What to expect when OIC receives a privacy complaint - A guide for agencies

Under Chapter 5 of the Information Privacy Act 2009 (Qld) (IP Act), an individual who believes an agency has not dealt with their personal information in accordance with the obligations in the IP Act may make a complaint to the agency.  If, after 45 business days, the complainant is dissatisfied with the agency’s response or the agency has failed to respond, they may bring their complaint to the Office of the Information Commissioner (OIC).

OIC provides a mediation service for privacy complaints.  Our role is not to determine whether a breach has occurred, or to impose a particular settlement; rather, we facilitate both parties to the complaint to find a resolution to the matter.

This guideline outlines how OIC deals with privacy complaints and how agencies can maximise the effectiveness of this process.

What happens when a privacy complaint is received?

We first assess each complaint to determine whether OIC has jurisdiction to deal with it and whether there is any reason why we should decline to deal with it, or with part of it.¹ For example, we may not accept a privacy complaint where:

  • the complainant has failed to bring their complaint to the relevant agency first and/or failed to allow the required 45 business days
  • the complaint is not supported in law
  • there is insufficient evidence to support the alleged breach
  • the source of the alleged breach is not clear or not known
  • there is an error of fact in the complaint
  • there is a more appropriate course of action available under another Act to deal with the substance of the complaint
  • the agency has not had adequate time to deal with the complaint; or
  • more than 12 months have passed since the complainant first became aware of the act or practice about which they are complaining.

Under section 167 of the IP Act, OIC is authorised to make preliminary inquiries in order to decide whether to accept a complaint.  This may include inviting the respondent agency to provide a submission on whether OIC should accept the complaint.

What happens when a privacy complaint is accepted?

We will provide written notice to both the complainant and the respondent agency² if we accept a privacy complaint.

Once OIC accepts a complaint we must take all reasonable steps to effect a settlement.  Steps may include:

  • discussing the merits of the complaint with both parties
  • communicating the complainant’s proposed outcomes to the agency
  • discussing any concerns that may affect movement on the proposed outcomes; and
  • negotiating with both parties on how far each can move in response to the proposed outcomes.

We typically conduct mediation by contacting both parties individually, either by telephone or in writing.  In some instances we may attempt to resolve a complaint by facilitating a meeting between the complainant and the respondent agency, either face-to-face or by teleconference. 

Respondent agencies can help to resolve a privacy complaint in the following ways:

  • Timeliness:  OIC will often ask for documents, information or submissions by a certain date. An agency’s failure to meet deadlines can be perceived by the complainant as indicating the agency is not serious about dealing with their concerns.
  • Provide information if asked to do so:  OIC may require information from the agency during the mediation process.  While OIC understands that information may be confidential or sensitive, we will only request information to advance the mediation of a complaint.  All information will be handled securely and confidentially.
  • Consider an apology:  A significant common factor in complainants escalating their privacy complaint to OIC is the perception that the agency has failed to acknowledge the impact the privacy breach has had on them. A sincere and timely apology³ from the agency can be a relatively ‘cost-free’⁴ means of altering this perception.
  • Be creative:  If it is not possible to accede to the complainant’s proposed settlement in whole, consider whether it is possible to meet the proposed outcomes in part, or whether there is an alternate counter-proposal the agency could offer.  For example, effective non-financial remedies could include implementing additional security measures to protect the individual’s personal information or taking practical steps to recall the personal information.⁵
  • Be candid:  OIC's complaint resolution process is confidential.  If an agency provides OIC with information relevant to the privacy complaint, such as information about the individual's dealings with the agency, OIC cannot be compelled to provide this information in a Queensland Civil and Administrative Tribunal (QCAT) proceeding.⁶

Where mediation results in the complainant and the respondent agency agreeing on an outcome to resolve the privacy complaint, either the complainant or responding agency may ask OIC to prepare a written record of the agreement.⁷ This request must be made within 20 business days after agreement is reached.

What if the privacy complaint is not able to be mediated?

If it does not appear reasonably likely to OIC that resolution of the complaint can be achieved through mediation, we will provide written notice to the complainant and responding agency advising of our decision and the option for the complainant to refer their privacy complaint to QCAT.⁸

There is no time limit for a complainant to request referral of their privacy complaint to QCAT.  A complainant is not obligated to make a referral request and it remains open for both parties to re-consider the possibility that a resolution can be reached on the subject matter of the complaint.

If a referral request is made, OIC must refer the privacy complaint to QCAT within 20 business days.   We will give written notification to both the complainant and responding party when a privacy complaint is referred to QCAT.

If a privacy complaint is referred to QCAT, the complainant and responding agency will be the parties to the hearing before QCAT, with no further involvement of OIC.

The orders that QCAT may make if the privacy complaint is substantiated are set out in section 178 of the IP Act. These orders include the potential for compensatory damages, including for ‘pain and suffering’ of up to $100,000.

OIC has developed a case note that provides an overview of remedies awarded in Queensland and other privacy jurisdictions, and some of the factors that were given weight by the relevant determinative body when deciding on an appropriate award of compensation.

  • 1 See section 168 of the IP Act.
  • 2 See section 165(3) of the IP Act.
  • 3 OIC’s Tips for resolving a privacy complaint includes tips on how to make an effective apology.
  • 4 An apology does not constitute an express or implied admission of fault or liability by the agency and neither is it relevant to the determination of fault or liability in relation to the matter. Also, evidence of an apology made by a person is not admissible if the privacy complaint were to progress to QCAT – see section 72D of the Civil Liability Act 2003.
  • 5 Please see OIC’s Tips for resolving a privacy complaint for other remedies that may resolve a privacy complaint.
  • 6 Section 153 of the IP Act.
  • 7 Section 172 of the IP Act.
  • 8 Section 175 of the IP Act.
  • 9 Section 176 of the IP Act.

Current as at: August 14, 2018