The Information Privacy Act 2009 (Qld) (IP Act) gives the Information Commissioner the power to issue a compliance notice where there has been a serious or a flagrant breach of the obligation to comply with the privacy principles, or a breach which has occurred five times in the preceding two years.
An agency must comply with a compliance notice, but can appeal against the decision to issue the compliance notice to the Queensland Civil and Administrative Tribunal (QCAT).
Issuing a compliance notice
In order to issue a compliance notice, the Information Commissioner must be satisfied on reasonable grounds that an agency has done an act or engaged in a practice that is a contravention of the agency's obligation to comply with the privacy principles. The act or practice must be one of the following:
- of a kind that has been done or engaged in by the agency at least five separate times within two years prior to the matter coming to the Information Commissioner's attention.
'Flagrant' is particularly concerned with how the breach occurred; 'serious' with the outcomes or result of the breach.
A serious breach
For a breach to be serious, it must not be unimportant or trivial. The seriousness of a breach can be determined by any or all of the following:
- the type of personal information involved in the breach – the more sensitive the information, the more likely it is to be a serious breach
- the negative outcome or harm, or possible outcome or harm, of the breach
- the amount of personal information involved in the breach.
The breach must be such that it would cause apprehension or concern to the individuals the information is about and could have, or has had, harmful or undesired consequences.
A flagrant breach
For a breach to be flagrant, it must be obvious and blatant. Generally, an accidental breach or one that occurs as a result of a genuine misunderstanding would not be a flagrant breach. Flagrancy requires an element of deliberateness, carelessness, negligence or an obvious or deliberate disregard.
Examples of a flagrant breach:
- Where an agency has received advice that an action would constitute a breach of the privacy principles and takes the action despite the advice.
- Where an agency takes a risk management approach to complying with the privacy principles that involves choosing not to follow them.
- Where an agency undertakes an activity or project involving personal information and takes no steps, or steps that are obviously not sufficient, to consider the application of the privacy principles to the activity or project – conducting a privacy impact assessment for new projects involving personal information would reduce this risk significantly.
Breach of a kind which has occurred five times in two years
In order to fit within this section, the agency must have done the act at least five times in the two years prior to the matter coming to the Information Commissioner's attention.
While breaches of this kind will often come to the Information Commissioner's attention as a result of receiving privacy complaints about the action, it is not necessary for the Information Commissioner to have received a complaint in order to issue a compliance notice.
Power to compel information
Under section 197 of the IP Act, if the Information Commissioner is satisfied on reasonable grounds that a person has information relevant to the Commissioner’s decision to give an agency a compliance notice, the Commissioner may give the person a written notice requiring the person to:
- give the information to the Information Commissioner in written form, or
- attend before the Information Commissioner to answer questions.
The written notice must state:
- where the person should give the information to the Information Commissioner – a place it can be sent, for written information, or the place the person should attend to answer questions
- a reasonable time for the person to provide the written information, or a reasonable time at which the person should attend to answer questions.
The Information Commissioner may choose to administer an oath or affirmation to the person attending to answer questions that the person will answer the questions truthfully.
What a compliance notice can require
There are very few limitations placed on what the Information Commissioner can require an agency to do in a compliance notice. Section 158(2) sets out that the compliance notice may require an agency to take a stated action, within a stated period, for the purposes of ensuring compliance with the obligation.
The action must be one which will cause the agency, once it has followed it, to comply with the privacy principle or principles that they breached. A compliance notice could not, for example, require an agency to pay compensation to an individual whose personal information was involved in a breach, or to make an apology.
There is no guidance in the IP Act as to what is a reasonable time for an agency to comply with the notice, but a reasonable time would be one which took into consideration:
- all of the circumstances surrounding the failure to comply with the agency's obligations
- what actions are required by the notice.
Relevant considerations could include:
- the nature of the breach – whether it is recurring, serious or flagrant
- the likelihood that the breach will reoccur
- if the breach is an ongoing breach
- the harm or embarrassment that is, has been, or could be caused to the people whose personal information is the subject of the breach
- the number of people whose personal information has been involved in the breach
- the sensitivity of the personal information
- whether the breach occurred accidentally, negligently, deliberately or in disregard of the privacy principles
- the difficulty of rectifying the breach.
Complying with a compliance notice
Section 160 of the IP Act states that an agency that is given a compliance notice must take all reasonable steps to comply with the notice. The maximum penalty for non-compliance is 100 penalty units.
Failure to take all reasonable steps to comply with a compliance notice is an offence against the IP Act.
If an agency is having difficulty complying with a notice in the time given, it should apply to the Information Commissioner for an extension of time under section 159 of the IP Act.
Applying for extra time to comply
An agency may apply for additional time to comply with a compliance notice, but they must make that application before the time allowed in the original notice has expired.
An agency may apply for a general extension or for a set number of extra days. When applying for the extension, it is important that an agency sets out why it needs the additional time and any other relevant factors, so that the Information Commissioner can properly assess it.
If the time has expired, then an agency may not request extra time. This means it is very important that an agency tell the Office of the Information Commissioner if it is having any difficulties or issues complying with the compliance notice so that the time does not expire before they can request an extension.
On receiving a request for an extension of time, the Information Commissioner may:
- refuse the application
- grant an extension for the length of time requested by the agency, if any
- grant an extension of time for any other amount of time.
Before granting the extension, the agency must give the Information Commissioner an undertaking to comply with the notice within the granted extension of time.
What the Information Commissioner must do before granting extra time
Before the Information Commissioner can make a decision on an application for additional time under section 159 of the IP Act, the Information Commissioner must be satisfied that it is not reasonably practicable for the agency to comply with the notice in the time stated in the notice.
'Reasonably practicable' is discussed in Key privacy concepts - practicable and impracticable but generally 'not practicable' does not simply mean difficult or undesirable.
To be impracticable, the action must be nearly impossible or extremely difficult to carry out within the time provided. The fact that compliance within the time set out in the compliance notice would be inconvenient or would involve expenditure of some effort or resources would not be sufficient to make it not practicable.
Appeals to QCAT
Under section 161, an agency which has been given a compliance notice may apply, as provided under the Queensland Civil and Administrative Tribunal Act 2009 (Qld) (QCAT Act), to QCAT for a review of the decision to give it the notice. When such an application is made, QCAT must exercise its review jurisdiction under the QCAT Act.
Time in which to apply
The time in which a review must be sought is not specified in the IP Act, but generally an agency should apply before the expiry of the time provided for compliance. To do otherwise might mean that, by the time the agency sought the review, the agency could have committed an offence under section 153 by not complying with the notice.
Parties to the proceedings
Where an application is made to QCAT, both the agency to which the notice was given and the Information Commissioner are parties to both the application for review and the review, if QCAT decides to conduct one.
QCAT may, on its own initiative or as a result of an application by the individual, at any time join an individual as a party to the proceedings. However, QCAT may only do this if it considers that the individual is affected by the decision to give a compliance notice.
How QCAT may dispose of the review
Under section 163, if QCAT decides to review a decision of the Information Commissioner to issue a compliance notice, it may make any of the following orders:
- confirm the initial decision to give a compliance notice
- confirm the initial decision but substitute a compliance notice in different terms from the original
- reverse the decision to give a compliance notice
- revoke the notice and give the Information Commissioner directions about issuing a replacement compliance notice.
Current as at: July 19, 2013