How to make a privacy complaint - a guide for individuals

Overview

The purpose of this information sheet is to provide individuals with information about making a privacy complaint to an agency under the Information Privacy Act 2009 (Qld) (IP Act).

What are my rights under the IP Act?

Under the IP Act, individuals have the right to have their personal information protected and managed in accordance with the privacy principles contained in the IP Act.  These privacy principles apply to Queensland government agencies1: departments, Ministers, public authorities and local councils.

What is personal information?

Personal information is defined in section 12 of the IP Act. It is a broad definition that includes any information about an individual who can be identified directly from the information, or whose identity can be reasonably ascertained by reference to other information. Information does not have to be true, written down, sensitive or 'important' to be personal information.

What are the privacy principles?

The privacy principles cover collection, storage, use and disclosure of personal information.

Collection: An agency can only collect the personal information it needs for a legitimate agency purpose. It cannot collect any other personal information, and it must collect personal information fairly and in a way that does not intrude unreasonably on someone's private life.

Storage and security: Information must be kept secure and protected from unauthorised access, use and disclosure.

Use: An agency may only use information for the reason they collected it unless one of a number of exceptions applies.  For example, an agency can use personal information for a secondary purpose with the consent of the individual, where it is authorised by law, or needed for law enforcement purposes.

Disclosure: Personal information can usually only be disclosed to the person it is about.  Exceptions apply where:

  • the individual was told the disclosure would occur
  • the agency has the consent of the individual
  • the disclosure is authorised by law, or
  • the disclosure is necessary for law enforcement purposes or to prevent harm to an individual or the public.

What can I do if my personal information has been misused?

If you believe a Queensland Government agency has dealt with your personal information in a way that is not consistent with the privacy principles you have the right to make a privacy complaint to that agency.2 You can only make a privacy complaint about the way the agency has handled your personal information.3

If you are unsure whether you can make a privacy complaint under the IP Act about a particular entity, you could first try contacting that entity to discuss the matter or check their privacy policy if they have one available.  If you are still unsure, the OIC Enquiries Service may also be able to assist.

How to make a privacy complaint

Your privacy complaint should be made through the complaints process set up by the agency.  It is a good idea to make your complaint in writing and to specifically state that you are making a ‘privacy complaint’. Explain the incident or practice you are concerned about and keep a record of the date you made the complaint. It can also be helpful to think about what you want from the agency as an outcome of your complaint. For example this may include an acknowledgement from the agency that a privacy breach occurred and that it had a significant impact, an apology and/or information on steps the agency would take to ensure the breach will not occur again.

If you are not familiar with the agency’s complaint process, you may wish to contact the agency directly and seek further information.  Some agencies will have a designated Privacy Officer or Privacy Unit that may be able to assist.

What can I do if the agency doesn’t acknowledge my complaint or if they give me a response I am not satisfied with?

The IP Act allows a minimum period of 45 business days for an agency to respond to a privacy complaint.  If the agency provides you with a prompt response and you are dissatisfied with the response, the IP Act requires that you must still wait out the full 45 business days before you can bring your privacy complaint to the Office of the Information Commissioner (OIC).  The 45 business day period can allow for a series of discussions to occur between the agency and you regarding the possible resolution of your privacy complaint.

If the 45 business day period has passed and you have exhausted your efforts with the agency to obtain satisfaction, or the agency has not responded to your complaint, then you can bring your privacy complaint to the OIC.

OIC does not have an investigative or determination role in privacy complaints.  Rather, it provides a mediation service to the parties to the complaint.

To bring your privacy complaint to OIC, it must be made in writing, providing details of your privacy complaint and an address so that the OIC can send you correspondence relating to your complaint.  You can post or email your complaint to:

Attention: Privacy Team        
Office of the Information Commissioner       
PO Box 10143           
Adelaide Street          
BRISBANE  QLD  4001

Email:  administration@oic.qld.gov.au

Alternatively, you may wish to complete the OIC privacy complaint form available on the OIC website (www.oic.qld.gov.au) and lodge the completed form online or print out and send the form to our office.

Note

Before you can bring your complaint to the OIC, you must make your privacy complaint to the relevant agency first.

1 In this information sheet all references to an ‘agency’ include Ministers, unless otherwise specified. The privacy principles under the IP Act do not apply to government owned corporations (GOCs), which means a privacy complaint cannot be made under the IP Act about a GOC. However, similar requirements under Commonwealth privacy legislation may apply to GOCs.
2 You can also make a complaint if you think an agency has failed to comply with a waiver or modification of the privacy principles issued by the Information Commissioner.
3 An authorised agent (eg lawyer) may make a privacy complaint on behalf of an individual.  A parent may make a complaint on behalf of a child.

Current as at: October 24, 2017