Under Chapter 5 of the Information Privacy Act 2009 (Qld) (IP Act), an individual who believes an agency has not dealt with their personal information in accordance with the obligations in the IP Act may make a complaint to the agency. If, after 45 business days, the complainant is dissatisfied with the agency’s response or the agency has failed to respond, they may bring their complaint to the Office of the Information Commissioner (OIC).
OIC provides a mediation service for privacy complaints. Our role is not to determine whether a breach has occurred, or to impose a particular settlement; rather, we facilitate both parties to the complaint to find a resolution to the matter.
This guideline outlines how OIC deals with privacy complaints and how agencies can maximise the effectiveness of this process.
We first assess each complaint to determine whether OIC has the jurisdiction to be able to deal with the complaint and if there is any reason why we should decline to deal with it, or with part of it.1 For example, we may not accept a privacy complaint where:
Under section 167 of the IP Act, OIC is authorised to make preliminary inquiries in order to decide whether to accept a complaint. This may include inviting the respondent agency to provide a submission on whether OIC should accept the complaint.
We will provide written notice to both the complainant and the respondent agency2 if we accept a privacy complaint.
Once OIC accepts a complaint we must take all reasonable steps to effect a settlement. Steps may include:
We typically conduct mediation by contacting both parties individually, either by telephone or in writing. In some instances we may attempt to resolve a complaint by facilitating a meeting between the complainant and the respondent agency, either face-to-face or by teleconference.
Respondent agencies can help to resolve a privacy complaint in the following ways:
Where mediation results in the complainant and the respondent agency agreeing on an outcome to resolve the privacy complaint, either the complainant or responding agency may ask OIC to prepare a written record of the agreement.7 This request must be made within 20 business days after agreement is reached.
If it does not appear reasonably likely to OIC that resolution of the complaint can be achieved through mediation, we will provide written notice to the complainant and responding agency advising of its decision and the option for the complainant to refer their privacy complaint to QCAT.8
There is no time limit for a complainant to request referral of their privacy complaint to QCAT. A complainant is not obligated to make a referral request and it remains open for both parties to re-consider the possibility that a resolution can be reached on the subject matter of the complaint.
If a referral request is made, OIC must refer the privacy complaint to QCAT within 20 business days. We will give written notification to both the complainant and responding party when a privacy complaint is referred to QCAT.
If a privacy complaint is referred to QCAT, the complainant and responding agency will be the parties to the hearing before QCAT, with no further involvement of OIC.
The orders that QCAT may make if the privacy complaint is substantiated are set out in section 178 of the IP Act. These orders include the potential for compensatory damages, including for ‘pain and suffering’ of up to $100,000.
OIC has developed a case note that provides an overview of remedies awarded in Queensland and other privacy jurisdictions, and some of the factors that were given weight by the relevant determinative body when deciding on an appropriate award of compensation.
Current as at: August 14, 2018