Under the Information Privacy Act 2009 (Qld) (IP Act), individuals can make a privacy complaint to your agency[1] if they believe it has not complied with its obligations under the IP Act. The complaint must be about the individual’s personal information and they must give your agency at least 45 business days[2] to deal with their complaint.
Privacy complaints can be useful to agencies as they often highlight areas where agency processes can be improved and future risk reduced.
This guideline will help you respond to and resolve privacy complaints in a way that may mean the difference between successfully resolving the complaint and it being escalated to the Office of the Information Commissioner (OIC) or onto the Queensland Civil and Administrative Tribunal (QCAT).
Summary of the key factors in a successful privacy complaint
- Promptly acknowledge the complaint (within 3 days is ideal).
- Clarify the complaint, the outcomes sought, the complaint process and any expectations with the complainant by telephone or in person.
- Take the necessary steps to address any ongoing breach and minimise any harm.
- Keep the complainant informed: if they don’t hear from you, they will generally assume their complaint is not being dealt with or that the agency doesn't care enough to respond to them.
- Document your dealings with the complainant: if it can’t be resolved and escalates, a proper record will assist the agency in responding to any subsequent dealings with OIC and QCAT.
Tips for resolving privacy complaints
1. Acknowledge the complaint promptly
Acknowledge receipt of the complaint as soon as possible after it is received. Prompt acknowledgement conveys an early impression that your agency is responsive and efficient, and saves time by preventing follow up from the complainant.
Even if the complaint requires further investigation or will be dealt with informally, promptly acknowledging the complaint can build the foundation for effective communication with the complainant.
This is also an opportunity to manage the complainant’s expectations about how the complaint will be managed by:
- explaining the steps in the complaint process and expected timeframes for handling the complaint
- providing information about how the agency collects, uses and discloses personal information in the course of handling a complaint; and
- giving a contact telephone number, preferably with the name of a contact person, from the business area within the agency that will be handling the complaint.
This may avoid unnecessary escalation to an external complaints agency or a Ministerial Office.
2. Identify and address privacy complaints early
Privacy may be only one part of a complaint—for example, it may also raise code of conduct issues—or a complaint may raise privacy concerns but not be specifically made as a privacy complaint. Your agency should have systems in place to quickly identify complaints or parts of complaints that relate to privacy and direct them to the appropriate part of the agency to deal with.
Where the complaint raises multiple issues, you should not wait for the other issues to be resolved before considering the privacy complaint. Privacy complaints are more likely to successfully resolve when an agency responds to them in a timely manner, and the agency can deal with the privacy complaint independently and concurrently with other complaint processes. If your agency waits, it is unlikely that the privacy complaint will have any chance of successfully resolving without being escalated.
3. Understand the reason for the complaint
It is unlikely that the initial complaint will contain all the information you need to decide how to deal with it. Talking with the complainant gives them a chance to tell their story and know that they have been listened to. Asking questions and/or summarising the issues back to the complainant will help ensure you are fully across their position. This will assist in understanding the complainant’s interests and how best to resolve their complaint, and will help prevent misunderstandings.
Talking with the complainant also gives you the opportunity to find out their concerns and why they made the complaint. Sometimes a privacy complaint may be an expression of a greater dissatisfaction with the agency, for example, about how they have been treated. If this appears to be the case, resolving those underlying issues may help resolve the privacy complaint.
A complainant who believes they have been listened to, that their concerns have been acknowledged, and that they have been treated with respect will be more willing to resolve their complaint.
4. Make personal contact with the complainant
Personal contact with a complainant by telephone or, where appropriate, face-to-face is a key way of building trust, and is a great help in moving towards resolution. For example, ringing a complainant ahead of a decision letter that will disappoint them can help manage the complainant’s disappointment and increase their acceptance of the decision.
Prepare for talking with a complainant by first considering what information you require from them and what information they might want to know.
A practical way of managing difficult or challenging behaviour, such as an angry complainant or one insisting on unattainable outcomes, is to plan possible key responses before talking with the complainant.
The Commonwealth Ombudsman’s Better Practice Guide to Managing Unreasonable Complainant Conduct provides script ideas that cover scenarios such as defining a complaint, reframing a complainant’s expectations, and responding to disappointment.
The responses in the script ideas are suggestions only and should be used flexibly within the context of your agency’s policies and practices and the circumstances of the individual complainant.
5. Make regular contact with the complainant
If complainants are not kept informed about what is happening, they are likely to make negative assumptions, e.g. that the agency does not care about their complaint or that no one is dealing with it. This can tip a cooperative person into being adversarial or looking for redress in some other way, such as through escalating their complaint to a third party.
Good communication establishes goodwill and can mean a complainant will be more accepting of a decision or outcome that is not what they anticipated.
Provide the complainant with anticipated (and realistic) timeframes of when they can expect to be updated on the progress of their complaint. Ensure that you follow through on what you tell the complainant, even if there is no progress to update. Where possible, provide an explanation for any delays.
If an unreasonable amount of time is being spent responding to repeated inquiries from a complainant who has already been given appropriate advice, consider setting limits on when and/or how the complainant can interact with you and notify the complainant of these arrangements.
Monitor the effectiveness of communication with complainants by reviewing the:
- maximum number of days between contacts with a complainant; and
- percentage of contact with complainants made by telephone.
6. Give a meaningful apology
One of the most common outcomes sought by complainants is an apology. Apologising does not automatically mean your agency agrees that its actions were in breach of the IP Act, nor does it stop an agency from providing information about how its actions complied with the obligations in the IP Act.
A person complains because they are unhappy or dissatisfied. Even where your agency hasn’t breached its obligations under the IP Act (for example, the agency disclosed personal information in circumstances permitted by the IP Act), the fact that a complaint was made means your agency’s actions negatively impacted the individual. Apologising for this impact, especially where the apology is communicated sincerely, can go a long way towards informally resolving the complaint and restoring the relationship between the individual and the agency.
Attempts at resolution often fail where an agency does not provide an apology in a timely manner or the apology is so qualified that it appears insincere.
Apology is not liability
It is a common misconception that an apology is an admission of liability. This is not correct.
Section 72D of the Civil Liability Act 2003 (Qld) explicitly states that an apology does not constitute an express or implied admission of fault or liability, and is not relevant to the determination of fault or liability in relation to a matter.
In some instances, complaints are escalated to the OIC for mediation because the agency focussed on whether its actions were technically in breach of the IP Act, and/or shifted blame or responsibility to the complainant. Focussing on what can be done rather than who was wrong will help achieve resolution and allow for service improvement opportunities.
An effective apology should:
- describe the issue that is the subject of the complaint
- acknowledge the effect it has had on the complainant
- explain the reason for the agency’s actions, for example, legislative and/or policy compliance
- include a sincere statement of sorrow or regret; and
- where appropriate, state what is being done to ensure that the issue does not reoccur.
A ‘faux’ apology that focusses on the reaction of the complainant, or questions whether any harm has been done, may appear dismissive and will make it harder to resolve the complaint.
For example, avoid phrases such as:
- I’m sorry you feel that way.
- I’m sorry that you felt the agency breached your privacy.
- I’m sorry you took offence at what was said.
Take into account the nature of the harm done and the needs of the complainant when deciding whether to make the apology in person, in writing, or both.
Finally, ensure that the apology is given by the right person; either the person who committed the act or practice, or the person who has overall responsibility for the service or business area.
7. Give clear reasons for the agency’s decision
Another common reason why complainants bring their complaint to OIC is because a decision was given without adequate reasons. A statement that ‘We were unable to uphold your complaint’, ‘We were unable to confirm your version of events’, or ‘Your complaint did not reveal anything improper’, without supporting evidence and reasoning, is not a reason–it is a conclusion.
A reason addresses:
- why you were unable to uphold the complaint
- why you were unable to confirm the complainant’s version of events; or
- why what was alleged was not improper or in breach of the IP Act.
At a minimum, your complaint outcome letter should demonstrate that, as an agency, you have:
- addressed the context, nature and extent of the complaint
- assessed the complaint against the relevant privacy principles
- considered all other relevant criteria, such as legislation applicable to the agency and any relevant policies, standards or directives; and
- determined the extent to which the complaint is or is not substantiated and all the reasons for this.
Consider the following examples:
Example A – how not to write an outcome letter
Your complaint has been investigated and our Agency is satisfied that appropriate action by Agency staff was taken in relation to this matter. Consequently, no further action will be taken in relation to this complaint.
Example B – a good outcome letter
Queensland government agencies are obliged to comply with the privacy principles in the Information Privacy Act 2009 (Qld). Under Information Privacy Principle 11 (IPP 11), an agency must not disclose personal information to a third party unless one of the permitted exemptions applies. One of these exemptions is where the disclosure is authorised or required under a law.
The Compulsory Registration of Goldfish Regulation 2006 (Qld) requires that our Agency publish particular information about the selling of goldfish. Section 12B of this Regulation specifically requires that the name and address of a registered seller is published on our website.
The privacy principles do not override other legislation. When a disclosure of personal information is in accordance with another law, there can be no privacy breach.
However, I acknowledge your concern that not everybody may be aware that their address will be made publicly available when they register as a goldfish seller and that this may raise security concerns for some individuals.
Our Agency has reviewed the process by which individuals apply to be a registered goldfish seller and as a consequence, will be updating our online form to provide clearer advice about what will happen to your personal information once it is collected.
I am sincerely sorry that this advice was not readily accessible at the time you registered as a goldfish seller and for the distress that having your address published has caused you.
I thank you for bringing this matter to my attention.
The decision letter should also advise the complainant of their right to bring their complaint to OIC after the 45 business day period has passed if they are not satisfied with your agency’s response.
8. Look at what other remedies could be provided
In order to resolve a substantiated privacy complaint, you will generally need to consider remedial actions for the breach.
While you cannot undo what has happened, explaining how and why the problem occurred and what steps the agency will take or has taken to avoid it recurring may help to resolve the complaint and allow complainants to feel that their complaint has had a positive outcome. Ways to prevent a privacy breach from recurring include:
- developing or updating policies, procedures or work instructions
- giving an undertaking that employees will attend refresher privacy training
- improving collection notices or the way a collection notice is provided to enhance awareness of what will or may happen to personal information once it is collected
- undertaking a physical or technical security audit; or
- revisiting and revising outsourcing contracts which involve the handling of personal information.
A common motivation among privacy complainants in other jurisdictions is to 'stop it from happening to someone else'. Where appropriate, telling the complainant what actions you have taken in response to their complaint that will prevent future breaches may help resolve the complaint.
You could also consider what action can be taken to remedy the harm from the breach. In theory, remedial measures are geared at restoring the individual to the position they were in before their privacy was breached. In many cases, it may be possible to provide an effective non-financial remedy such as:
- correcting misleading or inaccurate documents by amending the document or allowing the complainant to provide a notation which can then be added to the document
- implementing additional security measures to documents which contain the complainant’s personal information
- taking practical steps to recall the personal information or to take it down off a website
- clarifying precisely what personal information was involved in the breach by providing the complainant with administrative access to the relevant documents; or
- providing information and assistance to the complainant to deal with the consequences of the breach (for example, how to request a copy of their credit report for free or to access an employee assistance program).
Agencies could also consider the potential for an ex-gratia payment for the harm suffered by the complainant as a result of the breach, including for hurt feelings.
These options are not exhaustive. Ask the complainant what outcomes they are seeking. If you cannot agree with a complainant’s proposed remedy, discuss the reasons for this with them and ask what else they suggest. Often they’ll surprise you by asking for less than you may think, especially when they have received a meaningful apology.
- [1] In this guideline, an agency includes a Minister.
- [2] After 45 business days they can bring the complaint to the Office of the Information Commissioner. Refer to What to expect when OIC receives a privacy complaint - A guide for agencies for more information.
Current as at: September 20, 2019