional security measures to documents which contain the complainant’s personal information
  • taking practical steps to recall the personal information or to take it down off a website
  • clarifying precisely what personal information was involved in the breach by providing the complainant with administrative access to the relevant documents; or
  • providing information and assistance to the complainant to deal with the consequences of the breach (for example, how to request a copy of their credit report for free or to access an employee assistance program).

Agencies could also consider the potential for an ex-gratia payment for the harm suffered by the complainant as a result of the breach, including for hurt feelings.

These options are not exhaustive. Ask the complainant what outcomes they are seeking. If you cannot agree with a complainant’s proposed remedy, discuss the reasons for this with them and ask what else the complainant suggests. Often they’ll surprise you by asking for less than you may think, especially when the complainant has received a meaningful apology.

Privacy complaints at the OIC

Under Chapter 5 of the IP Act, an individual who believes an agency has not dealt with their personal information in accordance with the obligations in the IP Act may make a complaint to the agency. If they are not satisfied with the agency’s response, or do not receive a response within 45 business days (or longer agreed time), they can bring their complaint to the Office of the Information Commissioner (OIC).

OIC provides a mediation service for privacy complaints. Our role is not to determine whether a breach has occurred, or to impose a particular settlement; rather, we facilitate both parties to the complaint to find a resolution to the matter.

What happens when a privacy complaint is received?

We first assess each complaint to determine whether OIC has the jurisdiction to be able to deal with the complaint and if there is any reason why we should decline to deal with it, or with part of it. For example, we may not accept a privacy complaint where:

  • the complainant has failed to bring their complaint to the relevant agency first and/or failed to allow the required 45 business days
  • the complaint is not supported in law
  • there is insufficient evidence to support the alleged breach
  • the source of the alleged breach is not clear or not known
  • there is an error of fact in the complaint
  • there is a more appropriate course of action available under another Act to deal with the substance of the complaint
  • the agency has not had adequate time to deal with the complaint; or
  • more than 12 months have passed since the complainant first became aware of the act or practice about which they are complaining.

Under section 167 of the IP Act, OIC is authorised to make preliminary inquiries in order to decide whether to accept a complaint. This may include inviting the respondent agency to provide a submission on whether OIC should accept the complaint.

What happens when a privacy complaint is accepted?

We will provide written notice to both the complainant and the respondent agency if we accept a privacy complaint.

Once OIC accepts a complaint we must take all reasonable steps to effect a settlement. Steps may include:

  • discussing the merits of the complaint with both parties
  • communicating the complainant’s proposed outcomes to the agency
  • discussing any concerns that may affect movement on the proposed outcomes; and
  • negotiating with both parties in terms of moving in their response to the proposed outcomes.

We typically conduct mediation by contacting both parties individually, either by telephone or in writing. In some instances we may attempt to resolve a complaint by facilitating a meeting between the complainant and the respondent agency, either face-to-face or by teleconference. 

Respondent agencies can help to resolve a privacy complaint in the following ways:

  • Timeliness:  OIC will often ask for documents, information or submissions by a certain date. An agency’s failure to meet deadlines can be perceived by the complainant as indicating the agency is not serious about dealing with their concerns.
  • Provide information if asked to do so:  OIC may require information from the agency during the mediation process. While OIC understands that information may be confidential or sensitive, we will only request information to advance the mediation of a complaint. All information will be handled securely and confidentially.
  • Consider an apology: A significant common factor in complainants escalating their privacy complaint to OIC is the perception that the agency has failed to acknowledge the impact the privacy breach has had on them. An agency issuing a sincere and timely apology can provide a relatively ‘cost-free’ means of altering this perception.
  • Be creative:  If it is not possible to accede to the complainant’s proposed settlement in whole, consider whether it is possible to meet the proposed outcomes in part, or whether there is an alternate counter-proposal the agency could offer. For example, effective non-financial remedies could include implementing additional security measures to protect the individual’s personal information or taking practical steps to recall the personal information.
  • Be candid:  OIC's complaint resolution process is confidential. If an agency provides OIC with information relevant to the privacy complaint, such as information about the individual's dealings with the agency, OIC cannot be compelled to provide this information in a Queensland Civil and Administrative Tribunal (QCAT) proceeding.

Where mediation results in the complainant and the respondent agency agreeing on an outcome to resolve the privacy complaint, either the complainant or responding agency may ask OIC to prepare a written record of the agreement. This request must be made within 20 business days after agreement is reached.

What if the privacy complaint is not able to be mediated?

If it does not appear reasonably likely to OIC that resolution of the complaint can be achieved through mediation, we will provide written notice to the complainant and responding agency advising of our decision and the option for the complainant to refer their privacy complaint to QCAT.

There is no time limit for a complainant to request referral of their privacy complaint to QCAT. A complainant is not obligated to make a referral request and it remains open for both parties to re-consider the possibility that a resolution can be reached on the subject matter of the complaint.

If a referral request is made, OIC must refer the privacy complaint to QCAT within 20 business days.  We will give written notification to both the complainant and responding party when a privacy complaint is referred to QCAT.

If a privacy complaint is referred to QCAT, the complainant and responding agency will be the parties to the hearing before QCAT, with no further involvement of OIC.

The orders that QCAT may make if the privacy complaint is substantiated are set out in section 178 of the IP Act. These orders include the potential for compensatory damages, including for ‘pain and suffering’ of up to $100,000.